Unmasking the Latest Cybersecurity Threats Businesses Must Fear




Cybersecurity Update: Emerging Vulnerabilities and Advanced Threats Impacting Businesses


The cybersecurity landscape continues to evolve at breakneck speed, with recent discoveries shedding light on a series of software vulnerabilities and expansive threat vectors. From exploited WordPress components to critical vulnerabilities in essential security tools, organisations must remain on high alert. Below, we explore the latest high-severity issues and contextualise their potential impact on businesses.

Exploits in Popular WordPress Components

Several widely used WordPress themes and plugins have come under scrutiny due to critical vulnerabilities. These issues could allow unauthorised access, code execution and privilege escalation, imperilling websites that host sensitive data.

CVE-2025-1771: Local File Inclusion in the Traveler Theme

The Traveler theme for WordPress, in all versions up to and including 3.1.8, is vulnerable to local file inclusion via the ‘hotel_alone_load_more_post’ function’s ‘style’ parameter. This bug enables unauthenticated attackers to include and execute arbitrary files on the server, potentially leading to unauthorised access and bypassing established security controls.

  • Severity: 9.8 (Critical)

CVE-2025-1667: Privilege Escalation in WPSchoolPress

The School Management System plugin – WPSchoolPress – is affected by a privilege escalation flaw. Due to an oversight in the wpsp_UpdateTeacher() function in versions up to 2.2.16, authenticated users with teacher-level or higher access can modify key user details, potentially enabling a route to gain administrative control.

  • Severity: 8.8 (High)

CVE-2025-1657: uListing Directory Data Modification and PHP Object Injection

The uListing plugin for WordPress, which manages directory listings, has been found vulnerable to unauthorised data modifications and PHP object injection. In versions up to 2.1.7, a missing capability check on the stm_listing_ajax action allows attackers with subscriber-level access to alter post metadata and inject malicious PHP objects, leading to potential further exploitation.

  • Severity: 8.8 (High)

CVE-2025-1653: uListing Plugin Privilege Escalation

A second vulnerability affecting the uListing plugin involves improper restrictions in the stm_listing_profile_edit AJAX action. This permits authenticated attackers with minimal privileges to elevate their access to an administrator level, thereby exposing systems to a multitude of security risks.

  • Severity: 8.8 (High)

Exploitation of Tj-Actions: Information Disclosure Vulnerability

CVE-2025-30066: Tj-Actions Information Disclosure

A high-severity vulnerability has been identified in the tj-actions changed-files GitHub Action. Although versions v1 through v45.0.7 were not affected as originally released, threat actors altered these tags, redirecting them to a commit that includes malicious updateFeatures code. As a result, remote attackers can access sensitive information by reading actions logs.

  • Severity: 8.6 (High)
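
Because the tags themselves were repointed, a workflow that references an action by tag runs whatever commit that tag currently names. The following audit script is an added example, not code from the article or from the tj-actions project: it scans workflow text for `uses:` references that are not pinned to a full 40-character commit SHA and separately labels tj-actions/changed-files tags in the v1 through v45.0.7 range named above. The sample workflow and the `example-org/example-action` name are constructed for illustration, and the script does not check which commit a tag points to today.

```python
import re

# Matches "uses: owner/repo[/subpath]@ref" in a GitHub Actions workflow file.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w.-]+)(?:/[^@\s'\"]*)?@([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Tag range the article says was repointed (v1 through v45.0.7).
AFFECTED_ACTION = "tj-actions/changed-files"
AFFECTED_MAX = (45, 0, 7)

def parse_version(ref):
    """Return a 3-tuple for refs like v45, v45.0 or v45.0.7, else None."""
    m = re.fullmatch(r"v(\d+)(?:\.(\d+))?(?:\.(\d+))?", ref)
    if not m:
        return None
    return tuple(int(p) if p else 0 for p in m.groups())

def audit_workflow(text):
    """Return (line_no, action, ref, verdict) for every ref that is not SHA-pinned."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref = m.group(1).lower(), m.group(2)
        if FULL_SHA_RE.match(ref.lower()):
            continue  # immutable pin: a moved tag cannot change what runs
        version = parse_version(ref)
        if (action == AFFECTED_ACTION and version
                and (1, 0, 0) <= version <= AFFECTED_MAX):
            verdict = "affected-tag-range"
        else:
            verdict = "mutable-ref"
        findings.append((no, action, ref, verdict))
    return findings

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - uses: tj-actions/changed-files@v46.0.1
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567  # v1.2.3
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```

A finding of `affected-tag-range` is a prompt to review that workflow's run logs for exposed secrets and rotate them; `mutable-ref` marks references that would silently follow a moved tag or branch.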

Broader Cyber Threats and Emerging Risks

Beyond software vulnerabilities, the overarching threat landscape continues to expand, placing even more critical infrastructure at risk. Recent analyses have highlighted the increasing risk posed by Cyber-Physical Systems (CPS) and the Internet of Things (IoT), which, despite their benefits in efficiency and automation, provide new avenues for cyberattacks.

An illuminating article titled “The Silent Infiltration: How Powerful CPS Devices Are Amplifying Cyber Risks for Businesses” draws attention to just how interconnected devices—ranging from smart sensors to AI-driven cameras—can become conduits for major cyber threats.

Simultaneously, warnings from Microsoft Threat Intelligence indicate that the state-linked threat actor, Silk Typhoon, is aggressively targeting the IT supply chain in attempts to compromise primary organisations and infiltrate their client networks. In a related development, cybersecurity officials in Ukraine have called for tens of thousands more IT experts to bolster defence measures against Russian cyber offensives.

Additional Vulnerabilities Affecting Critical Security Tools and Infrastructure

CVE-2023-45588: FortiClientMac Arbitrary Code Execution

FortiClientMac, a crucial component for endpoint security, is vulnerable in versions 7.2.3 and below—and in installer version 7.0.10 and earlier. The vulnerability allows an external attacker to control file names or paths, potentially leading to arbitrary code execution when a malicious configuration file is written to the temporary folder before installation.

  • Severity: 8.2 (High)

CVE-2024-46662: FortiManager Command Injection

Fortinet’s FortiManager, including FortiManager Cloud, is also at risk. Versions 7.4.1 to 7.4.3 are vulnerable to command injection due to improper neutralisation of special characters. Attackers can exploit crafted packets to execute unauthorised commands, potentially escalating their privileges and compromising the security of the management environment.

  • Severity: 8.8 (High)

Infrastructure Under Siege

In a stark reminder of the intensifying cyber threat landscape, reports have emerged of Chinese hacker groups targeting critical American utilities. The breach of a Massachusetts public utility by group VOLTZITE underscores the increasing frequency and sophistication of infrastructure attacks, which pose significant risks to national security and public services.

Conclusion: With vulnerabilities across key WordPress components, security solutions, and critical infrastructures, the need for robust, proactive cybersecurity measures has never been more urgent. Organisations must prioritise timely updates, continuous monitoring and a comprehensive defence strategy against an ever-evolving threat landscape. Staying informed and prepared is essential to navigating these turbulent times in cybersecurity.


Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.