WordPress Vulnerabilities Exposed: Act Now to Protect Sites!


WordPress Vulnerabilities Under the Microscope

In today’s cybersecurity roundup, two WordPress plugin vulnerabilities have caught the attention of the security community. The WPC Admin Columns plugin, a tool many site owners rely on, has a privilege escalation issue (CVE-2025-3418). Versions 2.0.6 through 2.1.0 allow authenticated users with as little as Subscriber-level access to update their own role to administrator. The oversight stems from the ajax_edit_save() function not restricting which user meta keys and values a request may set, so a low-privileged user can overwrite the capabilities meta in which WordPress stores their role. With a severity rating of 8.8 (high), this is one to patch promptly: check for a release later than 2.1.0, and until then treat every registered user as a potential administrator.
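As an added illustration of the pattern described above (this is not the plugin’s own code and does not reproduce the exact code path of CVE-2025-3418), here is an AJAX handler that writes whatever meta key and value the request names, next to a hardened version that verifies a nonce, checks a capability, and only accepts an allow-listed set of keys. The hook names, the demo_ function names and the allowed-key list are hypothetical.

```php
<?php
// Added illustration, not the WPC Admin Columns source. Hook names, the
// demo_ functions and the allowed-key list are hypothetical.

// VULNERABLE pattern: any logged-in user can call this wp_ajax_ action and
// choose the meta key themselves. A request such as
//   meta_key=wp_capabilities&meta_value[administrator]=1
// (the key is table-prefix dependent, wp_ by default) stores
// a:1:{s:13:"administrator";s:1:"1";} in the caller's capabilities meta,
// and WordPress then treats the caller as an administrator.
function demo_ajax_edit_save_vulnerable() {
    $user_id = get_current_user_id();
    $key     = sanitize_text_field( wp_unslash( $_POST['meta_key'] ?? '' ) );
    $value   = wp_unslash( $_POST['meta_value'] ?? '' );
    // No nonce, no capability check, no restriction on which key is written.
    update_user_meta( $user_id, $key, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_edit_save_vulnerable', 'demo_ajax_edit_save_vulnerable' );

// HARDENED pattern: nonce, capability check against the target user, and an
// allow-list of keys so role and capability data is never writable here.
function demo_ajax_edit_save_hardened() {
    check_ajax_referer( 'demo_edit_save', 'nonce' );

    // An admin-column editor is a user-management feature; require edit_users.
    if ( ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $target_id = absint( $_POST['user_id'] ?? 0 );
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // The request may pick only from this fixed list (hypothetical keys).
    $allowed = array( 'billing_phone', 'billing_company' );
    $key     = sanitize_key( $_POST['meta_key'] ?? '' );
    if ( ! in_array( $key, $allowed, true ) || is_protected_meta( $key, 'user' ) ) {
        wp_send_json_error( 'invalid meta key', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ?? '' ) );
    update_user_meta( $target_id, $key, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_edit_save_hardened', 'demo_ajax_edit_save_hardened' );
```

The allow-list is the important part: a capability check alone would not help if the feature is meant to be usable by shop managers who may legitimately edit some user fields but must never be able to hand out the administrator role.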

Not far behind, a vulnerability in the Everest Forms plugin (CVE-2025-3439) has also turned heads. This PHP Object Injection flaw affects all versions up to and including 3.1.1: unauthenticated attackers can inject PHP objects via the ‘field_value’ parameter because the plugin deserialises untrusted input. On its own the vulnerable plugin does not supply a usable POP chain, so exploitation depends on another plugin or theme on the same site providing one; where that condition is met, the outcome can be file deletion, data retrieval, or code execution. Rated critical with a severity of 9.8, it is a stark reminder for site administrators to audit the whole plugin ecosystem, not just the plugin named in the advisory, since any installed code can turn a dormant injection point into a working exploit.
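To show what the paragraph above means by an injection point that depends on a POP chain, here is an added example (not Everest Forms code, and the demo_ function names are hypothetical) of the vulnerable deserialisation pattern next to two hardened alternatives: unserialize() with objects disabled, and JSON, which cannot express objects at all.

```php
<?php
// Added illustration of PHP Object Injection, not Everest Forms source.
// The demo_ function names are hypothetical.

// VULNERABLE pattern: unserialize() on attacker-controlled input. The
// attacker chooses the class name and property values, for example
//   O:9:"SomeClass":1:{s:4:"file";s:12:"/tmp/target";}
// If SomeClass is loaded and its __wakeup()/__destruct() acts on $file,
// that method runs with the attacker's values (the "POP chain"). With no
// such class loaded, the call is harmless today, but installing one more
// plugin or theme can change that without touching this code.
function demo_restore_value_vulnerable( $raw ) {
    return unserialize( $raw );
}

// HARDENED: allowed_classes => false (PHP 7.0+) turns every O: token into a
// __PHP_Incomplete_Class instance, whose magic methods do nothing. The
// leftover objects are then rejected rather than passed on to the caller.
function demo_restore_value_hardened( $raw ) {
    if ( ! is_string( $raw ) ) {
        return null;
    }
    $value = @unserialize( $raw, array( 'allowed_classes' => false ) );
    if ( false === $value && 'b:0;' !== $raw ) {
        return null; // malformed input
    }
    return demo_contains_object( $value ) ? null : $value;
}

// Walk arrays recursively; any object anywhere in the structure is refused.
function demo_contains_object( $value ) {
    if ( is_object( $value ) ) {
        return true;
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $item ) {
            if ( demo_contains_object( $item ) ) {
                return true;
            }
        }
    }
    return false;
}

// BETTER for new code: a format with no object notation at all.
// json_decode(..., true) yields arrays, never stdClass, and never calls
// any class's magic methods.
function demo_restore_value_json( $raw ) {
    $value = json_decode( (string) $raw, true );
    return ( JSON_ERROR_NONE === json_last_error() ) ? $value : null;
}
```

The hardened unserialize() path is the minimal change when an existing feature already stores serialised arrays; switching the storage format to JSON removes the class of bug rather than one instance of it.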

Beyond WordPress: Wider Digital Impacts

The vulnerability headlines aren’t confined to the WordPress world. The Oz Forensics face recognition application (CVE-2025-32367) has an Insecure Direct Object Reference (IDOR) flaw that allows unauthorised access to personally identifiable information (PII) via its /statistic/list endpoint: the endpoint accepts an identifier from the caller without confirming the caller is entitled to the record it names. With a high severity of 8.6, this is a reminder that even specialised applications can harbour basic authorisation bugs.

Meanwhile, Apple Safari users should note that a use-after-free issue (CVE-2023-42970) has been addressed with improved memory management in iOS 17, iPadOS 17, macOS Sonoma 14, watchOS 10, tvOS 17, and Safari 17. Before the fix, processing web content could lead to arbitrary code execution, so updating to these releases is the remediation; older devices that cannot take them remain exposed when browsing untrusted sites.

Fresh Security Advisories and Wider Trends

In a further sign that cyber threats continue to evolve, the Cybersecurity and Infrastructure Security Agency (CISA) has released ten new advisories covering vulnerabilities affecting Industrial Control Systems (ICS). These advisories matter to any organisation overseeing industrial infrastructure that wants to stay one step ahead of potential exploitation, and they are worth checking against your own asset inventory.

Other related headlines include a ransomware attack affecting a Winnipeg school division, with nearly one million sensitive files exposed on the dark web, and discussion of fluctuating stock prices for companies like SATO Technologies. Additionally, UK cyber resilience remains a hot topic: the proportion of businesses reporting a cyber breach or attack has fallen from 50% to 43%, an encouraging trend but hardly a victory in the fight against cybercrime.

Staying Ahead in a Rapidly Evolving Landscape

With the rapidly changing cybersecurity landscape, keeping your digital infrastructure secure is more important than ever. Whether you’re managing WordPress plugins or safeguarding sensitive industrial data, understanding these vulnerabilities helps you mitigate the risks. At Synergos Consultancy, we recognise the importance of compliance and robust security measures.

Based in Huddersfield, West Yorkshire, our specialist consultancy supports businesses across Yorkshire and the wider UK in achieving compliance through ISO Certifications, Health & Safety Management, SSIP Accreditations, AEO Status, GDPR Compliance, and more. By staying informed and prepared, organisations can build a secure and resilient future in our digital age.

That’s a wrap for today’s cybersecurity news—stay alert and keep those systems patched!


Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.