Posted Date: 2025/12/10
[Vulnerability Alert] 6 Security Vulnerabilities in WordPress Plugins and Themes (CVE-2025-13536) (CVE-2025-13538) (CVE-2025-13539) (CVE-2025-13540) (CVE-2025-13615) (CVE-2025-13675), Please Confirm and Patch as Soon as Possible
- Content:
- Forwarded from National Information Security Information Sharing and Analysis Center Security Alert NISAC-200-202512-00000041
- Researchers have discovered 6 high-risk security vulnerabilities in WordPress plugins and themes. Please confirm and patch as soon as possible.
- The Blubrry PowerPress plugin has an arbitrary file upload vulnerability (CVE-2025-13536). A remote attacker holding an ordinary (low-privileged) user account can upload a malicious file to the site and thereby execute arbitrary code on the server.
- The Tainacan plugin and the Mascara theme have improper privilege management vulnerabilities (CVE-2025-13538, CVE-2025-13540 and CVE-2025-13675). The role submitted with a registration request is not restricted, so an unauthenticated remote attacker can register an account with the administrator role and obtain administrator privileges on the site.
- The FindAll Membership plugin has an authentication bypass vulnerability (CVE-2025-13539). A remote attacker who has obtained an ordinary user account and also has access to the administrator's e-mail can log in to the site as the administrator.
- The StreamTube Core plugin has an arbitrary user password change vulnerability (CVE-2025-13615). An unauthenticated remote attacker can change the password of any user on the site, including an administrator, and so take over the administrator account.
- WordPress is a widely used website-building system. Because it has a very large number of plugins and themes, serious vulnerabilities in them appear regularly, as the ones listed in this alert show.
- When running WordPress, keep the core program up to date and also watch for and promptly apply updates to every installed plugin and theme. Review whether each installed plugin and theme is actually needed, and remove those that are not.
- Affected Platforms:
- Blubrry PowerPress version 11.15.2 and earlier
- FindAll Listing version 1.0.5 and earlier
- FindAll Membership version 1.0.4 and earlier
- Tainacan version 0.20.10 and earlier
- Mascara version 1.1.2 and earlier
- StreamTube Core version 2.0.0 and earlier
- Recommended Measures:
- Blubrry PowerPress: Update to version 11.15.3 or later
- FindAll Listing: Update to version 1.0.6 or later
- FindAll Membership: Update to version 1.0.5 or later
- Tainacan: Update to version 0.20.11 or later
- Mascara: Update to version 1.1.3 or later
- StreamTube Core: Update to version 2.0.1 or later
- If not required, it is recommended to remove the affected plugins or themes.
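As an added example that is not part of the NISAC alert or of any of the listed projects, the following Python script checks a copy of a site's wp-content directory against the fixed versions listed above. It reads the Version: header of each plugin's main file and of each theme's style.css the way WordPress does (first 8 KiB of the file, comment prefix allowed before the field name) and flags every listed component whose installed version is below the fixed release. The directory slugs in FIXED_VERSIONS are assumptions made for this example and must be confirmed against the directory names in the install being checked; the sample wp-content tree the script builds is constructed for demonstration and is not a real site.

```python
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# Fixed versions taken from the "Recommended Measures" list of this alert. A
# component is affected when its installed version is lower than the fixed one.
# Directory slugs are assumed for this example; confirm them against your install.
FIXED_VERSIONS: Dict[str, Dict[str, str]] = {
    "plugins": {
        "powerpress": "11.15.3",          # Blubrry PowerPress
        "findall-listing": "1.0.6",
        "findall-membership": "1.0.5",
        "tainacan": "0.20.11",
        "streamtube-core": "2.0.1",
    },
    "themes": {
        "mascara": "1.1.3",
    },
}

# WordPress reads file headers from the first 8 KiB of a file and tolerates a
# comment prefix before the field name, e.g. " * Version: 1.2.3".
HEADER_BYTES = 8192
NAME_FIELDS = {"plugins": "Plugin Name", "themes": "Theme Name"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Numeric components of a version string: '11.15.2' -> (11, 15, 2)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def is_affected(installed: str, fixed: str) -> bool:
    """True when installed < fixed; pads so that 1.0 compares equal to 1.0.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def read_header(path: str, field: str) -> Optional[str]:
    """Value of a WordPress file header field in the first 8 KiB, or None."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(HEADER_BYTES)
    pattern = r"^[ \t/*#@]*" + re.escape(field) + r":(.*)$"
    m = re.search(pattern, head, re.M | re.I)
    return m.group(1).strip() if m else None


def installed_version(kind: str, component_dir: str) -> Optional[str]:
    """Version from the main plugin file (a top-level .php file carrying a
    'Plugin Name:' header) or from a theme's style.css."""
    if kind == "themes":
        candidates = [os.path.join(component_dir, "style.css")]
    else:
        candidates = [os.path.join(component_dir, f)
                      for f in sorted(os.listdir(component_dir)) if f.endswith(".php")]
    for path in candidates:
        if os.path.isfile(path) and read_header(path, NAME_FIELDS[kind]):
            return read_header(path, "Version")
    return None


def check_wp_content(wp_content: str) -> List[Tuple[str, str, str, str, bool]]:
    """Scan wp-content/plugins and wp-content/themes against FIXED_VERSIONS and
    return (kind, slug, installed, fixed, affected) for each listed component found."""
    findings = []
    for kind, table in FIXED_VERSIONS.items():
        base = os.path.join(wp_content, kind)
        if not os.path.isdir(base):
            continue
        for slug in sorted(os.listdir(base)):
            component_dir = os.path.join(base, slug)
            if slug not in table or not os.path.isdir(component_dir):
                continue
            installed = installed_version(kind, component_dir)
            if installed is not None:
                findings.append((kind, slug, installed, table[slug],
                                 is_affected(installed, table[slug])))
    return findings


def build_sample_install() -> str:
    """Constructed wp-content tree for demonstration only (not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    files = {
        "plugins/powerpress/powerpress.php":
            "<?php\n/*\nPlugin Name: PowerPress\nVersion: 11.15.2\n*/\n",      # affected
        "plugins/tainacan/tainacan.php":
            "<?php\n/**\n * Plugin Name: Tainacan\n * Version: 0.20.11\n */\n",  # patched
        "plugins/hello-dolly/hello.php":
            "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",        # not in alert
        "themes/mascara/style.css":
            "/*\nTheme Name: Mascara\nVersion: 1.1.2\n*/\n",                    # affected
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for kind, slug, installed, fixed, affected in check_wp_content(build_sample_install()):
        status = "AFFECTED - update" if affected else "ok"
        print(f"{kind[:-1]:7} {slug:20} {installed:>8} (fixed in {fixed}): {status}")
```

Against a real site, call check_wp_content with the path to its wp-content directory (for example /var/www/html/wp-content). An "ok" result only means the component is at or above the fixed version named in this alert; it says nothing about other advisories. Where WP-CLI is available, `wp plugin list` and `wp theme list` report the same installed versions together with pending updates, but they need a working PHP runtime and database connection, which this offline check does not.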
Computer and Communications Center
Network Systems Group