CVE-2025-4631 – WordPress Profitori Plugin Privilege Escalation Vulnerability

May 31, 2025

CVE ID : CVE-2025-4631

Published : May 31, 2025, 7:15 a.m. | 44 minutes ago

Description : The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. This makes it possible to trigger the save_object_as_user() function for objects whose ‘_datatype’ is set to ‘users’,. This allows unauthenticated attackers to write arbitrary strings straight into the user’s wp_capabilities meta field, potentially elevating the privileges of an existing user account or a newly created one to that of an administrator.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-4607 – “PSW Front-end Login & Registration WordPress Privilege Escalation”

Next Article CVE-2025-4672 – Offsprout Page Builder WordPress Privilege Escalation Vulnerability

Highlights

CVE-2025-38169 – Linux Kernel ARM64 FPSIMD State Clobbering Vulnerability

July 3, 2025

CVE ID : CVE-2025-38169

Published : July 3, 2025, 9:15 a.m. | 2 hours, 14 minutes ago

Description : In the Linux kernel, the following vulnerability has been resolved:

arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP

On system with SME, a thread’s kernel FPSIMD state may be erroneously
clobbered during a context switch immediately after that state is
restored. Systems without SME are unaffected.

If the CPU happens to be in streaming SVE mode before a context switch
to a thread with kernel FPSIMD state, fpsimd_thread_switch() will
restore the kernel FPSIMD state using fpsimd_load_kernel_state() while
the CPU is still in streaming SVE mode. When fpsimd_thread_switch()
subsequently calls fpsimd_flush_cpu_state(), this will execute an
SMSTOP, causing an exit from streaming SVE mode. The exit from
streaming SVE mode will cause the hardware to reset a number of
FPSIMD/SVE/SME registers, clobbering the FPSIMD state.

Fix this by calling fpsimd_flush_cpu_state() before restoring the kernel
FPSIMD state.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Atla AI Introduces the Atla MCP Server: A Local Interface of Purpose-Built LLM Judges via Model Context Protocol (MCP)

April 22, 2025

12 Top ReactJS Development Companies in 2025

June 27, 2025

Sam Altman claims Meta is trying to poach OpenAI staffers with $100 million bonuses, but “none of our best people have decided to take them up on that”

June 18, 2025

Designing For TV: Principles, Patterns And Practical Guidance (Part 2)

Neo4j introduces new graph architecture that allows operational and analytics workloads to be run together

Beyond the benchmarks: Understanding the coding personalities of different LLMs

Top 10 Use Cases of Vibe Coding in Large-Scale Node.js Applications

Building smarter interactions with MCP elicitation: From clunky tool calls to seamless user experiences

From Zero to MCP: Simplifying AI Integrations with xmcp

Distribution Release: Linux Mint 22.2

Coded Smorgasbord: Basically, a Smorgasbord

Drupal 11’s AI Features: What They Actually Mean for Your Team

Drupal 11’s AI Features: What They Actually Mean for Your Team

Why Data Governance Matters More Than Ever in 2025?

Perficient Included in the IDC Market Glance for Digital Business Professional Services, 3Q25

How DevOps Teams Are Redefining Reliability with NixOS and OSTree-Powered Linux

How DevOps Teams Are Redefining Reliability with NixOS and OSTree-Powered Linux

Distribution Release: Linux Mint 22.2

‘Cronos: The New Dawn’ was by far my favorite experience at Gamescom 2025 — Bloober might have cooked an Xbox / PC horror masterpiece

CVE-2025-4631 – WordPress Profitori Plugin Privilege Escalation Vulnerability

Critical Linux UDisks Daemon Vulnerability (CVE-2025-8067) Exposes Privileged Data to Local Attackers

Google Slapped with $381 Million Fine in France Over Gmail Ads, Cookie Consent Missteps

Everything new in Microsoft Teams from April 2025

CVE-2025-34023 – Karel IP1211 Path Traversal Vulnerability

CVE-2025-49809 – MTR Sudo Execution Hijacking Vulnerability

The UX-Dev Relay – How to Pass the Baton Effectively

CVE-2025-38169 – Linux Kernel ARM64 FPSIMD State Clobbering Vulnerability

Atla AI Introduces the Atla MCP Server: A Local Interface of Purpose-Built LLM Judges via Model Context Protocol (MCP)

12 Top ReactJS Development Companies in 2025

Sam Altman claims Meta is trying to poach OpenAI staffers with $100 million bonuses, but “none of our best people have decided to take them up on that”

CVE-2025-4631 – WordPress Profitori Plugin Privilege Escalation Vulnerability

Related Posts