CISA Weekly Vulnerability Summary – Week of July 14, 2025

I have reviewed the CISA bulletin of newly reported vulnerabilities for the week of July 14, 2025. It is a compilation of recently discovered flaws, mostly classified as critical (CVSS score 7.0–10.0).

As a CERT manager, I am providing here a detailed analysis of these vulnerabilities. I have grouped them by vendor, highlighting each flaw and its potential impact.

The main objective is to provide CERT/CSIRT/SOC/CISO teams with a clear overview of the critical risks identified that week, in order to prioritize mitigation measures and patches. I am not bound by any length limitation, which allows me to address each point in depth.

Below, vendor by vendor, I describe the critical vulnerabilities (CVSS ≥ 7.0) announced that week, with the context, the nature of the flaw, its possible impact, and any notable information such as the availability of a fix or active exploitation. Note: All CVE identifiers mentioned correspond to vulnerabilities published during the week of 07/14/2025, according to CISA sources.

Critical Vulnerabilities by Vendor

aapanel
aapanel WP Toolkit (WordPress) – A privilege escalation vulnerability was discovered in the aapanel WP Toolkit plugin (versions 1.0 to 1.1). Due to the absence of authorization checks in the auto_login() function, an authenticated attacker, even with low privileges (a simple subscriber), can bypass role controls and gain full administrator privileges on the WordPress site. Associated CVE: CVE-2025-6813, CVSS score 8.8. This flaw would allow an initially limited attacker to take full control of the site.

aaroncampbell
Attachment Manager (WordPress) – The Attachment Manager plugin (up to v2.1.2) contains an arbitrary file deletion flaw. A lack of path validation in the handle_actions() function allows an unauthenticated attacker to delete arbitrary files on the server. The impact is critical (CVSS 9.1, CVE-2025-7643), as deleting sensitive files like wp-config.php could lead to remote code execution (RCE) by compromising the site’s configuration.

Adrian Tobey
Groundhogg (WordPress) – An “unrestricted file upload” vulnerability has been reported in Groundhogg (up to v4.2.1). It allows an attacker to upload a webshell (arbitrary malicious file) onto the server. CVE: CVE-2025-48300, CVSS 9.1. In practice, an attacker with access to the plugin could exploit this flaw to drop and execute malicious code on the WordPress host.

Alcatel-Lucent
OmniAccess Stellar (Wi-Fi Access Points) – Three critical vulnerabilities have been identified in Alcatel-Lucent’s OmniAccess Stellar products:

arisoft
Contact Form 7 – Editor Button (WordPress) – This plugin (v1.0.0 and earlier) contains a reflected Cross-Site Scripting (XSS) flaw. Due to the lack of proper sanitization of user input during page rendering, an attacker could inject malicious JavaScript code into the URL or a field, causing it to execute in the administrator’s browser. CVE: CVE-2025-48345, CVSS 7.1.

Atakan Au
Import CDN/Remote Images (WordPress) – Cross-Site Request Forgery (CSRF) vulnerability leading to stored XSS. In the Import CDN/Remote Images plugin (up to v2.1.2), an attacker can trick an administrator, via a crafted request, into performing an action that results in the permanent injection of malicious code (stored) into the site. CVE: CVE-2025-48153, CVSS 7.1.

August Infotech
Multi-language Responsive Contact Form (WordPress) – This plugin (up to v2.8) suffers from a lack of authentication on certain features, allowing unauthorized users to access actions that are normally restricted (ACL control violation). CVE: CVE-2025-29000, CVSS 7.5. This weakness could be exploited to access sensitive contact form functions without being an administrator.

awethemes
Hillter (WordPress theme) – The Hillter theme (up to v3.0.7) contains an insecure deserialization vulnerability, leading to PHP object injection. CVE: CVE-2025-24777, CVSS 8.8. An attacker could exploit malformed data to execute arbitrary code during server-side deserialization.

b1accounting
B1.lt (WordPress) – This plugin (up to v2.2.56) contains an SQL injection via the AJAX action b1_run_query without capability checks. An authenticated user, even with minimal rights (subscriber), can execute arbitrary SQL queries on the WordPress database, potentially compromising its integrity or exfiltrating data. CVE: CVE-2025-6718, CVSS 8.8.

Bearsthemes
Alone – Charity Multipurpose Theme (WordPress) – Two critical vulnerabilities affect this Alone theme (up to v7.8.3):
Bears Backup (WordPress) – The Bears Backup plugin (up to v2.0.0), often used with the Alone theme, is vulnerable to unauthenticated remote code execution. The bbackup_ajax_handle() function performs no permission check and directly calls call_user_func() with user-supplied data. An attacker can thereby execute arbitrary PHP code on the server. CVE: CVE-2025-5396, CVSS 9.8. Note: On a WordPress site using Alone ≤7.8.4, an attacker could first exploit CVE-2025-5394 to install the Bears Backup plugin, then exploit this RCE — a particularly dangerous exploit chain.

BossSoft
CRM 6.0 – An SQL injection vulnerability was discovered in BossSoft CRM v6.0, via the cstid parameter in the page HNDCBas_customPrmSearchDtl.jsp. CVE: CVE-2025-7801, CVSS 7.3. The attack is remotely executable, and the exploit has reportedly been publicly released, increasing the risk of untargeted exploitation by general malicious actors.

Campcodes
Online Movie Theater Seat Reservation System 1.0 – SQL injection vulnerability in manage_seat.php via the ID parameter. CVE: CVE-2025-7838, CVSS 7.3. Exploitation does not require authentication and the exploit is also publicly disclosed, meaning an attack can be easily automated by anyone.

chainguard-dev
apko (OCI image build tool) – In apko (v0.27.0 to 0.29.4), a permissions bug set critical files to mode 0666 (read/write for everyone). This could be abused for privilege escalation (notably on Linux, where any user could modify these files). CVE: CVE-2025-53945, CVSS 7.0. Note: version 0.29.5 fixes the issue.

Cisco
Identity Services Engine (ISE) & ISE-PIC – A critical vulnerability allows an unauthenticated remote attacker to execute arbitrary code as root on the Cisco ISE appliance. No authentication is required — just a specially crafted API request that exploits insufficient user input validation. CVSS impact: maximum 10.0 (CVE-2025-20337). In other words, an Internet-based attacker could obtain a root shell on the ISE server with no credentials — an extremely serious threat to network security.

CMSJunkie
WP-BusinessDirectory (WordPress) – This business directory plugin (up to v3.1.3) suffers from a blind SQL injection. CVE: CVE-2025-24759, CVSS 9.3. An attacker can inject malicious parameters into SQL queries, potentially exfiltrating or altering data in the WordPress database, without directly seeing the result (hence “blind” SQLi).

cmsMinds
Pay with Contact Form 7 (WordPress) – Cross-Site Scripting (XSS) vulnerability in this payment form plugin (up to v1.0.4). It’s a reflected XSS due to improper input sanitization. CVE: CVE-2025-52777, CVSS 7.1. An attacker can trick an admin into clicking a malicious link to execute a script in their browser context (potentially hijacking their admin session).

code-projects (web script provider)
Several open-source web applications from code-projects (mostly version 1.0) present critical SQL injection vulnerabilities. What is particularly concerning is the recurrence of this same type of flaw across different projects, often accompanied by publicly available exploits. Affected modules include:

• AVL Rooms – Two SQL injections: one via first_name on profile.php, the other via city on city.php. CVEs: CVE-2025-7605, CVE-2025-7606, CVSS 7.3 each.
• Church Donation System – No fewer than eight SQL injections have been reported in this donation system (pages login.php, reg.php, members/Tithes.php, members/offering.php, members/giving.php, members/update_password_admin.php, members/login_admin.php, members/search.php). Each one is critical (CVSS 7.3, e.g., CVE-2025-7829 to CVE-2025-7833, CVE-2025-7859 to CVE-2025-7861). All allow SQL injection through various parameters (Username, mobile, trcode, Amount, etc.), potentially exfiltrating or modifying the database. Worryingly, public exploits exist for all of them.
• Electricity Billing System – SQL injection via new_password on user/change_password.php. CVE: CVE-2025-7610, CVSS 7.3.
• Food Ordering Review System – SQL injection via fname on pages/signup_function.php. CVE: CVE-2025-7814, CVSS 7.3.
• Job Diary – Three critical SQL injections via the ID parameter on view-all.php, view-emp.php, and view-cad.php (CVE-2025-7593, 7594, 7595). CVSS 7.3.
• Mobile Shop – SQL injection via email on login.php. CVE: CVE-2025-7612, CVSS 7.3.
• Online Appointment Booking System – Eight SQL injections spread across various admin pages:
  • cover.php – parameters uname/psw
  • admin/getmanagerregion.php – param city
  • admin/adddoctorclinic.php – param clinic
  • admin/addclinic.php – param cid
  • admin/deletedoctor.php – param did
  • admin/adddoctor.php – param Username
  • admin/deletedoctorclinic.php – param clinic
  • admin/addmanagerclinic.php – param clinic
    CVEs: CVE-2025-7587, CVE-2025-7749 to 7753, CVE-2025-7764, 7765. All rated CVSS 7.3. Each can be used to bypass authentication and directly perform actions on the database (e.g., add a malicious doctor). Again, public exploits are available.
• Simple Shopping Cart – Three SQL injections:
  • Customers/save_order.php (parameter order_price) – CVE-2025-7607
  • userlogin.php (parameter user_email) – CVE-2025-7608
  • register.php (parameter ruser_email) – CVE-2025-7609
    All rated CVSS 7.3.
• Wedding Reservation – SQL injection via lu in global.php. CVE: CVE-2025-7611, CVSS 7.3.

In summary, most of these code-projects applications suffer from the same flaw: lack of input filtering/escaping, leading to widespread SQL injection vulnerabilities. All these exploits are publicly known, which means that bots or opportunistic attackers could easily target these applications if they are exposed online. I strongly recommend a general audit of these applications and the urgent implementation of patches or protective measures (e.g., a WAF).

mailcow
Mailcow: dockerized – Versions prior to 2025-07 of this open-source mail suite contain a Server-Side Template Injection (SSTI) vulnerability in the quota notification system. A mailcow administrator could configure a malicious notification template to execute code on the server when rendering the template (template expression injection). CVE: CVE-2025-53909, CVSS 9.1. This flaw requires admin access to the interface, so it’s more of an internal threat or post-compromise scenario. However, an attacker who has compromised the admin interface could exploit it to gain direct access to the mail server. Version 2025-07 fixes the issue.

malcure
Malcure Malware Scanner (WordPress) – Arbitrary file deletion vulnerability (authenticated) in this security plugin (≤ v16.8). The wpmr_delete_file() function does not check capabilities: thus, a low-privileged subscriber user can delete arbitrary files. CVE: CVE-2025-6043, CVSS 8.1. File deletion can lead to RCE (e.g., deleting wp-config.php) but only if the site is in “advanced” mode. Note: the vulnerability requires authentication (even if low-privileged), which slightly lowers the likelihood, but still—seeing a malware scanner introduce a critical flaw is quite ironic. Update it quickly.

MangaBooth
Madara – Core (WordPress) – Unauthenticated arbitrary file deletion vulnerability in this manga management plugin (≤ v2.2.3). The wp_manga_delete_zip() function does not sufficiently validate the file path, allowing deletion of any file. CVE: CVE-2025-7712, CVSS 9.1. Deleting files like wp-config.php → potential RCE by reinstalling WordPress or modifying the configuration. This very specific plugin needs to be updated to patch this flaw.

markjaquith
Subscribe to Comments (WordPress) – This plugin (≤ v2.1.2) suffers from a Local File Inclusion (LFI) via the Path HTTP header. An authenticated administrator can include and execute arbitrary PHP files on the server. CVE: CVE-2015-10133, CVSS 7.2. This vulnerability requires admin privileges, so it’s more of a local privilege escalation (e.g., a malicious admin can abuse the application – limited case). However, when combined with other vulnerabilities that give an attacker admin access, it could be used for persistence. It should be patched anyway.

Mbed (Arm)
Mbed TLS (< 3.6.4) – A use-after-free has been discovered in the mbedtls_x509_string_to_names() function of the TLS library. It frees a pointer passed as a parameter, although the documentation does not suggest so, meaning the calling application retains pointers to already freed memory. CVE: CVE-2025-47917, CVSS 8.9. In short, a program using Mbed TLS as per the documentation could crash or even suffer arbitrary code execution if an attacker exploits this behavior (e.g., with a malformed certificate containing multiple DNs in the SAN). Two example utilities (cert_write and cert_req) are explicitly mentioned as affected. Developers using Mbed TLS should upgrade to version 3.6.4 or higher and recompile their applications.

Md. Yeasin Ul Haider
The URL Shortener script (WordPress URL shortener) version ≤ 3.0.7 has three critical vulnerabilities:

SQL Injection – Failure to sanitize certain fields allows SQL injection (CVE: CVE-2025-28959, CVSS 9.3).
Untrusted deserialization (Object Injection) – Allows code execution via injected PHP objects (CVE: CVE-2025-28961, CVSS 9.8).
Missing authentication (access control) – Certain functions can be called without rights verification, allowing unauthorized users to access restricted features (CVE: CVE-2025-28965, CVSS 8.6).
These three vulnerabilities combined make the plugin extremely dangerous to expose. The untrusted deserialization (9.8) in particular means that an unauthenticated attacker could execute PHP and take over the site. This plugin must be disabled or patched immediately.

Metagauss
ProfileGrid (WordPress) – SQL Injection vulnerability (CVE: CVE-2025-49876, CVSS 8.5) in ProfileGrid (≤ v5.9.5.2). Impact: an attacker could exfiltrate/modify profile or other data by exploiting this bug. An update is required as CVSS 8.5 implies either an unauthenticated vector or highly impactful outcome.

Metasoft
MetaCRM (Chinese edition) – Up to v6.4.2, this CRM solution contains an insufficient authentication flaw on the /debug.jsp page. A remote attacker can access this critical debug page without authentication and potentially perform privileged actions. CVE: CVE-2025-7875, CVSS 7.3. The exploit is public and the vendor has not responded. This is similar to the LB-LINK case: no patch in sight. If you use MetaCRM, I recommend strictly restricting its network access (VPN) or applying your own compensating measures (e.g., delete debug.jsp if not needed).

Microsoft (Cloud et Entreprise)

Azure DevOps – A privilege escalation vulnerability has been fixed (CVE-2025-47158, CVSS 9.0). It stems from a flawed assumption about the immutability of certain data, allowing an unauthorized attacker to escalate privileges over the network. Microsoft has not provided many details in the public CVE, but one can imagine a vector such as manipulation of a JWT or an unverified configuration parameter.

Azure Machine Learning – Two critical vulnerabilities, both allowing an already authenticated attacker on the service to escalate their privileges within the ML environment. One is due to improper authorization handling (CVE-2025-49746, CVSS 9.9) and the other due to lack of authorization checks (CVE-2025-49747, CVSS 9.9). In essence, an Azure ML user with limited rights could become administrator of the ML service or perform unauthorized actions. Microsoft likely deployed patches on the server side given the near-maximum score.

Microsoft Purview – An overly permissive allowlist issue allows an authenticated attacker to escalate privileges (CVE-2025-53762, CVSS 8.7). Purview is a data governance solution; a malicious user could access normally restricted data or actions. A patch was likely applied by Microsoft.

SharePoint Enterprise Server 2016 – An insecure deserialization vulnerability in the on-premises versions of SharePoint 2016 allows an unauthenticated attacker to execute remote code on the server. CVE: CVE-2025-53770, CVSS 9.8. Microsoft has stated it is aware of an exploit in the wild for this flaw. No patch was immediately available as of July 20, but mitigations were published in the meantime. As a security officer, this is a critical issue: the published workarounds (usually disabling the vulnerable feature via PowerShell) should be applied until the full patch is deployed. Since SharePoint is often exposed on the intranet, this vulnerability can be exploited by an internal actor or one pivoting within the network.

Conclusion

I’m sharing with you, as a cybersecurity expert, the analysis of this weekly CISA bulletin dated July 14, 2025, which reveals a large number of critical vulnerabilities affecting various domains: WordPress plugins, network equipment, enterprise software, cloud solutions, etc. Several key trends emerge:

• Numerous WordPress plugin and theme vulnerabilities related to upload features, file deletion, or SQL/XSS injections. This highlights the importance for web administrators to keep their extensions updated and limit the use of non-essential or untrusted plugins. For CERT teams, a specific watch on popular WP plugins is necessary, as they are a prime target and often massively exploited once exploits are released.

• Outdated network/IoT equipment (D-Link, LB-LINK, Zyxel, etc.) suffering from buffer overflows, backdoors, or authentication bypasses. Many of these products are no longer supported by vendors, meaning no fixes are available. The obvious recommendation is to retire or isolate them from the network. For instance, legacy D-Link and LB-LINK routers should no longer be used in production environments.

• Critical vulnerabilities in enterprise and cloud solutions (Cisco ISE, HPE, Microsoft Azure/SharePoint, Logpoint). These generally received quick patches from vendors. However, the fact that some exploits are already in the wild (e.g., SharePoint, CrushFTP, iSherlock) is alarming. SOC teams must ensure immediate patching of these systems and monitor for any signs of exploitation (suspicious access logs, known IoCs).

• Vulnerabilities in software commonly used by end users (Lenovo Vantage, Motorola RSA, etc.) remind us that endpoint security is equally important. A local attacker or pre-installed malware can often exploit such vulnerabilities for further privilege escalation. This highlights the need for strong anti-malware protection, limited privilege policies, and timely software updates in workstation environments.

I chose to describe each vulnerability individually to highlight its nature and impact.

As a CISO or CERT analyst, I recommend prioritizing the following actions:

1. Identify affected systems in your infrastructure (servers, applications, web plugins, network equipment). For each CVE listed, ask yourself: “Do we have this component in-house?”. An up-to-date inventory makes this task easier.
2. Apply available patches without delay, starting with those already actively exploited (e.g., SharePoint CVE-2025-53770, iSherlock, CrushFTP, etc.) or those offering unauthenticated access to remote attackers (e.g., CVEs affecting Cisco ISE, FortiWeb, Zyxel…).
3. Implement temporary mitigations if no patch is available: disable the vulnerable feature, restrict access (firewall, VPN), increase log monitoring to detect exploitation. For example, for SharePoint 2016 CVE-2025-53770, Microsoft has provided mitigations to apply immediately while waiting for the patch. Likewise, for unpatched routers, network segmentation and strict filtering are necessary.
4. Monitor public exploits – Many of the vulnerabilities mentioned have publicly available proof-of-concepts or are already integrated into common attack tools. Expect these flaws to be quickly exploited opportunistically (especially SQL injections on CMSs, RCEs on routers/IoT, and critical WordPress flaws). Adjust your detection rules accordingly (IDS/IPS, SIEM use-cases).

In conclusion, the week of July 14, 2025, clearly illustrates the diversity of current threats: from basic XSS to unauthenticated RCE on network appliances, no layer is spared. My advice is to stay proactive: don’t wait for a vulnerability to be exploited in your environment before taking action. Stay informed via CISA bulletins (or equivalents) every week, and integrate this intelligence into your vulnerability management process.

Cybersecurity is a continuous effort, and responsiveness to such alerts is key to effectively protecting our infrastructure and data.

Thanks to CISA for their precise work.

Enjoy!

Source: https://www.cisa.gov/news-events/bulletins/sb25-202