In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between May 03-04, 2025.
During this period, the National Vulnerability Database published 30 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:
Critical: 1
High: 2
Medium: 23
Low: 1
Severity Not Assigned: 3
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2024-13738
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: The Motors - Car Dealer, Rental & Listing WordPress theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.6.65. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
*It is unclear exactly which version the issue was patched in from the changelog. Therefore, we used the latest version at the time of verification.
References: https://stylemixthemes.com/motors/
https://themeforest.net/item/motors-automotive-cars-vehicle-boat-dealership-classifieds-wordpress-theme/13987211
https://www.wordfence.com/threat-intel/vulnerabilities/id/4635f5c1-c326-4f53-bc54-a402cf5dae00?source=cve
CWE-ID: CWE-94
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-3918
Base Score: 9.8
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.9
Description: The Job Listings plugin for WordPress is vulnerable to Privilege Escalation due to improper authorization within the register_action() function in versions 0.1 to 0.1.1. The plugin’s registration handler reads the client-supplied $_POST['user_role'] and passes it directly to wp_insert_user() without restricting to a safe set of roles. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator.
References: https://plugins.trac.wordpress.org/browser/job-listings/trunk/includes/forms/class-jlt-form-member.php#L68
https://wordpress.org/plugins/job-listings/#developers
https://www.wordfence.com/threat-intel/vulnerabilities/id/c9cd43f5-c3d0-4eb2-9c18-1af2edca37ff?source=cve
CWE-ID: CWE-285
Common Platform Enumerations (CPE): Not Found
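The defect in CVE-2025-3918 is a role value taken straight from the request. The following is an added example, not the Job Listings plugin's own code, of a WordPress registration handler that resolves the requested role through an allowlist before calling wp_insert_user(); the function names, form field names and the allowed-role set are assumptions.

```php
<?php
// Added example (not the Job Listings plugin's code): registration handler
// that never hands a client-chosen role to wp_insert_user() unchecked.
// Names (jlt_*), nonce action and the allowed-role set are assumptions.

// Roles a self-registering visitor may receive. 'administrator' and every
// other privileged role are absent, so a forged user_role cannot escalate.
const JLT_ALLOWED_SELF_REGISTER_ROLES = array( 'subscriber' );

function jlt_safe_role_from_request( $requested ) {
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, JLT_ALLOWED_SELF_REGISTER_ROLES, true ) ) {
        return $requested;
    }
    // Anything not on the allowlist falls back to the site default role.
    return get_option( 'default_role', 'subscriber' );
}

function jlt_register_action() {
    // Nonce check ties the submission to the rendered form (CSRF mitigation).
    if ( ! isset( $_POST['jlt_nonce'] ) ||
         ! wp_verify_nonce( $_POST['jlt_nonce'], 'jlt_register' ) ) {
        wp_die( 'Invalid request.' );
    }

    $userdata = array(
        'user_login' => sanitize_user( $_POST['user_login'] ?? '' ),
        'user_email' => sanitize_email( $_POST['user_email'] ?? '' ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        // Weak pattern from the advisory: 'role' => $_POST['user_role'].
        // Hardened: the role is resolved through the allowlist instead.
        'role'       => jlt_safe_role_from_request( $_POST['user_role'] ?? '' ),
    );

    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_die( esc_html( $user_id->get_error_message() ) );
    }
    return $user_id;
}
```

Sites that ran an affected version should also review existing accounts for unexpected administrator roles created through the registration form, since the fix does not retroactively demote them.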
3. CVE-2025-47244
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.4
Description: Inedo ProGet through 2024.22 allows remote attackers to reach restricted functionality through the C# reflection layer, as demonstrated by causing a denial of service (when an attacker executes a loop calling RestartWeb) or obtaining potentially sensitive information. Exploitation can occur if Anonymous access is enabled, or if there is a successful CSRF attack.
References: https://docs.inedo.com/docs/proget/installation/installation-guide
https://forums.inedo.com
https://my.inedo.com/downloads/installers?product=ProGet
https://seclists.org/fulldisclosure/2025/Apr/30
CWE-ID: CWE-288
Common Platform Enumerations (CPE): Not Found