In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of the AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between June 14-15, 2025.
During this period, the National Vulnerability Database published 30 new Common Vulnerabilities and Exposures (CVEs), classified as follows:
Critical: 1
High: 4
Medium: 16
Low: 0
Severity Not Assigned: 9
Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.
1. CVE-2025-33108
Base Score: 8.5
Base Severity: HIGH
Exploitability Score: 1.8
Impact Score: 6.0
Description: IBM Backup, Recovery and Media Services for i 7.4 and 7.5 could allow a user with the capability to compile or restore a program to gain elevated privileges due to a library unqualified call made by a BRMS program. A malicious actor could cause user-controlled code to run with component access to the host operating system.
References: https://www.ibm.com/support/pages/node/7236663
CWE-ID: CWE-250
Common Platform Enumerations (CPE): Not Found
2. CVE-2025-3234
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.8.8. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Administrators have the ability to extend file manager usage privileges to lower-level users including subscribers, which would make this vulnerability more severe on such sites.
References: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3310066%40filester%2Ftrunk&old=3294389%40filester%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/00df02cd-b4d3-477a-86ee-aa2f9b5216e8?source=cve
CWE-ID: CWE-434
Common Platform Enumerations (CPE): Not Found
3. CVE-2025-5487
Base Score: 7.2
Base Severity: HIGH
Exploitability Score: 1.2
Impact Score: 5.9
Description: The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the field_conditions parameter in all versions up to, and including, 5.2.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Administrators can configure the plugin to allow access to this functionality to authors and higher.
References: https://plugins.trac.wordpress.org/browser/automatorwp/tags/5.2.3/integrations/automatorwp/triggers/all-posts.php#L256
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3307465%40automatorwp%2Ftrunk&old=3302138%40automatorwp%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/3e1a84c6-e28b-42fe-a16a-aeb227cfe956?source=cve
CWE-ID: CWE-89
Common Platform Enumerations (CPE): Not Found
4. CVE-2025-4200
Base Score: 8.1
Base Severity: HIGH
Exploitability Score: 2.2
Impact Score: 5.9
Description: The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product'. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
References: https://themeforest.net/item/zagg-electronics-accessories-woocommerce-wordpress-theme/54636595
https://www.wordfence.com/threat-intel/vulnerabilities/id/327deb08-715f-4d54-b95b-18552c07cbc0?source=cve
CWE-ID: CWE-98
Common Platform Enumerations (CPE): Not Found
5. CVE-2025-6065
Base Score: 9.1
Base Severity: CRITICAL
Exploitability Score: 3.9
Impact Score: 5.2
Description: The Image Resizer On The Fly plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete' task in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
References: https://plugins.trac.wordpress.org/browser/image-resizer-on-the-fly/trunk/image-resizer-on-the-fly.php#L25
https://wordpress.org/plugins/image-resizer-on-the-fly/
https://www.wordfence.com/threat-intel/vulnerabilities/id/14877ff6-e393-41a3-91c1-fe7f477297cc?source=cve
CWE-ID: CWE-22
Common Platform Enumerations (CPE): Not Found