The European Central Bank (ECB) issues new warnings on unprecedented financial risks impacting eurozone banks, including market volatility, geopolitical tensions, and non-bank vulnerabilities. Explore the ECB’s latest supervisory measures, reverse stress testing, capital requirements, and strategic recommendations for long-term financial stability.

Latest ECB Warnings

The ECB cautions that the financial system is facing “unprecedented shocks”, noting that the current environment is highly unpredictable and may expose banks to crisis scenarios that have never previously occurred. Key risk areas identified include:

ECB: Next Steps

1. Introduction of a New “Reverse Stress Test” Approach
2. Strengthened Expectations for Banks

The ECB advises…
Overview

CVE-2025-13526 is a high-severity vulnerability affecting the OneClick Chat to Order plugin for WordPress. This vulnerability, present in versions up to and including 1.0.8, allows unauthenticated attackers to access sensitive customer order information by exploiting an Insecure Direct Object Reference (IDOR).

Technical Details

The vulnerability resides within the wa_order_thank_you_override function in the plugin’s code. Specifically, the plugin fails to properly validate user-supplied input for the order ID. An attacker can manipulate the order ID parameter in the URL to access details related to arbitrary orders within the system. This is a classic example of an IDOR vulnerability. The vulnerable…
Overview

CVE-2025-13318 is a medium-severity vulnerability affecting the Booking Calendar Contact Form plugin for WordPress. This vulnerability, present in versions up to and including 1.2.60, allows unauthenticated attackers to bypass payment requirements and arbitrarily confirm bookings. This is due to a missing authorization check and payment verification within the dex_bccf_check_IPN_verification function.

Technical Details

The vulnerability lies within the dex_bccf_check_IPN_verification function, which handles IPN (Instant Payment Notification) verification for bookings. Due to the absence of proper authorization checks and verification that a payment has actually been made, an attacker can send a crafted request with the dex_bccf_ipn parameter to trigger…
Overview

CVE-2025-13136 identifies a medium-severity vulnerability within the GSheetConnector For Ninja Forms WordPress plugin. This flaw allows authenticated attackers with Subscriber-level access or higher to retrieve sensitive information about the WordPress system. The vulnerability exists due to a missing capability check on the njform-google-sheet-config page. All versions of the plugin up to and including 2.0.1 are affected.

Technical Details

The vulnerability stems from a lack of proper access control on the njform-google-sheet-config page. Specifically, the plugin fails to verify whether a user possesses the necessary capabilities to access this page. As a result, even users with minimal privileges, such…
Overview

A high-severity vulnerability, identified as CVE-2025-13384, has been discovered in the CP Contact Form with PayPal plugin for WordPress. This flaw allows unauthenticated attackers to mark form submissions as paid without actually completing the payment process. This impacts all versions of the plugin up to and including version 1.3.56. If you use this plugin, immediate action is required to protect your website.

Technical Details

The vulnerability stems from a missing authorization check in the plugin’s IPN-like (Instant Payment Notification) endpoint. Specifically, the ‘cp_contactformpp_ipncheck’ query parameter triggers payment confirmation processing. The plugin fails to validate the authenticity of these requests,…
Overview

CVE-2025-13317 identifies a missing authorization vulnerability affecting the Appointment Booking Calendar plugin for WordPress. This flaw, present in versions up to and including 1.3.96, allows unauthenticated attackers to bypass security checks and inject arbitrary bookings into the calendar. This can lead to disruption of services, unauthorized access to resources, and potential data manipulation.

Technical Details

The vulnerability stems from the plugin’s exposure of an unauthenticated booking processing endpoint (cpabc_appointments_check_IPN_verification). The plugin trusts attacker-supplied payment notifications received through the cpabc_ipncheck parameter without properly verifying their origin, authenticity, or requiring proper authorization. This means an attacker can craft malicious requests that…
Overview

A critical security vulnerability has been identified in the IDonate – Blood Donation, Request And Donor Management System plugin for WordPress. Designated as CVE-2025-12877, this flaw allows unauthenticated attackers to delete arbitrary posts within the WordPress installation. This vulnerability affects all versions of the plugin up to and including version 2.1.15. Immediate action is required to mitigate this risk.

Technical Details

The vulnerability stems from a missing capability check within the panding_blood_request_action() function. Specifically, the plugin fails to verify whether a user has the necessary permissions before allowing them to execute this function. As a result, an unauthenticated attacker…
Overview

CVE-2025-12752 is a medium-severity vulnerability affecting the “Subscriptions & Memberships for PayPal” WordPress plugin, impacting versions up to and including 1.1.7. This security flaw allows unauthenticated attackers to create fake payment entries within the system, potentially leading to unauthorized access, service disruption, or financial manipulation.

Technical Details

The vulnerability stems from the plugin’s inadequate verification of the authenticity of Instant Payment Notification (IPN) requests received from PayPal. An IPN is a message service that PayPal uses to notify merchants of events related to PayPal transactions. Because the plugin doesn’t properly validate the source of these IPN requests, an…
Overview

A critical security vulnerability, identified as CVE-2025-11186, has been discovered in the “Cookie Notice & Compliance for GDPR / CCPA” WordPress plugin. This vulnerability allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages via the plugin’s cookies_accepted shortcode. This Stored Cross-Site Scripting (XSS) vulnerability affects all versions up to and including 2.5.8. Successful exploitation of this vulnerability could lead to account compromise, malware injection, and other malicious activities.

Technical Details

The vulnerability stems from insufficient input sanitization and output escaping when handling user-supplied attributes within the cookies_accepted shortcode. Specifically, the code responsible for…
Overview

CVE-2025-12889 describes a vulnerability affecting TLS 1.2 connections. The vulnerability allows a client to select a weaker digest for authentication, even if the server supports stronger digests as indicated in the CertificateRequest message. This can potentially weaken the security of the TLS connection, making it more susceptible to certain types of attacks.

Technical Details

In a standard TLS 1.2 handshake, the server sends a CertificateRequest message to the client, specifying the acceptable certificate types and signature algorithms. Ideally, the client should adhere to these constraints and select a signature algorithm (digest) from the offered list. However, CVE-2025-12889 highlights a…