CVE-2025-0913

Published Jun 11, 2025

Last updated a month ago

CVSS medium 5.5
WordPress

Overview

AI description

Automated description summarized from trusted sources.

CVE-2025-0913 is associated with multiple vulnerabilities across different software. One vulnerability affects the Slider & Popup Builder by Depicter plugin for WordPress. Specifically, it is a generic SQL Injection vulnerability present in versions up to and including 3.6.1. The vulnerability lies in the 's' parameter due to insufficient escaping of user-supplied input and inadequate preparation of the existing SQL query. Another vulnerability, CVE-2025-0913, is found in Ashlar-Vellum Cobalt related to CO file parsing. This use-after-free vulnerability allows remote attackers to execute arbitrary code on affected installations. Exploitation requires user interaction, such as opening a malicious file. The flaw stems from the lack of validation of an object's existence before operations are performed on it.

Description
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Source
security@golang.org
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Severity
MEDIUM

Social media

Hype score
Not currently trending

  1. CVE-2025-0913 os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREA… https://t.co/Yup2PxEyWw

    @CVEnew

    11 Jun 2025

    428 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚀 URGENT: #openSUSE Leap 15.6 patches critical #GoLang vulnerabilities (CVE-2025-22874, CVE-2025-0913, CVE-2025-4673). 🔐 Impacts: ✔ Certificate validation bypass ✔ HTTP header leaks ✔ Permission flaws Read more : 👇https://t.co/tD2CaU1AV8 https://t.co/GCarji7v1R

    @Cezar_H_Linux

    10 Jun 2025

    31 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. #Mageia9 patches 3 Golang CVEs: ✅ Proxy-Auth header leaks (CVE-2025-4673) ✅ Symlink handling flaws (CVE-2025-0913) ✅ x509 policy bypass (CVE-2025-22874) Read more: 👉 https://t.co/6AmFFJ5tkT #DevSecOps https://t.co/hzSlkXsB2B

    @Cezar_H_Linux

    10 Jun 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🎆 Go 1.24.4 and 1.23.10 are released! 🔐 Security: Includes security fixes for CVE-2025-4673, CVE-2025-0913, and CVE-2025-22874 in net/http, os, and crypto/x509. 📰 Announcement: https://t.co/C3AeYy8ZX8 📦 Download: https://t.co/5hObjouLtK #golang https://t.co/NyEeP3

    @golang

    5 Jun 2025

    18043 Impressions

    101 Retweets

    443 Likes

    26 Bookmarks

    4 Replies

    4 Quotes

References

Sources include official advisories and independent security research.