Overview
Fortinet has identified a critical path traversal and authentication bypass vulnerability in several versions of their FortiWeb Web Application Firewall (WAF). This vulnerability allows an unauthenticated remote attacker to gain full administrative access, modify WAF rules and pivot into internal networks. It is actively being exploited in the wild.
- CVE-2025-64446: Fortinet FortiWeb Escalation of Privilege (CVSSv3 9.4). Affects numerous versions prior to 8.0.1.
The WordPress plugins WooCommerce, “Enable SVG, WebP, and ICO Upload” and Elementor have had high severity vulnerabilities identified that enable attackers to gain unauthorised access to sensitive data, upload dangerous files and inject arbitrary scripts into pages.
- CVE-2025-12955: WordPress WooCommerce Plugin Missing Authorisation (CVSSv3 7.5). Affects versions <= 2.3.39.
- CVE-2025-13069: WordPress “Enable SVG, WebP, and ICO Upload” Plugin Unrestricted File Upload (CVSSv3 8.8). Affects versions <= 1.1.2.
- CVE-2025-13196: WordPress GiveWP Donation Plugin Cross-Site Scripting (XSS) (CVSSv3 7.2). Affects versions <= 4.13.0.
Microsoft released 63 security fixes in their November “Patch Tuesday” release, including an actively exploited zero-day and five critical vulnerabilities. Notable high and critical vulnerabilities include unauthorised privilege escalation via a race condition and remote code execution requiring no privileges.
- CVE-2025-62215: Windows Kernel Elevation of Privilege (zero-day) (CVSSv3 7.0)
- CVE-2025-60724: Microsoft Graphics Component Remote Code Execution (RCE) (CVSSv3 9.8)
- CVE-2025-62199: Microsoft Remote Code Execution (RCE) (CVSSv3 7.8)
Recommended Action
Organisations and individuals are strongly advised to review the appropriate security advisory pages and apply the relevant patches or mitigations:
- Fortinet FortiGuard – PSIRT
- Wordfence – WordPress Vulnerability Database
- Microsoft – Security Update Guide