Critical vulnerabilities, curated daily for security professionals
SSCV Profile
See how vulnerabilities affect your specific environment
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality.
Today's Security Brief
Monday brings concerning news with an actively exploited VoWiFi command injection flaw (CVSS 9.8) discovered over the weekend. The WordPress ecosystem continues to face pressure with 7 new plugin vulnerabilities, while network administrators should prioritize patching multiple Tenda router flaws affecting small business deployments.
Critical VoWiFi service vulnerability enables remote privilege escalation
WordPress ecosystem hit with 7 plugin/theme vulnerabilities including arbitrary file uploads
Immediate action: Security teams should audit VoWiFi deployments for CVE-2025-31715 exposure and review WordPress plugin inventories for affected components.
CISA Known Exploited Vulnerabilities
CISA KEV URGENT
CVE-2025-8876
9.5
N-able N-Central
Federal Deadline: August 19, 2025 (1 day remaining)
N-able N-Central Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV URGENT
CVE-2025-8875
9.5
N-able N-Central
Federal Deadline: August 19, 2025 (1 day remaining)
N-able N-Central Insecure Deserialization Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV URGENT
CVE-2020-25078
9.5
D-Link DCS-2530L and DCS-2670L Devices
Federal Deadline: August 25, 2025 (7 days remaining)
D-Link DCS-2530L and DCS-2670L Devices Unspecified Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV URGENT
CVE-2020-25079
9.5
D-Link DCS-2530L and DCS-2670L Devices
Federal Deadline: August 25, 2025 (7 days remaining)
D-Link DCS-2530L and DCS-2670L Command Injection Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV URGENT
CVE-2022-40799
9.5
D-Link DNR-322L
Federal Deadline: August 25, 2025 (7 days remaining)
D-Link DNR-322L Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV
CVE-2025-8088
9.5
RARLAB WinRAR
Federal Deadline: September 1, 2025 (14 days remaining)
RARLAB WinRAR Path Traversal Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV
CVE-2007-0671
9.5
Microsoft Office
Federal Deadline: September 1, 2025 (14 days remaining)
Microsoft Office Excel Remote Code Execution Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
CISA KEV
CVE-2013-3893
9.5
Microsoft Internet Explorer
Federal Deadline: September 1, 2025 (14 days remaining)
Microsoft Internet Explorer Resource Management Errors Vulnerability - Active in CISA KEV catalog.
CVSS Base: 9.5
Critical Vulnerabilities
CVE-2025-31715
9.8
Multiple Products
In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed.
CVSS Base: 9.8
High Priority Updates
CVE-2025-7664
7.5
WordPress Multiple Products
The AL Pack plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the check_activate_permission() permission callback for the /wp-json/presslearn/v1/activate REST API endpoint in all versions up to, and including, 1
CVSS Base: 7.5
CVE-2024-12612
7.5
WordPress Multiple Products
The School Management System for Wordpress plugin for WordPress is vulnerable to SQL Injection via several parameters across multiple AJAX actions in all versions up to, and including, 93
CVSS Base: 7.5
CVE-2025-3671
8.8
WordPress Multiple Products
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67
CVSS Base: 8.8
CVE-2025-6079
8.8
WordPress Multiple Products
The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the homework
CVSS Base: 8.8
CVE-2025-6080
8.8
WordPress Multiple Products
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67
CVSS Base: 8.8
CVE-2025-8142
8.8
WordPress Multiple Products
The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8
CVSS Base: 8.8
CVE-2025-8105
7.3
WordPress Multiple Products
The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8
CVSS Base: 7.3
CVE-2025-7342
7.5
Kubernetes Multiple Products
A security issue was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process
CVSS Base: 7.5
CVE-2025-49895
8.8
iThemes Multiple Products
Cross-Site Request Forgery (CSRF) vulnerability in iThemes ServerBuddy by PluginBuddy
CVSS Base: 8.8
CVE-2025-9087
8.8
Multiple Products
A vulnerability has been found in Tenda AC20 16
CVSS Base: 8.8
CVE-2025-9088
8.8
Multiple Products
A vulnerability was found in Tenda AC20 16
CVSS Base: 8.8
CVE-2025-9089
8.8
Multiple Products
A vulnerability was determined in Tenda AC20 16
CVSS Base: 8.8
CVE-2025-31713
8.4
Multiple Products
In engineer mode service, there is a possible command injection due to improper input validation