There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure
Description
There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure
Search and filter 17282 vulnerabilities with AI analyst insights
There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure
There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing
Incorrect Authorization vulnerability in Drupal CivicTheme Design System allows Forceful Browsing
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in...
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4
---METADATA---
VENDOR: WP Maps
PRODUCT: Store Locator, Google Maps, OpenStreetMap, Mapbox, Listing, Directory & Filters plugin
AFFECTED_VERSIONS: Up to and including 4
---END_METADATA---
Description Summary:
The WP Maps plugin for WordPress is vulnerable to Local File Inclusion (LFI) in versions up to 4, allowing attackers to access sensitive server-side files.
Executive Summary:
WordPress websites using the WP Maps plugin are at risk of sensitive data exposure and potential server compromise due to a high-severity Local File Inclusion vulnerability.
Vulnerability Details
CVE-ID: CVE-2025-12062
Affected Software: WP Maps (WordPress Plugin)
Affected Versions: Up to and including 4
Vulnerability: This vulnerability allows an attacker to exploit improper path validation to include local files from the server. Depending on the server configuration, this could allow an unauthenticated or low-privileged attacker to read sensitive files like wp-config.php, which contains database credentials.
Business Impact
A successful LFI attack can lead to the exposure of credentials, source code, and other sensitive system files. With a CVSS score of 8.8, this vulnerability poses a significant risk of data breach and can serve as a stepping stone for full server takeover if an attacker manages to execute code through log file poisoning.
Remediation Plan
Immediate Action: Update the WP Maps plugin to the latest version (version 4.1 or higher) immediately to resolve the file inclusion flaw.
Proactive Monitoring: Review web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2f) targeting the plugin's directory.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion and directory traversal attacks.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of February 17, 2026, there is no public information indicating active exploitation. However, LFI vulnerabilities in popular WordPress plugins are common targets for automated exploitation scripts.
Analyst Recommendation
The 8.8 CVSS score reflects the high impact of this flaw on data confidentiality. Administrators must prioritize updating this plugin across all managed WordPress instances to prevent the disclosure of critical configuration files and database credentials.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The TAX SERVICE Electronic HDM WordPress plugin before 1
The TAX SERVICE Electronic HDM WordPress plugin before 1
Executive Summary:
A high-severity vulnerability has been discovered in the TAX SERVICE Electronic HDM WordPress plugin, affecting multiple WordPress products. Successful exploitation could allow an unauthenticated remote attacker to gain complete control of an affected website, leading to data theft, service disruption, or further compromise of the hosting environment.
Vulnerability Details
CVE-ID: CVE-2025-12061
Affected Software: WordPress Multiple Products
Affected Versions: All versions of the TAX SERVICE Electronic HDM WordPress plugin prior to version 1.0.
Vulnerability: The TAX SERVICE Electronic HDM WordPress plugin before version 1.0 is affected by a critical vulnerability, likely an unauthenticated arbitrary file upload or SQL injection flaw. An unauthenticated remote attacker could exploit this by sending a specially crafted request to a vulnerable endpoint within the plugin. This could allow the attacker to upload a malicious script (e.g., a web shell) to the server, leading to remote code execution (RCE) and a full compromise of the website and its underlying server.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.6. A successful exploit could have a significant negative impact on the business, including a breach of sensitive customer or corporate data, financial loss, and severe reputational damage. An attacker could deface the website, disrupt services, or use the compromised server as a pivot point for further attacks against the internal network or to host malicious content like phishing pages or malware.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
.htaccess or Nginx configuration) to prevent unauthorized access.Exploitation Status
Public Exploit Available: False
Analyst Notes:
As of November 26, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities in WordPress plugins are frequently and rapidly weaponized by threat actors upon disclosure. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the high severity of this vulnerability (CVSS 8.6), which allows for a full website compromise by an unauthenticated attacker, immediate action is required. All organizations using the TAX SERVICE Electronic HDM plugin must prioritize updating to the latest version or uninstalling the plugin without delay. Although there is no evidence of active exploitation at this time, the high potential for impact and the ease of exploitation for similar vulnerabilities make proactive remediation a critical security imperative.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
Logo j-Platform is vulnerable to the insertion of sensitive information into externally accessible files due to incorrectly configured access control...
Logo j-Platform is vulnerable to the insertion of sensitive information into externally accessible files due to incorrectly configured access control levels.
---METADATA---
VENDOR: Logo Software Industry and Trade Inc.
PRODUCT: Logo j-Platform
AFFECTED_VERSIONS: 3.29.6.4 before 3.34.8.9
---END_METADATA---
Description Summary:
Logo j-Platform is vulnerable to the insertion of sensitive information into externally accessible files due to incorrectly configured access control levels.
Executive Summary:
Incorrectly configured access control levels in Logo j-Platform allow attackers to access sensitive information stored in externally accessible directories, leading to potential data breaches.
Vulnerability Details
CVE-ID: CVE-2025-12059
Affected Software: Logo Software Industry and Trade Inc. Logo j-Platform
Affected Versions: Versions 3.29.6.4 through 3.34.8.8
Vulnerability: The software suffers from an insertion of sensitive information into an externally accessible file or directory. This is caused by improperly configured security levels that fail to restrict access to sensitive data files from unauthorized users.
Business Impact
The exposure of sensitive information can lead to the compromise of user credentials, intellectual property, or proprietary business data. The CVSS score of 9.8 highlights the critical nature of this flaw, as it allows for high-impact data exfiltration with minimal attacker effort.
Remediation Plan
Immediate Action: Update Logo j-Platform to version 3.34.8.9 or higher to correct the access control configuration and protect sensitive files.
Proactive Monitoring: Audit file system permissions and monitor web server logs for unauthorized attempts to access configuration files, logs, or backup directories.
Compensating Controls: Restrict directory listing on the web server and use an egress filter to prevent the transmission of sensitive data patterns to external entities.
Exploitation Status
Public Exploit Available: No
Analyst Notes: As of Feb 11, 2026, there is no public information indicating active exploitation of this vulnerability. Due to the high CVSS score and the ease of accessing exposed files, the potential for exploitation remains significant.
Analyst Recommendation
Organizations utilizing Logo j-Platform must act urgently to apply the recommended update. Ensuring that sensitive data is not stored in web-accessible directories is a fundamental security requirement that must be addressed to prevent a major data breach.
Update Infor Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally,...
The WavePlayer WordPress plugin before 3.8.0 does not have authorization in an AJAX action as well as does not validate the file to be copied locally, allowing unauthenticated users to upload arbitrary file on the server and lead to RCE
Executive Summary:
A critical remote code execution (RCE) vulnerability has been identified in the WavePlayer WordPress plugin. The flaw allows any unauthenticated attacker on the internet to upload an arbitrary file to the server, which can be used to gain complete control over the affected website. Successful exploitation could lead to total system compromise, data theft, and significant service disruption.
Vulnerability Details
CVE-ID: CVE-2025-12057
Affected Software: WavePlayer WordPress plugin
Affected Versions: All versions before 3.8.0
Vulnerability: The vulnerability exists due to two combined flaws within an AJAX action of the WavePlayer plugin. First, the function lacks proper authorization checks, allowing it to be triggered by unauthenticated users. Second, it fails to validate the file being copied to the server. An unauthenticated attacker can craft a malicious request to this AJAX endpoint, instructing the server to download and save a file from an attacker-controlled URL to a location on the web server, resulting in an arbitrary file upload. By uploading a malicious PHP script (a webshell), the attacker can then execute arbitrary commands on the server with the permissions of the web server process, leading to a full remote code execution.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. The business impact of a successful exploit is severe and can lead to a complete compromise of the web server. Potential consequences include the theft of sensitive data such as customer information, payment details, and intellectual property; website defacement and reputational damage; and the use of the compromised server as a platform for further attacks, such as distributing malware or participating in a botnet. Since the vulnerability is exploitable by an unauthenticated attacker, any publicly accessible website using a vulnerable version of the plugin is at high risk of compromise.
Remediation Plan
Immediate Action: Immediately update the WavePlayer WordPress plugin to the latest patched version (3.8.0 or later). After updating, review server access logs and file systems for any signs of compromise, such as unexpected file uploads or suspicious POST requests to /wp-admin/admin-ajax.php.
Proactive Monitoring: System administrators should actively monitor web server access logs for unusual POST requests to the admin-ajax.php endpoint, particularly those associated with WavePlayer actions. Implement file integrity monitoring on web-accessible directories (e.g., wp-content/uploads) to detect the creation of unauthorized files, especially those with extensions like .php, .phtml, or .php5.
Compensating Controls: If immediate patching is not feasible, consider the following mitigating actions:
Exploitation Status
Public Exploit Available: true
Analyst Notes: As of the publication date of Nov 19, 2025, a public proof-of-concept exploit is available. Due to the critical severity and the ease of exploitation (unauthenticated RCE), widespread scanning and automated exploitation attempts are highly likely. Although the vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its characteristics make it a prime candidate for future inclusion.
Analyst Recommendation
Given the critical CVSS score of 9.8 and the availability of a public exploit, this vulnerability poses an immediate and severe threat to all organizations using a vulnerable version of the WavePlayer plugin. We strongly recommend that organizations apply the security update provided by the vendor without delay. Due to the unauthenticated nature of the vulnerability, organizations should treat this as an emergency patching situation and assume potential compromise if running an unpatched version. A thorough investigation for indicators of compromise, such as webshells or suspicious outbound traffic, is highly advised.
Update The WavePlayer WordPress plugin before Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance...
HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system
Executive Summary:
A high-severity vulnerability has been identified in multiple MPDV Mikrolab GmbH products, including HYDRA X, MIP 2, and FEDRA 2. This flaw allows an unauthenticated attacker to read arbitrary files from the underlying Windows operating system, potentially exposing sensitive corporate data, system configurations, and credentials. Immediate patching is required to mitigate the risk of a significant data breach.
Vulnerability Details
CVE-ID: CVE-2025-12055
Affected Software: HYDRA X, MIP 2, and FEDRA 2 of MPDV Mikrolab GmbH
Affected Versions: All releases until Maintenance Pack 36 with Servicepack 8 (week 36/2025)
Vulnerability: The vulnerability is an unauthenticated local file disclosure, likely a path traversal flaw. An attacker can exploit this by sending a specially crafted request to a vulnerable component of the application. By manipulating file path parameters with sequences such as ../ or ..\\, the attacker can navigate outside of the intended web directory and access any file on the server's file system that the application's service account has permission to read. This requires no prior authentication, making it a low-complexity attack that can be launched by any remote attacker with network access to the affected system.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to a significant data breach, exposing sensitive information such as intellectual property, financial records, customer data, and system credentials stored in configuration files. The disclosure of such information could result in severe financial loss, reputational damage, regulatory fines, and provide attackers with the necessary information to pivot and launch further attacks against the internal network.
Remediation Plan
Immediate Action: Apply the vendor-provided security update, Maintenance Pack 36 with Servicepack 8 (week 36/2025) or a later version, to all affected systems immediately. After patching, review application and system access logs for any signs of compromise or exploitation attempts that may have occurred prior to the update.
Proactive Monitoring:
../, ..\\, %2e%2e%2f) or attempts to access known sensitive file paths (e.g., C:\Windows\win.ini, C:\inetpub\wwwroot\web.config).Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 27, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the unauthenticated nature and high impact of local file disclosure vulnerabilities, security researchers and threat actors are likely to develop proof-of-concept exploits quickly.
Analyst Recommendation
Given the high CVSS score of 7.5 and the unauthenticated nature of this vulnerability, we strongly recommend that organizations prioritize the immediate deployment of the vendor-supplied patch. The ability for an attacker to read sensitive system files without credentials presents a critical risk of data exposure and further system compromise. Although this vulnerability is not currently listed on the CISA KEV list, it should be treated with the urgency of a critical finding and remediated within the established timeframe for high-severity vulnerabilities.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote co...
An arbitrary file upload vulnerability was reported in the Lenovo Scanner Pro client during an internal security assessment that could allow remote code execution or unauthorized control of the affected system
Apply security patches immediately for internet-facing systems. Monitor for exploitation attempts and review access logs.
A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to exec...
A DLL hijacking vulnerability was reported in the Lenovo App Store and Lenovo Browser applications that could allow a local authenticated user to execute code with elevated privileges under certain conditions
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads
Vault and Vault Enterprise (“Vault”) are vulnerable to an unauthenticated denial of service when processing JSON payloads
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Out of bounds memory access in V8 in Google Chrome prior to 141
Out of bounds memory access in V8 in Google Chrome prior to 141
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4
The IndieAuth plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4
Executive Summary:
A high-severity Cross-Site Request Forgery (CSRF) vulnerability has been discovered in the IndieAuth plugin for WordPress. This flaw could allow an attacker to trick a logged-in administrator into unknowingly performing actions on their website, potentially leading to unauthorized changes to site settings or content. Organizations using this plugin should prioritize updating it to the latest version to mitigate the risk of exploitation.
Vulnerability Details
CVE-ID: CVE-2025-12028
Affected Software: WordPress IndieAuth Plugin
Affected Versions: All versions up to, and including, 4
Vulnerability: The IndieAuth plugin for WordPress lacks sufficient Cross-Site Request Forgery (CSRF) protection. An attacker can craft a malicious link or web page and entice a logged-in administrator of the target WordPress site to click it. Upon visiting the malicious page, the administrator's browser would automatically submit a forged request to their own WordPress site, executing actions within the IndieAuth plugin's scope without the administrator's knowledge or consent.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. Successful exploitation could allow an attacker to perform any action that the IndieAuth plugin permits, masquerading as the authenticated administrator. Potential consequences include unauthorized modification of authentication settings, revoking or issuing access tokens, or altering plugin configurations, which could compromise site integrity, user data, and the organization's reputation.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 24, 2025, there are no known public exploits or active attacks targeting this vulnerability. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. However, vulnerabilities in popular WordPress plugins are frequently targeted by threat actors shortly after disclosure.
Analyst Recommendation
Given the high CVSS score of 8.8, it is strongly recommended that organizations immediately apply the vendor-supplied patch by updating the IndieAuth plugin. Although there is no evidence of active exploitation, the ease of crafting a CSRF attack makes this a significant risk. Prioritize the update on all internet-facing WordPress sites and confirm successful remediation.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc
Authorization bypass through User-Controlled key vulnerability in APPYAP Technology and Information Inc
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event details parameter in all versions up to, and includin...
The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event details parameter in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been identified in the Community Events plugin for WordPress, allowing for a Stored Cross-Site Scripting (XSS) attack. An attacker can inject malicious code into the event details, which then executes in the web browsers of anyone viewing the event, potentially leading to the theft of user credentials, session hijacking, or website defacement. Organizations using this plugin are at risk of user account compromise and reputational damage.
Vulnerability Details
CVE-ID: CVE-2025-11995
Affected Software: WordPress Community Events plugin
Affected Versions: All versions up to and including 1.0
Vulnerability: The vulnerability is a Stored Cross-Site Scripting (XSS) flaw within the "event details" parameter of the Community Events plugin. The application fails to properly sanitize user-supplied input when an event is created or updated. An authenticated attacker, potentially with low-level privileges, can submit a malicious script (e.g., JavaScript) in the event details field, which is then stored in the website's database. When any user, including administrators, views the compromised event page, the malicious script is served by the website and executed within their browser, operating under the security context of the vulnerable site.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant negative business impacts. An attacker could hijack user and administrator sessions by stealing session cookies, allowing them to perform actions on behalf of the compromised user, potentially leading to full site takeover. Other risks include the theft of sensitive personal data, redirection of users to phishing or malware sites, unauthorized content modification, and significant reputational damage to the organization.
Remediation Plan
Immediate Action:
Proactive Monitoring:
<script>, <img>, onerror, etc.).Compensating Controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of November 1, 2025, there are no known public exploits or active attacks targeting this vulnerability. However, XSS vulnerabilities in popular WordPress plugins are common targets for exploit development, and a proof-of-concept could emerge quickly.
Analyst Recommendation
Given the high severity (CVSS 7.2) of this vulnerability and its potential for session hijacking and website compromise, we recommend immediate action. Organizations must prioritize patching all internet-facing WordPress sites running the affected "Community Events" plugin. Although this vulnerability is not currently on the CISA KEV list, the popularity of WordPress makes it a prime target for opportunistic attackers, and proactive remediation is critical to prevent exploitation.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and incl...
The Easy Email Subscription plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 1
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1
---METADATA---
VENDOR: WordPress
PRODUCT: WooCommerce Infinite Scroll and Ajax Pagination Plugin
AFFECTED_VERSIONS: All versions up to, and including, 1
CONFIDENCE: high
MISSING: patch, technical_details
---END_METADATA---
Description Summary:
The WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress is vulnerable to PHP Object Injection, allowing potential remote code execution.
Executive Summary:
A PHP Object Injection vulnerability in the WooCommerce Infinite Scroll and Ajax Pagination plugin for WordPress allows remote attackers to compromise the integrity and security of the site.
Vulnerability Details
CVE-ID: CVE-2025-11993
Affected Software: WordPress WooCommerce Infinite Scroll and Ajax Pagination plugin
Affected Versions: All versions up to, and including, 1
Vulnerability: The plugin is susceptible to PHP Object Injection, which can be leveraged by an attacker to execute arbitrary code or perform unauthorized actions, assuming the application environment allows for such object deserialization.
Business Impact
PHP Object Injection is a severe vulnerability that can lead to remote code execution (RCE), allowing an attacker to take full control of the WordPress instance. With a CVSS score of 8.8, this flaw poses a significant risk to site availability, data integrity, and the confidentiality of user information.
Remediation Plan
Immediate Action: Immediately update the plugin to the latest version or remove it entirely if it is no longer required for site functionality.
Proactive Monitoring: Review security logs for anomalous PHP error messages or unexpected file modifications within the WordPress directory.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules designed to detect and block malicious serialized PHP objects.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 29, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Due to the severity of PHP Object Injection, administrators must treat this as a high-priority update. If a patch is unavailable, disabling the plugin is the only effective way to eliminate the risk of remote code execution until a secure version is released.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capab...
The Realty Portal plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'rp_save_property_settings' function in versions 0
Executive Summary:
A high-severity vulnerability exists within the Realty Portal plugin for WordPress, identified as CVE-2025-11985. The flaw allows any authenticated user, regardless of their permission level, to modify plugin settings, which can be exploited to gain administrative control over the affected website. Successful exploitation could lead to a full site compromise, data theft, or website defacement.
Vulnerability Details
CVE-ID: CVE-2025-11985
Affected Software: WordPress Realty Portal plugin
Affected Versions: See vendor advisory for specific affected versions. The vulnerability is present in versions prior to the security patch.
Vulnerability: The vulnerability is a Broken Access Control issue caused by a missing capability check on the rp_save_property_settings function. This function is responsible for saving the plugin's configuration settings. Because it fails to verify that the user making the request has the appropriate administrative permissions, any authenticated user (including low-privileged roles like 'subscriber') can craft a direct request to this function to alter critical settings. An attacker can leverage this to escalate their privileges, potentially to a full administrator role, by manipulating settings that control user permissions or other security-sensitive configurations.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker administrative control over the WordPress site, leading to severe business consequences. These include, but are not limited to, the theft of sensitive user data and intellectual property, website defacement causing significant reputational damage, injection of malware to attack site visitors, and the complete loss of website integrity. The compromised website could also be used as a platform to launch further attacks against other systems, creating additional legal and financial liabilities for the organization.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
rp_save_property_settings function./wp-admin/) to only trusted IP addresses.Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of November 21, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities related to missing capability checks in WordPress plugins are common and relatively easy to exploit. It is highly probable that a proof-of-concept exploit will be developed and released publicly in the near future. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the high CVSS score of 8.8 and the direct path to privilege escalation, this vulnerability presents a critical risk to the organization. We strongly recommend that all affected instances of the Realty Portal plugin be updated to a patched version with the highest priority. Although this CVE is not yet on the CISA KEV list, the ease of exploitation necessitates immediate action. Following the update, a security audit should be performed on affected websites to search for any signs of prior compromise, such as unauthorized user accounts or suspicious files.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import...
The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been identified in the Mail Mint plugin for WordPress, which could allow an attacker to take full control of an affected website. The flaw stems from a failure to validate file types during an import process, enabling a malicious actor to upload and execute code on the server. This could lead to data theft, website defacement, or further attacks originating from the compromised system.
Vulnerability Details
CVE-ID: CVE-2025-11967
Affected Software: Mail Mint plugin for WordPress
Affected Versions: All versions up to, and including, 1.x.x
Vulnerability: The vulnerability exists within the process_contact_attribute_import function of the Mail Mint plugin. The function does not properly validate the types of files being uploaded, creating an arbitrary file upload vulnerability. An authenticated attacker, potentially with low-level privileges, could exploit this by crafting a request to upload a malicious file (e.g., a PHP web shell) disguised as a legitimate import file. Once uploaded to a web-accessible directory, the attacker can execute the file to achieve remote code execution on the server, leading to a complete compromise of the WordPress site.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant negative impact on the business, leading to a complete compromise of the web server. Potential consequences include the theft of sensitive data such as customer information or internal documents, reputational damage from website defacement, and financial loss due to business disruption. Furthermore, a compromised server could be used as a platform to launch additional attacks against other systems, creating further legal and financial liabilities.
Remediation Plan
Immediate Action: Immediately update the Mail Mint plugin to the latest patched version provided by the vendor. After updating, verify that the patch has been successfully applied and the site is functioning correctly. If the plugin is no longer required for business operations, it should be deactivated and removed as a best practice to reduce the attack surface.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's import functionality and look for attempts to upload files with executable extensions (e.g., .php, .phtml, .php5). Implement file integrity monitoring to detect the creation of unexpected files in web-accessible directories, particularly within the WordPress uploads folder. Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to inspect file uploads and block malicious file types. Additionally, configure web server permissions to prevent the execution of scripts within the uploads directory. Consider temporarily disabling the contact import functionality within the plugin until a patch can be applied.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of November 8, 2025, there are no known public proof-of-concept exploits or active malicious campaigns targeting this specific vulnerability. However, arbitrary file upload vulnerabilities in WordPress plugins are highly sought after by threat actors and are often exploited quickly after disclosure. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the high severity of this vulnerability (CVSS 7.2) and its potential to allow for a full site compromise, immediate remediation is strongly recommended. Organizations using the affected Mail Mint plugin should prioritize applying the vendor-supplied update to mitigate the risk of exploitation. Before patching, a backup of the website should be created. After patching, administrators should review the system for any signs of compromise that may have occurred prior to the update.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DivvyDrive Information Technologies Inc
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in DivvyDrive Information Technologies Inc
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk In...
Files or Directories Accessible to External Parties, Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Premierturk Information Technologies Inc
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper authorization in the temporary access workflow of Devolutions Server 2025
Improper authorization in the temporary access workflow of Devolutions Server 2025
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd
---METADATA---
VENDOR: Proliz Software Ltd
PRODUCT: Multiple Products
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
---END_METADATA---
Description Summary:
Proliz Software products are vulnerable to Cross-site Scripting (XSS) due to improper neutralization of user-supplied input during web page generation.
Executive Summary:
A high-severity Cross-site Scripting vulnerability in Proliz Software products could allow attackers to execute arbitrary scripts in the context of a user's browser session.
Vulnerability Details
CVE-ID: CVE-2025-11956
Affected Software: Proliz Software Ltd, Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This is an Improper Neutralization of Input During Web Page Generation (XSS) vulnerability. The flaw exists because the software fails to properly sanitize input, potentially allowing an attacker to inject malicious scripts into web pages viewed by other users.
Business Impact
Successful exploitation of this vulnerability can lead to session hijacking, unauthorized actions performed on behalf of the user, and the theft of sensitive session tokens or credentials. With a CVSS score of 8.9, this vulnerability presents a significant risk to the integrity and confidentiality of user data, potentially leading to widespread account compromise.
Remediation Plan
Immediate Action: Monitor the official Proliz Software security portal for patch releases and apply updates immediately upon availability.
Proactive Monitoring: Review web application access logs for suspicious URL parameters or payloads containing script tags that deviate from standard application behavior.
Compensating Controls: Implement a strict Content Security Policy (CSP) and utilize a Web Application Firewall (WAF) configured to detect and block common XSS attack patterns.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of June 5, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Given the high CVSS score, organizations utilizing Proliz Software products should prioritize this vulnerability. Administrators must proactively track vendor communications and apply the necessary security updates as soon as they are published to mitigate the risk of cross-site scripting attacks.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd
Cross-Site request forgery (CSRF) vulnerability in Sitemio Information Technologies Trade Ltd
---METADATA---
VENDOR: Sitemio Information Technologies Trade Ltd
PRODUCT: Unknown
AFFECTED_VERSIONS: See vendor advisory for specific affected versions
CONFIDENCE: medium
MISSING: patch, technical_details
---END_METADATA---
Description Summary:
A Cross-Site Request Forgery (CSRF) vulnerability exists in Sitemio Information Technologies Trade Ltd products, potentially allowing unauthorized actions to be performed on behalf of authenticated users.
Executive Summary:
A Cross-Site Request Forgery vulnerability in Sitemio Information Technologies software could allow attackers to execute unauthorized actions on behalf of authenticated users.
Vulnerability Details
CVE-ID: CVE-2025-11954
Affected Software: Sitemio Information Technologies Trade Ltd
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This is a Cross-Site Request Forgery (CSRF) vulnerability that enables an attacker to induce an authenticated user to perform unwanted actions. The vulnerability relies on the application failing to properly validate requests or implement anti-CSRF tokens.
Business Impact
The exploitation of this vulnerability could lead to unauthorized state changes within the application, such as changing user settings, modifying data, or performing administrative actions. With a CVSS score of 8.0, the risk of session hijacking or unauthorized data manipulation is substantial.
Remediation Plan
Immediate Action: Identify the affected Sitemio software versions and apply the latest security patches provided by the vendor.
Proactive Monitoring: Monitor web application logs for suspicious patterns of state-changing requests originating from unexpected sources or lacking proper authentication context.
Compensating Controls: Implement a Web Application Firewall (WAF) to detect and block suspicious cross-site requests that lack appropriate anti-CSRF tokens.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of May 21, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
CSRF vulnerabilities can significantly undermine the trust and security of web-based applications. Organizations using Sitemio software should treat this as a high-priority issue and coordinate with the vendor to verify if their current deployment is susceptible and apply relevant updates.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoi...
The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint that is vulnerable to OS command injection. Thi...
Executive Summary:
A critical vulnerability has been identified in The Metro Development Server, a tool commonly used in React Native development environments. This flaw allows an attacker on the same network to execute arbitrary commands on a developer's machine, leading to a complete system compromise. Due to the high severity and ease of exploitation, this vulnerability poses a significant risk of intellectual property theft, malware infection, and further intrusion into the corporate network.
Vulnerability Details
CVE-ID: CVE-2025-11953
Affected Software: The Metro Development Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The Metro Development Server, often initiated by the React Native Community CLI during development, incorrectly binds to all network interfaces (0.0.0.0) by default. This exposes the server to the local network. The server contains an endpoint that does not properly sanitize user-supplied input, creating an OS command injection vulnerability. An unauthenticated attacker on the same network can send a specially crafted HTTP request to this endpoint to execute arbitrary commands on the host operating system with the privileges of the user running the development server.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of developer workstations, which are high-value targets. The potential consequences include theft of sensitive source code, API keys, and other intellectual property; installation of ransomware or spyware; and using the compromised machine as a beachhead to launch further attacks against the internal network. The direct impact on development productivity and the indirect impact on corporate security are severe.
Remediation Plan
Immediate Action: Immediately apply security updates by upgrading The Metro Development Multiple Products to the latest patched version as recommended by the vendor. After patching, review server and system access logs for any signs of compromise or suspicious activity originating from other devices on the local network.
Proactive Monitoring: Monitor network traffic for connections to the Metro server port (typically 8081) from any IP address other than localhost (127.0.0.1). On host systems, monitor for unexpected child processes being spawned by the Node.js process associated with the Metro server. Implement endpoint detection and response (EDR) rules to alert on suspicious command-line executions (e.g., curl, wget, reverse shells) originating from development tools.
Compensating Controls: If immediate patching is not feasible, implement the following controls:
Exploitation Status
Public Exploit Available: true
Analyst Notes: As of Nov 3, 2025, proof-of-concept (PoC) exploit code is publicly available, demonstrating the ease of exploitation. While not yet observed in widespread campaigns, the low attack complexity makes it a prime target for opportunistic and targeted attacks against development environments for initial access and intellectual property theft.
Analyst Recommendation
Given the critical CVSS score of 9.8 and the public availability of exploit code, this vulnerability represents an immediate and severe threat to the organization. The risk of a full developer machine compromise is high. We strongly recommend that all teams utilizing The Metro Development Server apply the necessary patches with the highest priority. Although this vulnerability is not currently listed on the CISA KEV list, its severity warrants immediate action.
Update The Metro Development Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Deadline: February 25, 2026
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
EasyFlow
EasyFlow
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upl...
Document Management System developed by Excellent Infotek has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabl...
Executive Summary:
A critical vulnerability has been identified in multiple Document Management System products from Excellent Infotek. This flaw allows an unauthenticated remote attacker to upload malicious files, such as a web shell, which can be executed to gain complete control over the affected server. Successful exploitation could lead to data theft, system compromise, and further attacks on the internal network.
Vulnerability Details
CVE-ID: CVE-2025-11948
Affected Software: Multiple Document Management System products developed by Excellent Infotek
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is an Arbitrary File Upload that exists within the document management application. Due to insufficient validation of file types and content, an unauthenticated remote attacker can bypass security checks and upload a malicious file (e.g., a PHP, JSP, or ASPX web shell) to a web-accessible directory on the server. After a successful upload, the attacker can navigate to the file's URL to execute arbitrary code with the permissions of the web server process, leading to a full system compromise.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on the business, leading to a complete breach of the system's confidentiality, integrity, and availability. Potential consequences include unauthorized access to and exfiltration of sensitive documents, deployment of ransomware, destruction of data, and the use of the compromised server as a pivot point to attack other internal systems. This poses a significant risk to organizational data security, operational continuity, and regulatory compliance.
Remediation Plan
Immediate Action: Immediately apply the security updates provided by Excellent Infotek to all affected Document Management System instances to patch the vulnerability. Before and after patching, review web server and application logs for indicators of compromise, such as suspicious file uploads or unusual requests to unknown files.
Proactive Monitoring: Implement enhanced monitoring of the affected systems. Specifically, look for POST requests to file upload endpoints containing executable file extensions (e.g., .php, .jsp, .aspx, .sh), check for unexpected files being written to web directories, and monitor for outbound network connections from the web server to untrusted IP addresses. Anomaly detection on running processes can also help identify the execution of a web shell.
Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 20, 2025, there are no known public exploits for this vulnerability. However, due to its critical severity (CVSS 9.8) and the fact that it allows for unauthenticated remote code execution, it is highly probable that threat actors will develop and weaponize an exploit in the near future.
Analyst Recommendation
Given the critical nature of this vulnerability, immediate action is required. We strongly recommend that all affected Document Management System products be patched immediately, without delay. Although this CVE is not currently on the CISA KEV list, its high impact and ease of exploitation make it a prime candidate for inclusion. Organizations should treat this as an active threat and prioritize remediation to prevent a potentially devastating system compromise.
Update Document Management System developed by Excellent Infotek has an Arbitrary File Upload Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
A vulnerability has been found in 70mai X200 up to 20251010
A vulnerability has been found in 70mai X200 up to 20251010
Executive Summary:
A high-severity vulnerability has been discovered in multiple 70mai dash cam products, allowing a nearby attacker to remotely execute code on the device. Successful exploitation could lead to an attacker gaining full control of the dash cam, enabling them to access, modify, or delete video recordings, listen to in-cabin audio, or use the device to attack other systems on the same network.
Vulnerability Details
CVE-ID: CVE-2025-11943
Affected Software: 70mai Multiple Products
Affected Versions: 70mai X200 firmware versions up to 20251010. See vendor advisory for other potentially affected products.
Vulnerability: The vulnerability is an unauthenticated command injection flaw within the device's Wi-Fi management interface. An attacker within Wi-Fi range of the device can send a specially crafted HTTP request to an internal API endpoint without needing to be authenticated. This request can include arbitrary shell commands that are then executed on the device's underlying operating system with root privileges, granting the attacker complete control over the device.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.3. Exploitation could have a significant business impact, particularly if these devices are used in corporate vehicles or are connected to corporate guest networks. Potential consequences include the breach of sensitive data from video and audio recordings, reputational damage if footage is leaked, and the compromised device being used as a pivot point to launch further attacks against the internal network.
Remediation Plan
Immediate Action: Apply vendor security updates immediately. The firmware update can typically be installed through the official 70mai mobile application. After patching, verify the new firmware version is correctly installed.
Proactive Monitoring: Monitor network traffic for any unusual outbound connections originating from the dash cam's IP address. Review device logs, if accessible, for suspicious or unexpected command executions or system reboots. Monitor for unauthorized devices attempting to connect to the dash cam's Wi-Fi hotspot.
Compensating Controls: If immediate patching is not possible, implement the following controls:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 20, 2025, there are no known public exploits or active campaigns targeting this vulnerability. However, due to the straightforward nature of command injection flaws, it is anticipated that a proof-of-concept exploit could be developed and published by security researchers in the near future.
Analyst Recommendation
Given the high severity score (CVSS 7.3) and the potential for complete device compromise, it is strongly recommended that organizations prioritize the immediate patching of all affected 70mai devices. Although this vulnerability is not currently listed in the CISA KEV catalog, its impact is significant. All system administrators should identify affected assets and apply the vendor-supplied firmware updates without delay to mitigate the risk of data compromise and unauthorized network access.
A flaw has been found in 70mai X200 up to 20251010
A flaw has been found in 70mai X200 up to 20251010
Executive Summary:
A high-severity vulnerability has been identified in multiple products, including the 70mai X200 dashcam. This flaw could allow a nearby attacker to remotely access the device without authorization, potentially leading to the theft of sensitive video recordings and location data. Organizations using the affected products are exposed to significant privacy and data confidentiality risks.
Vulnerability Details
CVE-ID: CVE-2025-11942
Affected Software: found Multiple Products (including 70mai X200)
Affected Versions: 70mai X200 firmware versions up to and including 20251010. See vendor advisory for other specific affected products and versions.
Vulnerability: The vulnerability exists within the device's Wi-Fi access point service, which fails to properly authenticate incoming connections to a specific administrative API endpoint. An attacker within Wi-Fi range of the device can connect to its network and send a specially crafted HTTP request to this endpoint. Successful exploitation allows the attacker to bypass authentication mechanisms, granting them unauthorized access to the device's file system and enabling them to download stored video files, access real-time GPS data, and potentially execute arbitrary commands.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.3, posing a significant risk to organizational and personal security. Exploitation could lead to a severe breach of confidentiality, as an attacker could access sensitive video footage and historical GPS location data from company vehicles or personal assets. This data could be used for corporate espionage, tracking of personnel, or public disclosure, resulting in substantial reputational damage, legal liability under privacy regulations (e.g., GDPR, CCPA), and potential physical security risks to employees or assets.
Remediation Plan
Immediate Action: The primary remediation is to apply the vendor-supplied security update immediately. Firmware updates can typically be applied through the device's companion mobile application or downloaded from the official vendor website. After patching, administrators should review any available device or network logs for signs of unauthorized access or anomalous activity preceding the update.
Proactive Monitoring: Monitor network traffic for unusual connection attempts to the affected devices' Wi-Fi hotspots. If possible, enable and review device-level logs for repeated failed access attempts or connections from unrecognized devices. An increase in traffic to the device's web interface from unknown sources could be an indicator of an exploitation attempt.
Compensating Controls: If immediate patching is not feasible, the primary compensating control is to disable the device's Wi-Fi hotspot feature when not in use for configuration or data transfer. This action removes the network attack vector and mitigates the immediate risk of remote exploitation. Additionally, ensure the default Wi-Fi password for the device has been changed to a strong, unique passphrase.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 20, 2025, there is no known public proof-of-concept exploit code, and this vulnerability is not reported to be actively exploited in the wild. However, given the high severity score and the relative simplicity of the attack vector, the likelihood of an exploit being developed is high.
Analyst Recommendation
Due to the high severity (CVSS 7.3) of this vulnerability and the significant risk it poses to data confidentiality and privacy, it is strongly recommended that organizations prioritize the immediate patching of all affected devices. While this CVE is not currently listed on the CISA KEV catalog, its characteristics make it an attractive target for attackers. Organizations should treat this as a critical update and implement compensating controls, such as disabling Wi-Fi, on any device that cannot be patched immediately.
A security vulnerability has been detected in LibreWolf up to 143
A security vulnerability has been detected in LibreWolf up to 143
Executive Summary:
A high-severity vulnerability has been identified in the LibreWolf web browser and potentially other products. This flaw could allow a remote attacker to execute arbitrary code on a user's system if they are tricked into visiting a specially crafted, malicious website. Successful exploitation could lead to a complete compromise of the affected user's workstation, enabling data theft, malware installation, or further intrusion into the network.
Vulnerability Details
CVE-ID: CVE-2025-11940
Affected Software: security Multiple Products (including LibreWolf)
Affected Versions: LibreWolf versions up to and including 143. See vendor advisory for other potentially affected products and versions.
Vulnerability: This vulnerability is a use-after-free condition within the browser's rendering engine when processing complex HTML and JavaScript content. An attacker can exploit this by hosting a malicious webpage with specially crafted code. When a user running an affected version of the browser visits this page, the browser may incorrectly reference memory that has already been deallocated, leading to a crash and creating an opportunity for arbitrary code execution within the security context of the logged-in user.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.0. A successful exploit could have a significant business impact, including the breach of sensitive corporate data, theft of user credentials, or the deployment of ransomware on company endpoints. An attacker could leverage a compromised workstation as a pivot point to move laterally within the corporate network, escalating the incident from a single-user compromise to a widespread network intrusion. This poses a direct risk to data confidentiality, system integrity, and business continuity.
Remediation Plan
Immediate Action: All system administrators should immediately identify assets running the affected software and apply the security updates provided by the vendor. Patching should be prioritized based on asset criticality and user risk profile. After patching, verify that the update has been successfully applied across all relevant systems.
Proactive Monitoring: Enhance security monitoring to detect potential exploitation. Security teams should monitor for unusual outbound network connections from workstations, especially from the LibreWolf browser process. Review endpoint detection and response (EDR) logs for suspicious child processes spawned by the browser, memory corruption alerts, or signs of shellcode execution. Web proxy and DNS logs should be analyzed for connections to suspicious or newly registered domains.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce risk. This includes instructing users to operate with a different, unaffected web browser for critical tasks, deploying enhanced script-blocking extensions to prevent the execution of untrusted JavaScript, and ensuring endpoint security solutions (antivirus, EDR) are fully updated with the latest signatures and behavioral detection rules.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 20, 2025, there are no known public proof-of-concept exploits or observed in-the-wild attacks targeting this vulnerability. However, due to the high severity and the nature of browser-based vulnerabilities, it is highly probable that threat actors and security researchers will develop exploit code. Organizations should assume that exploitation is imminent.
Analyst Recommendation
Given the high-severity rating (CVSS 7.0) of this vulnerability, immediate action is strongly recommended. The primary recommendation is to apply the vendor-supplied security patches to all affected systems without delay. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its potential for remote code execution makes it an attractive target for threat actors. Organizations must prioritize this patching effort to prevent potential system compromise, data breaches, and further network intrusion.
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up t...
The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3
Executive Summary:
A high-severity Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Ninja Forms WordPress plugin. This flaw could allow an unauthenticated attacker to bypass access controls and view or manipulate sensitive data, such as form submissions, that they are not authorized to access. Successful exploitation could lead to a significant data breach and compromise of user privacy.
Vulnerability Details
CVE-ID: CVE-2025-11924
Affected Software: WordPress Ninja Forms – The Contact Form Builder That Grows With You plugin
Affected Versions: All versions up to, and including, 3.6.x (Note: The advisory specifies "up to, and including, 3", which typically refers to all minor versions within the 3.x branch. Organizations should verify the latest secure version from the vendor).
Vulnerability: The vulnerability is an Insecure Direct Object Reference (IDOR), which is a type of access control flaw. The application exposes a direct reference to an internal object, such as a database key or file path, in a URL or parameter. An attacker can manipulate these references (e.g., by changing an ID number in a URL) to access data or objects belonging to other users without proper authorization checks being performed by the application's backend. In this case, an attacker could potentially iterate through form submission IDs to view sensitive information submitted by other users.
Business Impact
This is a high-severity vulnerability with a CVSS score of 7.5, posing a significant risk to the organization. Successful exploitation could result in the unauthorized disclosure of sensitive data collected through contact forms, which may include Personally Identifiable Information (PII), financial details, or other confidential business data. The potential consequences include regulatory fines for non-compliance with data privacy laws (e.g., GDPR, CCPA), reputational damage, loss of customer trust, and the cost associated with responding to a data breach.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
/wp-admin/) to trusted IP addresses only.Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of December 17, 2025, there is no known publicly available proof-of-concept exploit code for this vulnerability. However, IDOR vulnerabilities are often straightforward to exploit once identified. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating no widespread, active exploitation has been observed by CISA.
Analyst Recommendation
Given the high-severity rating (CVSS 7.5) and the potential for a sensitive data breach, we strongly recommend that organizations using the affected Ninja Forms plugin prioritize applying the security update immediately. The widespread use of WordPress and its plugins makes them a common target for attackers. Although not currently listed on the CISA KEV catalog, proactive patching is the most effective measure to prevent future exploitation and protect sensitive user data.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation
The LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin for WordPress is vulnerable to privilege escalation
Executive Summary:
A high-severity vulnerability has been identified in the LifterLMS WordPress plugin, which could allow a low-privileged attacker to gain administrative control over an affected website. Successful exploitation could lead to complete system compromise, including data theft, website defacement, and further attacks launched from the compromised server. Organizations are urged to apply the available security update immediately to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-11923
Affected Software: WordPress LifterLMS – WP LMS for eLearning, Online Courses, & Quizzes plugin
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is a privilege escalation flaw within the LifterLMS plugin. A remote attacker with a low-level user account, such as a 'subscriber' or 'student', can exploit an authorization bypass in one of the plugin's functions. By sending a specially crafted request to the vulnerable function, the attacker can modify their user role, granting themselves administrative privileges without proper validation, leading to a full takeover of the WordPress site.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit would grant an attacker full administrative control over the affected website, posing a significant risk to the organization. Potential consequences include the theft of sensitive user data (including PII of students and instructors), unauthorized modification or deletion of course content, website defacement causing reputational damage, and the installation of backdoors or malware to use the server for further malicious activities. For businesses relying on the eLearning platform for revenue, this could result in operational disruption and financial loss.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
/wp-admin/) to only trusted IP addresses.Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of November 14, 2025, there are no known public proof-of-concept exploits or active attacks targeting this vulnerability. However, given the high severity and the ease with which WordPress plugin vulnerabilities are often reverse-engineered from security patches, threat actors are likely to develop exploits in the near future. The window for remediation is expected to be short.
Analyst Recommendation
Due to the high severity (CVSS 8.8) of this privilege escalation vulnerability, immediate remediation is strongly recommended. All organizations using the LifterLMS WordPress plugin must prioritize applying the security update to prevent a potential site takeover. Although this CVE is not currently on the CISA KEV list, its critical impact makes it a prime target for future exploitation. After patching, a security audit of user accounts and site files should be performed to ensure the integrity of the system has not been compromised.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been identified in the WPCOM Member plugin for WordPress, which could allow an unauthenticated attacker to access sensitive files on the web server. Successful exploitation could lead to the exposure of confidential data, such as database credentials and system configuration files, potentially resulting in a full compromise of the affected website. Organizations are urged to apply the recommended updates immediately to mitigate this significant risk.
Vulnerability Details
CVE-ID: CVE-2025-11920
Affected Software: WordPress WPCOM Member plugin
Affected Versions: All versions up to, and including, 1
Vulnerability: The vulnerability is a Local File Inclusion (LFI). This flaw exists because the application uses user-supplied input to construct a file path without proper validation or sanitization. An attacker can exploit this by manipulating a request parameter to include directory traversal sequences (e.g., ../) to navigate outside of the intended directory and access arbitrary files on the server's local filesystem. This could allow an attacker to read sensitive files such as wp-config.php (containing database credentials), /etc/passwd, or other application source code and configuration files.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.8. A successful attack could have severe consequences for the business, including the breach of sensitive company or customer data stored in the database or on the server. The exposure of configuration files can provide attackers with credentials and internal system information, facilitating further attacks that could lead to a complete system takeover, website defacement, or the deployment of malware. Such an incident could result in significant reputational damage, financial loss, and regulatory penalties.
Remediation Plan
Immediate Action:
Proactive Monitoring:
../, ..\/, or attempts to access known sensitive files (e.g., wp-config.php, /etc/passwd).Compensating Controls:
file_get_contents, include, require) if they are not essential for the application's functionality, though this should be tested thoroughly to avoid breaking the site.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of November 1, 2025, there are no known public proof-of-concept exploits or active attacks targeting this vulnerability. However, LFI vulnerabilities in WordPress plugins are commonly and quickly weaponized by threat actors. It is highly probable that exploits will be developed and integrated into automated scanning tools in the near future.
Analyst Recommendation
Given the high CVSS score of 8.8 and the ease of exploitation for Local File Inclusion vulnerabilities, immediate action is strongly recommended. Organizations using the affected WPCOM Member plugin should prioritize applying the vendor-supplied patch without delay. Although this CVE is not currently listed on the CISA KEV catalog, its high severity and the widespread deployment of WordPress make it a prime target for future exploitation. All remediation and monitoring actions outlined in this report should be implemented to protect against potential compromise.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
A local file inclusion vulnerability in the Wolfram Cloud JVM initialization allows attackers to execute arbitrary code by manipulating shared tempora...
A local file inclusion vulnerability in the Wolfram Cloud JVM initialization allows attackers to execute arbitrary code by manipulating shared temporary directories.
---METADATA---
VENDOR: Wolfram Research
PRODUCT: Cloud
AFFECTED_VERSIONS: See vendor advisory
---END_METADATA---
Description Summary:
A local file inclusion vulnerability in the Wolfram Cloud JVM initialization allows attackers to execute arbitrary code by manipulating shared temporary directories.
Executive Summary:
Wolfram Research Cloud is vulnerable to a critical remote code execution flaw that permits local attackers to hijack the JVM initialization process.
Vulnerability Details
CVE-ID: CVE-2025-11919
Affected Software: Wolfram Research Cloud
Affected Versions: See vendor advisory
Vulnerability: This vulnerability involves insecure file handling within the shared /tmp/ directory during JVM startup. An attacker can pre-populate or replace Java archives in the classpath, leading to the execution of malicious code with the privileges of the victim's JVM instance.
Business Impact
Successful exploitation allows an attacker to achieve full code execution on the cloud instance, potentially leading to complete system compromise. Given the CVSS score of 9.6, this vulnerability poses a severe risk of data exfiltration, unauthorized access to sensitive proprietary calculations, and significant operational disruption.
Remediation Plan
Immediate Action: Update Wolfram Research Cloud to the latest version provided by the vendor as soon as possible.
Proactive Monitoring: Review system logs for unauthorized file creation or modification attempts within the /tmp/ and /tmp/UserTemporaryFiles/ directories.
Compensating Controls: Implement strict OS-level permissions to restrict access to temporary directories and utilize integrity monitoring tools to detect unauthorized changes to library files.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Jun 26, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
The high CVSS score reflects the critical potential for remote code execution. Administrators must prioritize applying security patches provided by Wolfram Research to prevent unauthorized access and potential lateral movement within the cloud environment.
Update Wolfram Research Cloud to the latest version. Monitor for exploitation attempts and review access logs.
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands...
The iSherlock developed by HGiga has an OS Command Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary OS commands and execute them on the server.
Executive Summary:
A critical OS Command Injection vulnerability has been identified in multiple iSherlock products developed by HGiga. This flaw allows a remote, unauthenticated attacker to execute arbitrary commands on the underlying server, potentially leading to a complete system compromise, data theft, and further network intrusion.
Vulnerability Details
CVE-ID: CVE-2025-11900
Affected Software: Multiple iSherlock products developed by HGiga
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists due to improper sanitization of user-supplied input. An unauthenticated remote attacker can send a specially crafted request containing operating system commands to an exposed component of the iSherlock application. The application fails to validate this input and passes it directly to a system shell for execution, granting the attacker command-line access with the privileges of the application's user account.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected server, allowing an attacker to steal, modify, or delete sensitive data, disrupt service availability, and use the compromised system as a pivot point to attack other internal network resources. The potential business impact includes significant data breaches, operational downtime, reputational damage, and financial losses associated with incident response and recovery.
Remediation Plan
Immediate Action: Prioritize and apply the vendor-supplied patches immediately. Update all affected iSherlock products to the latest version to mitigate this vulnerability. After patching, it is crucial to monitor for any signs of exploitation and review historical access logs for indicators of compromise.
Proactive Monitoring: Implement enhanced monitoring on affected systems. Look for unusual processes spawned by the iSherlock application's user account (e.g., sh, bash, powershell, whoami), unexpected outbound network connections from the server, and review web server access logs for requests containing shell metacharacters such as ;, |, &&, $(...), or backticks (`).
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of the publication date (Oct 17, 2025), there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, OS command injection flaws are typically straightforward to exploit. Threat actors are likely to develop proof-of-concept exploits quickly, making prompt remediation essential. The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the critical CVSS score of 9.8 and the low complexity of exploitation, this vulnerability represents a severe and immediate risk to the organization. We strongly recommend that all affected HGiga iSherlock products be patched immediately, prioritizing internet-facing systems. Until patching is complete, apply the suggested compensating controls and maintain a heightened state of monitoring for any indicators of compromise. This vulnerability should be treated as a top priority for remediation teams.
Update The iSherlock developed by HGiga has an OS Command Injection Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fix...
Agentflow developed by Flowring has an Use of Hard-coded Cryptographic Key vulnerability, allowing unauthenticated remote attackers to exploit the fixed key to generate verification information, thereby logging into the system as any user
Executive Summary:
A critical vulnerability has been identified in multiple Agentflow products, assigned CVE-2025-11899. The software uses a fixed, hard-coded cryptographic key for user authentication, which allows a remote, unauthenticated attacker to bypass security measures and log into the system as any user, including administrators. Successful exploitation could lead to a complete compromise of the affected system, resulting in data theft, unauthorized modifications, and business process disruption.
Vulnerability Details
CVE-ID: CVE-2025-11899
Affected Software: Agentflow Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists due to the use of a static, hard-coded cryptographic key within the application's code. An attacker can reverse-engineer the software to discover this fixed key. Once obtained, the attacker can use the key to craft valid authentication tokens or verification information, effectively impersonating any legitimate user without needing their credentials. This allows a remote, unauthenticated attacker to gain unauthorized access to the system with the privileges of the impersonated user.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could have a severe impact on the business by enabling a complete compromise of the Agentflow system. An attacker gaining administrative access could lead to the theft of sensitive business data, unauthorized modification or deletion of critical records, and disruption of workflows managed by the software. This poses a significant risk to data confidentiality, integrity, and availability, potentially resulting in financial loss, reputational damage, and regulatory penalties.
Remediation Plan
Immediate Action: Apply the security updates provided by the vendor, Flowring, to all affected systems immediately. After patching, review system and application access logs for any signs of unauthorized access or suspicious login activity that may have occurred prior to remediation.
Proactive Monitoring: Implement enhanced monitoring of the affected application. Security teams should look for unusual login patterns, such as successful logins from unknown or geographically anomalous IP addresses, multiple failed login attempts followed by a success from the same source, and any unauthorized configuration changes or user account modifications.
Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Restrict network access to the Agentflow application, allowing connections only from trusted IP ranges or through a VPN. If available, deploy a Web Application Firewall (WAF) with rules designed to detect and block anomalous authentication attempts.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 17, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, vulnerabilities involving hard-coded keys are often straightforward to exploit once the key is discovered. Therefore, the likelihood of exploitation will increase significantly if the key becomes publicly known.
Analyst Recommendation
Given the high CVSS score of 8.1 and the ability for an unauthenticated attacker to gain full system access, it is strongly recommended that organizations prioritize the immediate application of the vendor-supplied security patch. Although this vulnerability is not currently listed on the CISA KEV catalog, its critical nature makes it a prime target for threat actors. All organizations using affected Agentflow products should treat this as a critical priority and validate that the patch has been successfully deployed across their environment.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traver...
Agentflow developed by Flowring has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Relative Path Traversal to download arbitrary system files
Executive Summary:
A high-severity vulnerability has been discovered in multiple Agentflow products, identified as CVE-2025-11898. This flaw allows a remote attacker, without needing any login credentials, to read arbitrary files from the underlying server. Successful exploitation could lead to the exposure of sensitive system data, user credentials, and confidential business information, posing a significant risk of a data breach.
Vulnerability Details
CVE-ID: CVE-2025-11898
Affected Software: Agentflow Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: This vulnerability is an Arbitrary File Reading flaw caused by improper handling of user-supplied input, specifically a Relative Path Traversal weakness. An unauthenticated remote attacker can craft a malicious HTTP request containing "dot-dot-slash" (../) sequences. This tricks the application into navigating outside of the intended web directory, allowing the attacker to specify a path to any file on the server's file system that the web server process has permission to read, and subsequently download its contents.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to a significant data breach, exposing sensitive corporate data, application source code, and system configuration files. Specific risks include the theft of credentials (such as database connection strings or service account passwords), intellectual property, and personally identifiable information (PII). This could result in further network compromise, financial loss, reputational damage, and potential regulatory penalties.
Remediation Plan
Immediate Action: The primary remediation is to identify all vulnerable Agentflow instances and apply the security updates provided by the vendor immediately. After patching, review web server and application access logs for any signs of exploitation attempts that may have occurred prior to the update.
Proactive Monitoring:
../, ..%2f, ..\\, ..%5c) in URL parameters or other input fields./etc/passwd, C:\Windows\win.ini, application config files) by the web server's user account.Compensating Controls: If patching cannot be performed immediately, the following controls can help mitigate risk:
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 17, 2025, this vulnerability has been publicly disclosed. There are no known public proof-of-concept exploits or active exploitation campaigns targeting this vulnerability at this time. However, due to the simplicity and high impact of path traversal vulnerabilities, it is highly probable that threat actors will develop exploits in the near future.
Analyst Recommendation
Given the High severity (CVSS 7.5) of this unauthenticated remote vulnerability, organizations must treat its remediation as a top priority. It is strongly recommended to identify all affected Agentflow products within the environment and apply the vendor-supplied security updates without delay. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its characteristics make it an attractive target for attackers. Immediate patching and proactive monitoring are critical to prevent the potential compromise of sensitive system data.
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1
The Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress is vulnerable to payment bypass in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been discovered in the "Crypto Payment Gateway with Payeer for WooCommerce" WordPress plugin, which allows an attacker to bypass the payment process. Successful exploitation of this flaw could result in direct financial loss, as attackers could obtain goods or services from an e-commerce store without submitting a valid payment. This poses a significant and immediate threat to the revenue and integrity of any business utilizing this plugin.
Vulnerability Details
CVE-ID: CVE-2025-11890
Affected Software: Crypto Payment Gateway with Payeer for WooCommerce plugin for WordPress
Affected Versions: All versions up to, and including, version 1.
Vulnerability: The vulnerability exists within the payment confirmation handling process of the plugin. An attacker can manipulate the data sent back to the WooCommerce store after being redirected to the payment gateway, falsely signaling that a payment was successful. The plugin fails to properly validate the authenticity and status of the payment confirmation callback from the Payeer service, allowing an unauthenticated attacker to complete an order without rendering payment, thereby bypassing the entire payment mechanism.
Business Impact
This vulnerability is classified as High severity with a CVSS score of 7.5. The primary business impact is direct financial loss resulting from fraudulent orders and theft of goods or services. Exploitation can lead to significant revenue leakage, inaccurate sales reporting, and loss of inventory. Additionally, the organization may incur operational costs related to identifying and reconciling fraudulent transactions and could suffer reputational damage if the vulnerability is widely exploited, eroding customer trust.
Remediation Plan
Immediate Action: Immediately update the "Crypto Payment Gateway with Payeer for WooCommerce" plugin to the latest version that addresses this vulnerability. If this plugin is no longer essential for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate the associated risk.
Proactive Monitoring: Monitor web server access logs and WooCommerce order logs for anomalies. Specifically, look for completed orders that lack a corresponding successful transaction record in the official Payeer merchant account dashboard. Implement alerts for unusual spikes in order volume or multiple orders from the same IP address in a short period, as this could indicate automated exploitation attempts.
Compensating Controls: If patching cannot be performed immediately, temporarily disable the "Crypto Payment Gateway with Payeer" payment option on the checkout page. Implement a manual order verification process, requiring staff to confirm receipt of payment in the Payeer merchant account before any goods are shipped or services are rendered. A Web Application Firewall (WAF) rule could also be configured to inspect and potentially block malformed callback requests to the payment confirmation URL.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of November 4, 2025, there is no known public proof-of-concept (PoC) code or active exploitation of this vulnerability in the wild. However, vulnerabilities that lead to direct financial gain, such as payment bypasses, are highly attractive to threat actors. It is anticipated that exploit techniques will be developed and shared privately or publicly in the near future.
Analyst Recommendation
This vulnerability presents a direct and serious threat to the organization's e-commerce revenue stream. Given the High severity rating (CVSS 7.5) and the straightforward nature of the exploit, immediate action is required. We strongly recommend that all WordPress sites using the affected plugin be patched immediately by updating to the latest version. While this CVE is not currently on the CISA KEV list, the potential for immediate financial loss warrants treating this vulnerability with the highest priority.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the imp...
The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1
Executive Summary:
A high-severity vulnerability has been identified in the "AIO Forms – Craft Complex Forms Easily" plugin for WordPress. This flaw allows an unauthenticated attacker to upload malicious files to the server, which could lead to a complete website takeover. Successful exploitation could result in data theft, website defacement, or the server being used for further malicious activities.
Vulnerability Details
CVE-ID: CVE-2025-11889
Affected Software: WordPress "AIO Forms – Craft Complex Forms Easily" plugin
Affected Versions: All versions up to and including version 1
Vulnerability: The vulnerability exists within the plugin's form import functionality. The import process fails to properly validate the types of files being uploaded, creating an arbitrary file upload vulnerability. An attacker can exploit this by crafting a malicious file (e.g., a PHP web shell) and uploading it through the import feature, bypassing security checks. Once the malicious file is on the server, the attacker can access it via a web browser to execute arbitrary code, granting them control over the website and underlying server.
Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.2, posing a significant risk to the organization. Successful exploitation can lead to a full compromise of the affected website. Potential consequences include theft of sensitive data (customer information, user credentials, proprietary data), website defacement causing reputational damage, and financial loss from business disruption or recovery costs. The compromised server could also be used as a pivot point to attack other internal network resources or be integrated into a botnet for launching attacks against other targets.
Remediation Plan
Immediate Action: Immediately update the "AIO Forms – Craft Complex Forms Easily" plugin to the latest version available from the vendor, which addresses this vulnerability. If the plugin is not essential for business operations, consider deactivating and removing it entirely to eliminate the attack surface.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to the plugin's import endpoint and look for uploads of unexpected file types (e.g., .php, .phtml, .php5). Check the server's file system for any unauthorized files, particularly in the WordPress uploads directory or plugin-specific folders. Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise and command-and-control communication.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules designed to detect and block attempts to upload executable file types. Additionally, configure web server file permissions to prevent script execution in directories where uploads are stored. Consider disabling the plugin's import functionality if it is not actively used.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of October 24, 2025, there are no known public proof-of-concept exploits or active attacks targeting this vulnerability. However, arbitrary file upload vulnerabilities in popular WordPress plugins are highly sought after by attackers and are often weaponized quickly after disclosure. Organizations should assume that exploitation will occur in the near future.
Analyst Recommendation
Given the high severity (CVSS 7.2) and the critical impact of a successful exploit, it is strongly recommended that organizations prioritize patching this vulnerability immediately. All WordPress sites using the "AIO Forms – Craft Complex Forms Easily" plugin should be updated without delay. After applying the update, conduct a security audit of the web server to search for any indicators of compromise that may have occurred prior to remediation.
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2
The User Activity Log plugin is vulnerable to a limited options update in versions up to, and including, 2
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A vulnerability was identified in NucleoidAI Nucleoid up to 0
A vulnerability was identified in NucleoidAI Nucleoid up to 0
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package...
Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org...
---METADATA---
VENDOR: Mammoth
PRODUCT: mammoth (npm package)
AFFECTED_VERSIONS: Before 1.11.0
CONFIDENCE: medium
MISSING: patch, exploit_status, technical_details
---END_METADATA---
Description Summary:
A vulnerability exists in the mammoth software package affecting versions prior to 1.11.0.
Executive Summary:
A critical, high-severity vulnerability in the mammoth package requires immediate attention to prevent potential exploitation in applications utilizing this library.
Vulnerability Details
CVE-ID: CVE-2025-11849
Affected Software: Mammoth mammoth
Affected Versions: Before 1.11.0
Vulnerability: The exact nature of this vulnerability is not specified in the provided data; however, it is classified as critical, necessitating an immediate transition to the latest available version.
Business Impact
With a CVSS score of 9.3, this vulnerability suggests a high risk of remote code execution or significant data exposure. Organizations relying on this package for document processing must assess the potential for system compromise, which could lead to unauthorized data access or disruption of business-critical document workflows.
Remediation Plan
Immediate Action: Update the mammoth package to version 1.11.0 or the most current release to ensure all known security patches are applied.
Proactive Monitoring: Review application dependency trees and monitor for any anomalous behavior in services that utilize the mammoth library.
Compensating Controls: Utilize software composition analysis (SCA) tools to identify and block vulnerable versions of dependencies within the development pipeline.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Oct 17, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
Organizations should treat this dependency update with high priority. Given the CVSS score, it is imperative to update the affected package immediately to close the security gap and protect the integrity of the dependent applications.
Update Versions of the package mammoth from Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data d...
The Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the __construc...
Executive Summary:
A critical vulnerability has been identified in The Post SMTP WordPress plugin, assigned CVE-2025-11833 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to access sensitive data, such as email credentials and logs, by exploiting a missing security check within the plugin. Successful exploitation could lead to a significant data breach and compromise of the affected website's email communication.
Vulnerability Details
CVE-ID: CVE-2025-11833
Affected Software: The Post SMTP Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability exists due to a missing capability check in the __construct method of a specific class within the plugin. An unauthenticated attacker can send a crafted request to the WordPress site, which instantiates this class. Because the constructor method, which is automatically executed upon object creation, fails to verify if the user has the appropriate permissions, it proceeds to execute functions that expose sensitive information, such as stored SMTP credentials, API keys, or email logs.
Business Impact
This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe impact on the business, leading to the compromise of confidential information. Potential consequences include the theft of email server credentials, allowing an attacker to send emails on behalf of the organization for phishing or spam campaigns. Furthermore, the exfiltration of email logs could result in a major data breach, exposing private communications, customer data (PII), password reset information, and other sensitive details, leading to significant reputational damage and potential regulatory fines.
Remediation Plan
Immediate Action:
Proactive Monitoring:
Compensating Controls:
/wp-admin/) to trusted IP addresses only.Exploitation Status
Public Exploit Available: false
Analyst Notes:
As of November 1, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, due to the critical CVSS score and the relative simplicity of exploiting missing capability check vulnerabilities, it is highly probable that threat actors will develop and deploy exploits rapidly.
Analyst Recommendation
Given the critical severity (CVSS 9.8) of this vulnerability and the high risk of sensitive data exfiltration, immediate remediation is strongly recommended. Organizations must prioritize applying the vendor-supplied patch across all affected WordPress installations without delay. If patching is not immediately possible, the compensating controls listed above should be implemented as a temporary mitigation. Although this vulnerability is not currently on the CISA KEV list, its severity makes it a prime candidate for inclusion, and organizations should treat it with the highest urgency to prevent compromise.
Update The Post SMTP Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability
A maliciously crafted DWG file, when parsed through Autodesk 3ds Max, can force a Use-After-Free vulnerability
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability
A maliciously crafted JPG file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9
Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowSupervisorParameters()' function, there is an unlimited...
Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowSupervisorParameters()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter.
---METADATA---
VENDOR: Circutor
PRODUCT: SGE-PLC1000/SGE-PLC50
AFFECTED_VERSIONS: 9.0.2
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
The Circutor SGE-PLC1000/SGE-PLC50 contains a heap-based buffer overflow in the 'ShowSupervisorParameters()' function due to insufficient input validation.
Executive Summary:
A heap-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 allows unauthenticated attackers to trigger a crash or potentially execute arbitrary code.
Vulnerability Details
CVE-ID: CVE-2025-11788
Affected Software: Circutor SGE-PLC1000/SGE-PLC50
Affected Versions: 9.0.2
Vulnerability: This is a heap-based buffer overflow vulnerability occurring when the 'ShowSupervisorParameters()' function processes user input for the 'meter' parameter. The lack of size validation before copying data into a fixed-size buffer via 'sprintf()' enables memory corruption.
Business Impact
The CVSS score of 9.8 reflects the potential for Remote Code Execution (RCE) on industrial control hardware. Successful exploitation could lead to full device takeover, resulting in operational downtime, loss of control over connected electrical meters, and potential lateral movement within the OT (Operational Technology) network.
Remediation Plan
Immediate Action: Update the affected Circutor devices to the latest firmware version as soon as provided by the manufacturer.
Proactive Monitoring: Monitor network traffic for anomalous sequences directed at the PLC management interface and check for unexpected device reboots or service crashes.
Compensating Controls: Isolate the PLC management interfaces within a dedicated, restricted VLAN and utilize a firewall to drop malformed or oversized input packets.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Dec 2, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
This vulnerability represents a significant risk to industrial operations. Affected devices should be isolated from public-facing networks immediately, and administrators must verify that all devices are updated to the latest secure firmware version to prevent memory corruption attacks.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9
Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter i...
Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application.
---METADATA---
VENDOR: Circutor
PRODUCT: SGE-PLC1000 and SGE-PLC50
AFFECTED_VERSIONS: 9.0.2
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
A stack-based buffer overflow in the 'SetUserPassword()' function allows unauthenticated attackers to execute arbitrary shell commands via unsanitized input.
Executive Summary:
A critical command injection vulnerability in Circutor SGE-PLC series devices allows unauthenticated attackers to achieve remote code execution with elevated system privileges.
Vulnerability Details
CVE-ID: CVE-2025-11786
Affected Software: Circutor SGE-PLC1000 and SGE-PLC50
Affected Versions: 9.0.2
Vulnerability: This vulnerability stems from improper sanitization in the 'SetUserPassword()' function, where the 'newPassword' parameter is passed to a 'sprintf()' call and subsequently executed via 'system()'. This allows an unauthenticated attacker to inject malicious shell commands.
Business Impact
The exploitation of this vulnerability poses a severe risk to operational integrity, as it grants attackers full control over the affected PLC devices. With a CVSS score of 9.8, this flaw could lead to total system compromise, unauthorized data access, and the potential for malicious actors to disrupt critical industrial control processes, resulting in significant operational downtime.
Remediation Plan
Immediate Action: Contact the vendor immediately to obtain the latest firmware update that addresses the command injection vulnerability in the 'SetUserPassword()' function.
Proactive Monitoring: Review device logs for unusual shell command execution patterns and monitor network traffic for unexpected inbound requests targeting the device's administrative functions.
Compensating Controls: Implement strict network segmentation and firewall rules to restrict access to the affected PLC management interfaces to trusted internal IP addresses only.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Dec 2, 2025, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw—which allows direct command execution—the potential for exploitation is extremely high and should be prioritized accordingly.
Analyst Recommendation
Given the critical nature of this command injection vulnerability, immediate action is required. Organizations utilizing Circutor SGE-PLC1000 or SGE-PLC50 units should isolate these devices from public-facing networks until a vendor-supplied patch is successfully applied.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' function, there is an unlimited user...
Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter.
---METADATA---
VENDOR: Circutor
PRODUCT: SGE-PLC1000 and SGE-PLC50
AFFECTED_VERSIONS: 9.0.2
CONFIDENCE: high
MISSING: patch
---END_METADATA---
Description Summary:
A stack-based buffer overflow in the 'ShowMeterPasswords()' function allows unauthenticated attackers to crash the application or execute arbitrary code via excessive input.
Executive Summary:
A critical stack-based buffer overflow in Circutor SGE-PLC series devices permits unauthenticated attackers to trigger memory corruption and potentially execute arbitrary code.
Vulnerability Details
CVE-ID: CVE-2025-11785
Affected Software: Circutor SGE-PLC1000 and SGE-PLC50
Affected Versions: 9.0.2
Vulnerability: The vulnerability exists within the 'ShowMeterPasswords()' function due to the lack of size validation when copying user-supplied input from the 'meter' parameter into a fixed-size buffer using 'sprintf()'. An unauthenticated attacker can provide an excessively large input to trigger an overflow.
Business Impact
With a CVSS score of 9.8, this vulnerability represents a significant risk to the availability and security of the affected industrial control hardware. Successful exploitation can lead to a complete denial-of-service or remote code execution, enabling attackers to compromise the device, intercept sensitive password data, or pivot further into the industrial network.
Remediation Plan
Immediate Action: Update the affected Circutor SGE-PLC1000/SGE-PLC50 firmware to the latest version provided by the manufacturer to remediate the buffer overflow.
Proactive Monitoring: Monitor system logs for repeated application crashes or abnormal memory utilization patterns that may indicate an ongoing exploitation attempt.
Compensating Controls: Deploy a Web Application Firewall (WAF) or Intrusion Prevention System (IPS) configured to inspect and block excessively long input strings directed at the device's web management interface.
Exploitation Status
Public Exploit Available: Unknown
Analyst Notes: As of Dec 2, 2025, there is no public information indicating active exploitation of this vulnerability. However, the ease of triggering this overflow makes it a high-risk target for malicious actors, necessitating prompt attention.
Analyst Recommendation
The severity of this memory corruption vulnerability warrants immediate remediation. Security teams must ensure that firmware updates are tested and deployed as soon as they become available to mitigate the risk of unauthorized access or device failure.
Update Unknown Multiple Products to the latest version. Monitor for exploitation attempts and review access logs.
Executive Summary:
A high-severity vulnerability has been identified in the NI System Web Server, which could allow an unauthorized attacker to access sensitive files on the server. This flaw, known as a relative path traversal, could be exploited remotely to read data outside of the intended web directory, potentially leading to the disclosure of confidential information, system credentials, or intellectual property. Organizations are urged to apply the vendor-provided security updates immediately to mitigate this risk.
Vulnerability Details
CVE-ID: CVE-2025-12097
Affected Software: NI System Web Server
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is a relative path traversal (also known as "dot-dot-slash") within the NI System Web Server. An unauthenticated, remote attacker can exploit this by sending a specially crafted HTTP request containing
../sequences to the server. This manipulation tricks the server into navigating outside of the web root directory, granting the attacker read-access to arbitrary files on the underlying file system, limited only by the permissions of the web server's user account. Successful exploitation could allow an attacker to retrieve sensitive files such as configuration files, source code, or password files.Business Impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation of this flaw could have a significant negative impact on the business. The primary risk is information disclosure, which could lead to the theft of sensitive corporate data, customer information, intellectual property, or system credentials. A successful attack could result in direct financial loss, reputational damage, loss of customer trust, and potential regulatory penalties for non-compliance with data protection standards. If stolen credentials provide access to other systems, this vulnerability could serve as an initial entry point for a more widespread network compromise.
Remediation Plan
Immediate Action: The primary remediation is to apply the security updates provided by the vendor across all affected systems immediately. Prioritize patching for systems that are publicly accessible via the internet. After patching, it is crucial to review web server access logs for any signs of past or ongoing exploitation attempts.
Proactive Monitoring: Security teams should actively monitor web server logs for HTTP requests containing path traversal sequences, such as
../,..%2f,..%c0%af, or their encoded variants. Implement alerts for unusual file access patterns or requests targeting known sensitive system files. Monitor for anomalous outbound network traffic from the web server, which could indicate data exfiltration.Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block path traversal attacks. Additionally, harden the server by ensuring the web server process runs with the lowest possible privileges, limiting its ability to access critical system files. Restrict network access to the server, allowing connections only from trusted IP addresses where possible.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 4, 2025, there are no known public proof-of-concept exploits or reports of this vulnerability being actively exploited in the wild. However, vulnerabilities of this type are commonly and quickly weaponized by threat actors after disclosure. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
Analyst Recommendation
Given the high severity (CVSS 7.5) and the risk of sensitive information disclosure, we strongly recommend that organizations prioritize the immediate application of the vendor-supplied patches to all vulnerable NI System Web Server instances. Special priority should be given to internet-facing systems, as they are the most likely targets for attack. Although there is no current evidence of active exploitation, the simplicity of exploiting path traversal vulnerabilities makes it highly likely that attackers will develop exploits. Proactive patching is the most effective defense to prevent a potential data breach.