Hardcoded default credentials (username 'freedom', password 'viscount') in Hirsch Enterphone MESH web GUI enable remote unauthenticated takeover of apartment building access control systems across dozens of Canadian and U.S. buildings. Attackers can access mesh.webadmin.MESHAdminServlet over the Internet to extract resident PII and potentially manipulate building access controls. EPSS score of 27.21% (96th percentile) indicates elevated exploitation probability, though no CISA KEV listing exists at time of analysis. Exploitation requires no special conditions beyond network reachability of the vulnerable interface.
The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Oliver POS - A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.