Skip to main content
CVE-2025-26793 CRITICAL POC THREAT Emergency

Hardcoded default credentials (username 'freedom', password 'viscount') in Hirsch Enterphone MESH web GUI enable remote unauthenticated takeover of apartment building access control systems across dozens of Canadian and U.S. buildings. Attackers can access mesh.webadmin.MESHAdminServlet over the Internet to extract resident PII and potentially manipulate building access controls. EPSS score of 27.21% (96th percentile) indicates elevated exploitation probability, though no CISA KEV listing exists at time of analysis. Exploitation requires no special conditions beyond network reachability of the vulnerable interface.

Information Disclosure
NVD
CVSS 4.0
9.3
EPSS
27.2%
Threat
4.2
CVE-2024-12562 CRITICAL Act Now

The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op'. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure WordPress PHP Deserialization S2Member
NVD
CVSS 3.1
9.8
EPSS
0.8%
CVE-2024-13513 CRITICAL PATCH Act Now

The Oliver POS - A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Information Disclosure Authentication Bypass Oliver Pos
NVD
CVSS 3.1
9.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy