Skip to main content
CVE-2025-3605 CRITICAL POC THREAT Emergency

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 12.7%.

WordPress Authentication Bypass Privilege Escalation
NVD Exploit-DB
CVSS 3.1
9.8
EPSS
12.7%
CVE-2025-28200 CRITICAL POC Act Now

Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits of the Mac address. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Brute Force Information Disclosure Rx1800 Firmware
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-45885 CRITICAL POC Act Now

PHPGURUKUL Vehicle Parking Management System v1.13 is vulnerable to SQL injection in the /vpms/users/login.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Vehicle Parking Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-45887 CRITICAL POC Act Now

Yifang CMS v2.0.2 is vulnerable to Server-Side Request Forgery (SSRF) in /api/file/getRemoteContent. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Yifang
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2025-4403 CRITICAL Act Now

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user‐supplied. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2024-12442 CRITICAL Act Now

EnerSys AMPA versions 24.04 through 24.16, inclusive, are vulnerable to command injection leading to privileged remote shell access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2024-11861 CRITICAL Act Now

EnerSys AMPA 22.09 and prior versions are vulnerable to command injection leading to privileged remote shell access. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
2.3%
CVE-2024-11617 CRITICAL Act Now

The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload
NVD
CVSS 3.1
9.8
EPSS
2.1%
CVE-2025-46191 CRITICAL Act Now

Arbitrary File Upload in user_payment_update.php in SourceCodester Client Database Management System 1.0 allows unauthenticated users to upload arbitrary files via the uploaded_file_cancelled field. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE PHP Code Injection File Upload Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-2253 CRITICAL Act Now

The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-3811 CRITICAL PATCH Act Now

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Privilege Escalation Wpbookit PHP
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-3810 CRITICAL PATCH Act Now

The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Privilege Escalation Wpbookit PHP
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2025-46192 CRITICAL Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_payment_update.php via the order_id POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-46190 CRITICAL Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_delivery_update.php via the order_id POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-3714 CRITICAL Act Now

The LCD KVM over IP Switch CL5708IM has a Stack-based Buffer Overflow vulnerability in firmware versions prior to v2.2.215, allowing unauthenticated remote attackers to exploit this vulnerability to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2025-3711 CRITICAL Act Now

The LCD KVM over IP Switch CL5708IM has a Stack-based Buffer Overflow vulnerability in firmware versions prior to v2.2.215, allowing unauthenticated remote attackers to exploit this vulnerability to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2025-3710 CRITICAL Act Now

The LCD KVM over IP Switch CL5708IM has a Stack-based Buffer Overflow vulnerability in firmware versions prior to v2.2.215, allowing unauthenticated remote attackers to exploit this vulnerability to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Stack Overflow
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2025-3463 CRITICAL Act Now

"This issue is limited to motherboards and does not affect laptops, desktop computers, or other endpoints." An insufficient validation vulnerability in ASUS DriverHub may allow untrusted sources to. Rated critical severity (CVSS 9.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
9.4
EPSS
0.5%
CVE-2025-46193 CRITICAL This Week

SourceCodester Client Database Management System 1.0 is vulnerable to Remote code execution via Arbitrary file upload in user_proposal_update_order.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP RCE File Upload Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
3.6%
CVE-2025-46189 CRITICAL POC Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in user_order_customer_update.php via the order_id POST parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-46188 CRITICAL POC Act Now

SourceCodester Client Database Management System 1.0 is vulnerable to SQL Injection in superadmin_phpmyadmin.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Client Database Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-45513 CRITICAL POC Act Now

Tenda FH451 V1.0.0.9 has a stack overflow vulnerability in the function.P2pListFilter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Tenda Buffer Overflow Stack Overflow Fh451 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-1087 CRITICAL This Week

Kong Insomnia Desktop Application before 11.0.2 contains a template injection vulnerability that allows attackers to execute arbitrary code. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 4.0
9.3
EPSS
0.9%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy