Skip to main content
CVE-2025-47539 CRITICAL POC THREAT Emergency

Incorrect Privilege Assignment vulnerability in Themewinter Eventin allows Privilege Escalation.0.26. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 28.9% and no vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
28.9%
Threat
4.3
CVE-2025-47646 CRITICAL POC Act Now

Weak Password Recovery Mechanism for Forgotten Password vulnerability in Gilblas Ngunte Possi PSW Front-end Login & Registration allows Password Recovery Exploitation.13. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
9.8
EPSS
8.9%
CVE-2025-5099 CRITICAL POC Act Now

An Out of Bounds Write occurs when the native library attempts PDF rendering, which can be exploited to achieve memory corruption and potentially arbitrary code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow RCE Printershare
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2025-5098 CRITICAL POC Act Now

PrinterShare Android application allows the capture of Gmail authentication tokens that can be reused to access a user's Gmail account without proper authorization. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Google Information Disclosure Printershare Android
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-47687 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in StoreKeeper B.V. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-47642 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Ajar Productions Ajar in5 Embed allows Upload a Web Shell to a Web Server.1.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-47641 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows Upload a Web Shell to a Web Server.3.8. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-47637 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in STAGGS STAGGS allows Upload a Web Shell to a Web Server.11.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-47663 CRITICAL Act Now

Authenticated remote attackers can upload malicious PHP web shells to mojoomla Hospital Management System versions 47.0(20) through 11, achieving remote code execution with server privileges. The CVSS:3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C) reflects network-based exploitation requiring only low-privileged authentication, with scope change indicating potential container/hosting escape. EPSS score of 0.32% (55th percentile) suggests low probability of mass exploitation despite critical severity. Patchstack reported this CWE-434 file upload vulnerability, with exploit scenario involving authenticated upload of PHP backdoor to achieve persistent server compromise.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-47658 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System allows Upload a Web Shell to a Web Server.2.7. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-46490 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in wordwebsoftware Crossword Compiler Puzzles allows Upload a Web Shell to a Web Server.2. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.3%
CVE-2025-46468 CRITICAL Act Now

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPFable Fable Extra allows PHP Local File Inclusion.0.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-48289 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Kids Planet allows Object Injection.2.14. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-48287 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Pagaleve Pix 4x sem juros - Pagaleve allows Object Injection.6.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47568 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ZoomIt ZoomSounds allows Object Injection.91. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47532 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in CoinPayments CoinPayments.net Payment Gateway for WooCommerce allows Object Injection.net Payment Gateway for WooCommerce: from n/a through 1.0.17. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-47530 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in WPFunnels WPFunnels allows Object Injection.5.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39503 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hotel allows Object Injection.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39500 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in GoodLayers Goodlayers Hostel allows Object Injection.1.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39499 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Medicare allows Object Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39495 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in BoldThemes Avantage allows Object Injection.4.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39485 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Tour | Travel Agency WordPress allows Object Injection.5.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-32292 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis - Night Club, Concert, Festival WordPress allows Object Injection.8.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31927 CRITICAL Act Now

PHP object injection in Acerola WordPress theme versions up to 1.6.5 enables remote unauthenticated attackers to execute arbitrary code, manipulate application data, or cause denial of service through deserialization of untrusted data. CVSS 9.8 reflects worst-case impact (network vector, no authentication required), though EPSS score of 0.37% (59th percentile) suggests limited active targeting to date. Reported by Patchstack audit team with vulnerability details published in their database, indicating researcher-identified rather than in-the-wild discovery. No CISA KEV listing confirms exploitation remains theoretical or limited in scope.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31631 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Fish House allows Object Injection.2.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31430 CRITICAL Act Now

PHP Object Injection in 'The Business' WordPress theme through version 1.6.1 allows remote unauthenticated attackers to execute arbitrary code, modify data, or cause denial of service via deserialization of untrusted data. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N), exploitation requires no authentication or user interaction. EPSS score of 0.37% suggests low observed exploitation probability despite critical severity, though no public exploit code or CISA KEV listing exists at time of analysis. Patchstack cataloged this vulnerability, indicating security researcher attention to WordPress theme supply chain risks.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31423 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in AncoraThemes Umberto allows Object Injection.2.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31069 CRITICAL Act Now

PHP object injection in HotStar WordPress theme (versions up to 1.4) allows remote unauthenticated attackers to achieve full system compromise through deserialization of untrusted data. The CVSS 9.8 critical rating reflects network-based exploitation requiring no authentication or user interaction, though EPSS scoring at 0.37% (59th percentile) indicates relatively low observed exploitation probability. Patchstack reported this vulnerability, and while no CISA KEV listing exists, the trivial attack complexity (AC:L) combined with the WordPress theme context suggests potential for automated scanning and exploitation if gadget chains are present in the target environment.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-31049 CRITICAL Act Now

Remote unauthenticated attackers can achieve arbitrary PHP object injection in Dash WordPress theme versions up to 1.3 by exploiting unsafe deserialization of user-controlled data. The CVSS 9.8 score reflects network-based attack with no authentication required and complete compromise potential (confidentiality, integrity, availability). Despite the critical severity, EPSS probability is relatively low (0.37%, 59th percentile), suggesting limited observed exploitation attempts. Reported by Patchstack security research team with public vulnerability database entry available. No CISA KEV listing indicates this is not confirmed as actively exploited in the wild, though the straightforward attack vector (AV:N/AC:L/PR:N) makes it attractive for mass WordPress scanning campaigns.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-39489 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in pebas CouponXL allows Privilege Escalation.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-31918 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in quantumcloud Simple Business Directory Pro allows Privilege Escalation.4.8. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-39480 CRITICAL Act Now

A critical deserialization vulnerability in the ThemeMakers Car Dealer WordPress theme allows remote attackers to perform PHP object injection attacks without authentication. The vulnerability affects all versions of Car Dealer prior to 1.6.7 and enables complete system compromise with the ability to execute arbitrary code, steal data, or take over the website. With an EPSS score of 0.15% (35th percentile), while not currently in CISA KEV, the vulnerability presents moderate real-world exploitation risk given its network-accessible attack vector and lack of required authentication.

Deserialization
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-48283 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Majestic Support Majestic Support allows SQL Injection.1.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-47640 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in printcart Printcart Web to Print Product Designer for WooCommerce allows SQL Injection.3.8. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-47599 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in facturante Facturante allows SQL Injection.11. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-46539 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFable Fable Extra allows Blind SQL Injection.0.6. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-46460 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Detheme Easy Guide allows SQL Injection.0.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-46455 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IndigoThemes WP HRM LITE allows SQL Injection.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-39504 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GoodLayers Goodlayers Hotel allows Blind SQL Injection.1.4. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-39501 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in GoodLayers Goodlayers Hostel allows Blind SQL Injection.1.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-31914 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Pixel WordPress Form BuilderPlugin & Autoresponder allows Blind SQL Injection.0.2. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-31397 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Bus Ticket Booking with Seat Reservation for WooCommerce allows SQL Injection.7. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-31056 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn WhatsCart - Whatsapp Abandoned Cart Recovery, Order Notifications, Chat Box, OTP for. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.2%
CVE-2025-3895 CRITICAL Act Now

Token used for resetting passwords in MegaBIP software are generated using a small space of random values combined with a queryable value. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
9.1
EPSS
0.6%
CVE-2025-31916 CRITICAL Act Now

Unrestricted file upload in JP Students Result Management System Premium WordPress plugin versions 1.1.7 and later enables remote unauthenticated attackers to upload and execute malicious web shells, achieving complete server compromise with high complexity exploitation requirements. Reported by Patchstack security researchers, this vulnerability carries a 0.31% EPSS exploitation probability (54th percentile), indicating moderate but not negligible real-world risk. No active exploitation confirmed in CISA KEV at time of analysis, though the cross-scope impact (S:C in CVSS vector) suggests potential for lateral movement beyond the WordPress application itself.

File Upload
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2024-51360 CRITICAL POC Act Now

An issue in Hospital Management System In PHP V4.0 allows a remote attacker to execute arbitrary code via the hms/doctor/edit-profile.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE PHP Code Injection Hospital Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
3.9%
CVE-2024-51101 CRITICAL POC Act Now

PHPGURUKUL Restaurant Table Booking System using PHP and MySQL v1.0 was discovered to contain a SQL injection vulnerability via the searchdata parameter at /rtbs/check-status.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Restaurant Table Booking System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy