A security vulnerability in version 4.0.0 and (CVSS 9.0) that allows capturing of env variables. Risk factors: EPSS 41% exploitation probability, public PoC available. Vendor patch is available.
A remote code execution vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection (CVSS 9.3). Risk factors: EPSS 32% exploitation probability.
Blind SQL injection vulnerability in mystyleplatform's MyStyle Custom Product Designer that allows unauthenticated remote attackers to extract sensitive data through time-based or error-based SQL injection techniques. All versions up to and including 3.21.1 are affected. The high CVSS score of 9.3 reflects the critical nature of unauthenticated network-accessible SQL injection with high confidentiality impact, though integrity is not directly compromised and availability impact is limited.
Critical unrestricted file upload vulnerability in FantasticPlugins SUMO Affiliates Pro (versions through 10.7.0) that allows unauthenticated attackers to upload malicious files with dangerous types, leading to complete system compromise. This CWE-434 vulnerability has a perfect CVSS 3.1 score of 10.0 due to network accessibility without authentication or user interaction, and affects all confidentiality, integrity, and availability properties. The vulnerability represents an immediate, easily exploitable threat to any WordPress installation running the affected plugin versions.
A remote code execution vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
A security vulnerability in WilderForge (CVSS 9.9). Critical severity with potential for significant impact on affected systems.
Critical Code Injection vulnerability (CWE-94) in MetalpriceAPI versions through 1.1.4 that allows authenticated attackers to inject and execute arbitrary code with network access and low complexity. The vulnerability has a maximum severity CVSS score of 9.9 with complete impact across confidentiality, integrity, and availability. This is a high-priority vulnerability affecting any deployment of MetalpriceAPI up to version 1.1.4, with no publicly confirmed workarounds available at this time.
CyberData 011209 Intercom devices contain an authentication bypass vulnerability in the web interface accessible via an alternate path, allowing unauthenticated attackers complete unauthorized access (confidentiality, integrity, availability compromise). This CVSS 9.8 critical vulnerability affects CyberData intercom systems and poses immediate risk to organizations relying on these devices for communication and physical security integration. No specific KEV or active exploitation data provided, but the unauthenticated network-accessible nature with no mitigation requirements makes this highly likely to be targeted.
Critical remote code execution vulnerability in Zohocorp ManageEngine Exchange Reporter Plus versions 5721 and prior, exploitable through the Content Search module without authentication. An attacker can achieve arbitrary code execution with high confidentiality, integrity, and availability impact across the system boundary (CVSS 9.6). This vulnerability requires user interaction (UI=R) and involves improper file upload handling (CWE-434); active exploitation status and POC availability require verification through CISA KEV and public disclosures.
Critical authentication bypass vulnerability in Honding Technology's Smart Parking Management System that allows unauthenticated remote attackers to directly access an administrative credentials page and retrieve plaintext administrator passwords without authentication. With a CVSS score of 9.8 and network-accessible attack vector, this vulnerability poses an immediate and severe risk to all deployed instances, potentially enabling complete system compromise and unauthorized access to parking infrastructure management.
Critical arbitrary file upload vulnerability in CyberData 011209 Intercom systems that allows authenticated attackers to upload malicious files to multiple locations within the system without user interaction. With a CVSS 9.8 score and network-accessible attack surface requiring only valid authentication credentials, this vulnerability poses severe risk to organizations deploying these intercom systems. The vulnerability enables complete system compromise through arbitrary file placement, potentially allowing remote code execution, system manipulation, and data theft.
Discourse versions prior to 3.4.4 (stable), 3.5.0.beta5 (beta), and 3.5.0.beta6-dev (tests-passed) contain a critical vulnerability where Codepen is included in the default `allowed_iframes` site setting and can auto-execute arbitrary JavaScript within the iframe scope, enabling unauthenticated remote code execution. With a CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses severe risk to all default Discourse installations and should be prioritized for immediate patching.
Remote code execution vulnerability in PressGrid WordPress Theme versions through 1.3.1 allows unauthenticated attackers to inject arbitrary PHP objects via insecure deserialization, potentially leading to full site compromise. The vulnerability exploits improper validation of serialized user input - a common attack vector in WordPress themes and plugins. CVSS 9.8 critical severity is supported by network attack vector requiring no privileges, though EPSS score of 0.14% (34th percentile) and absence from CISA KEV suggest limited active exploitation. Patchstack, a WordPress security vendor, identified and disclosed this flaw.
Remote code execution in PIMP Creative MultiPurpose WordPress theme through version 1.7 allows unauthenticated attackers to execute arbitrary PHP code via insecure deserialization of user-controlled data. The CVSS 9.8 score reflects network-accessible exploitation with no authentication or user interaction required. Patchstack identified this vulnerability, though EPSS probability is low (0.14%, 34th percentile), suggesting no public exploit identified at time of analysis and limited observed exploitation attempts.
PHP object injection in FLAP Business WordPress Theme versions through 1.5 allows unauthenticated remote attackers to execute arbitrary code via unsafe deserialization of user-supplied data. The CVSS 9.8 critical rating reflects network-based exploitation requiring no privileges or user interaction, enabling full system compromise. While EPSS score of 0.14% suggests low immediate exploitation probability, the availability of technical details in the Patchstack database increases weaponization risk for WordPress installations running this theme.
Critical deserialization of untrusted data vulnerability in themeton's 'The Fashion - Model Agency One Page Beauty Theme' WordPress theme (versions up to 1.4.4) that enables object injection attacks. An unauthenticated, remote attacker can exploit this with no user interaction required to achieve complete system compromise including confidentiality, integrity, and availability breaches. The CVSS 9.8 score reflects the critical nature (network-accessible, low complexity, no privileges needed, high impact across all security properties), though real-world exploitation likelihood depends on whether public POCs exist and if the vulnerability is actively being weaponized in the wild.
CVE-2025-31022 is an authentication bypass vulnerability in PayU India's payment processing platform (versions before 3.8.8) that allows attackers to bypass authentication mechanisms via an alternate path or channel, granting unauthorized access to sensitive payment and customer data. With a critical CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses an immediate and severe threat to all PayU India users and their customers' payment information. Active exploitation status and public disclosure details should be verified through CISA KEV database and PayU's official security advisories.
Critical authentication bypass vulnerability in Lablup's BackendAI registration feature that allows unauthenticated attackers to create arbitrary user accounts and access private data, even when registration is administratively disabled. With a CVSS score of 9.8 and network-based attack vector requiring no privileges or user interaction, this vulnerability poses an immediate and severe risk to all BackendAI deployments. The vulnerability enables account creation without proper authentication controls (CWE-306), potentially allowing attackers to gain unauthorized access to sensitive computational resources and data.
CVE-2025-48129 is an Incorrect Privilege Assignment vulnerability (CWE-266) in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin that allows unauthenticated remote attackers to escalate privileges and gain complete control over affected WordPress installations. The vulnerability affects versions up to and including 2.4.37, with a critical CVSS 9.8 score indicating network-exploitable, low-complexity privilege escalation requiring no authentication or user interaction. Active exploitation status and proof-of-concept availability would significantly elevate real-world risk given the plugin's direct access to WooCommerce/WP E-commerce price modification functionality.
Critical SQL injection vulnerability in Alex Zaytseff's Multi CryptoCurrency Payments plugin (versions up to 2.0.3) that allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability has a CVSS score of 9.3 with network-based attack vector and no privileges required, enabling attackers to extract sensitive data including cryptocurrency transaction records, user credentials, and payment information. The high CVSS combined with an unauthenticated, low-complexity attack vector suggests this is a high-priority vulnerability with significant real-world exploitation risk.
A critical SQL injection vulnerability (CVE-2025-48122) exists in Holest Engineering's Spreadsheet Price Changer for WooCommerce and WP E-commerce - Light plugin affecting versions through 2.4.37. An unauthenticated remote attacker can execute arbitrary SQL commands to extract sensitive database information including customer data and product details. The high CVSS score of 9.3 combined with network accessibility and no authentication requirement makes this a severe priority, particularly if the vulnerability is actively exploited or proof-of-concept code is publicly available.
Blind SQL Injection vulnerability in the WP Lead Capturing Pages WordPress plugin (versions through 2.3) that allows unauthenticated remote attackers to extract sensitive data from the database without leaving obvious traces. The vulnerability has a critical CVSS score of 9.3 due to its network-accessible attack vector, low complexity, and requirement for no privileges or user interaction. While specific KEV or active exploitation status is not confirmed in available intelligence, the high CVSS, blind SQL injection nature, and broad applicability across WordPress installations make this a priority for remediation.
A critical SQL injection vulnerability (CVE-2025-31059) exists in woobewoo WBW Product Table PRO plugin versions up to 2.1.3, allowing unauthenticated remote attackers to execute arbitrary SQL queries and extract sensitive database information. The CVSS 9.3 score reflects the severe impact on confidentiality with network-based attack vectors requiring no user interaction, though integrity is not compromised. The vulnerability's active exploitation status and high EPSS score indicate this is a genuine, prioritized threat requiring immediate patching.
Blind SQL Injection vulnerability in the TicketBAI Facturas para WooCommerce plugin (versions up to 3.19) that allows unauthenticated remote attackers to execute arbitrary SQL queries. The vulnerability has a critical CVSS score of 9.3 with network-based attack vector requiring no privileges or user interaction, potentially enabling data exfiltration from WordPress database instances. Active exploitation status and proof-of-concept availability should be verified through KEV databases and security research channels.
CVE-2025-31039 is an XML External Entity (XXE) injection vulnerability in the Pixelgrade Category Icon WordPress plugin (versions through 1.0.2) that allows authenticated attackers with high privileges to read arbitrary files, execute remote code, or cause denial of service through improper XML entity validation. The vulnerability has a critical CVSS score of 9.1 but requires administrator-level privileges to exploit; active exploitation status and proof-of-concept availability are not confirmed from the provided intelligence.