The FunnelKit plugin for WordPress (versions ≤3.5.3) contains a critical vulnerability allowing unauthenticated attackers to install arbitrary plugins due to missing capability checks and weak nonce validation in the install_or_activate_addon_plugins() function. This is a pre-authentication remote code execution vector with a CVSS 9.8 severity rating that enables complete site compromise through malicious plugin installation.
A remote code execution vulnerability in CloudClassroom-PHP-Project v1.0 (CVSS 9.8). Risk factors: public PoC available.
Critical remote code execution vulnerability in EfroTech Time Trax v1.0 that exploits improper file upload validation in the leave request form's attachment functionality. An authenticated attacker with low privileges can upload and execute arbitrary code on the server, achieving complete system compromise with high confidentiality, integrity, and availability impact. The vulnerability is classified as actively exploitable (CVSS 9.9) and represents an immediate threat to all deployed instances.
CloudClassroom-PHP-Project v1.0 contains a critical SQL injection vulnerability in the loginlinkadmin.php component that allows unauthenticated attackers to bypass authentication and gain unauthorized administrative access by injecting malicious SQL payloads into the username field. With a CVSS score of 9.8 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability poses immediate and severe risk to all deployments. While specific KEV status and EPSS data were not provided in the intelligence sources, the combination of complete authentication bypass capability, high CVSS score, and trivial exploitation complexity suggests this is actively exploitable and likely to be targeted by opportunistic attackers.
D-Link DPH-400S/SE VoIP phones running firmware v1.01 contain hardcoded provisioning credentials (PROVIS_USER_PASSWORD) embedded directly in the firmware binary, allowing attackers with firmware access to extract sensitive authentication material via static analysis tools. This critical vulnerability (CVSS 9.8) enables unauthorized access to device management functions and potentially user accounts, with network-accessible exploitation possible if combined with firmware extraction techniques.
CryptPad versions prior to 2025.3.0 contain a critical authentication bypass vulnerability that allows attackers to circumvent Two-Factor Authentication (2FA) enforcement through a trivial path parameter manipulation. An attacker who obtains valid user credentials can bypass 2FA protection by URL-encoding a single character in the access path, gaining full account access without the second authentication factor. The vulnerability has a CVSS score of 9.1 (Critical) and requires no special privileges or user interaction to exploit.
A remote code execution vulnerability in the PDF scanning processes of ClamAV could allow an unauthenticated (CVSS 9.8). Critical severity with potential for significant impact on affected systems.
CVE-2025-51381 is an authentication bypass vulnerability in KCM3100 version 1.4.2 and earlier that allows unauthenticated attackers on the local network (LAN) to completely bypass product authentication and gain full system access. The vulnerability has a critical CVSS score of 9.8 with no authentication or user interaction required, enabling attackers to achieve complete confidentiality, integrity, and availability compromise of affected devices.