CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affected systems.
The Premium Age Verification / Restriction for WordPress plugin contains an insufficiently protected remote support functionality in remote_tunnel.php that allows unauthenticated attackers to read from or write to arbitrary files on affected servers. This critical vulnerability (CVSS 9.8) affects all versions up to and including 3.0.2, potentially enabling sensitive information disclosure or remote code execution without authentication. Given the critical CVSS score and network-accessible attack vector, this vulnerability should be treated as high priority pending confirmation of KEV status and active exploitation.
The GB Forms DB plugin for WordPress contains a critical unauthenticated Remote Code Execution vulnerability in the gbfdb_talk_to_front() function, affecting all versions up to 1.0.2. The vulnerability stems from unsanitized user input passed directly to call_user_func(), allowing attackers to execute arbitrary PHP code without authentication. This can be leveraged to inject backdoors, create administrative accounts, or achieve full server compromise.
CVE-2025-30026 is a critical authentication bypass vulnerability in AXIS Camera Station Server that allows unauthenticated remote attackers to completely compromise the system without requiring valid credentials. The flaw has a CVSS score of 9.8 with a CVSS vector indicating network-accessible, low-complexity exploitation requiring no privileges or user interaction, enabling attackers to achieve full confidentiality, integrity, and availability compromise. This vulnerability affects the AXIS Camera Station Server product line and represents an immediate and severe threat requiring emergency patching.
CVE-2025-50121 is an OS command injection vulnerability (CWE-78) in an unspecified product that allows unauthenticated remote attackers to achieve remote code execution by creating a malicious folder through the web interface when HTTP is enabled. With a CVSS 9.5 score and network-based attack vector requiring minimal complexity, this represents a critical vulnerability; however, real-world risk is substantially mitigated by the requirement that HTTP must be explicitly enabled (disabled by default). No active KEV status, EPSS data, or public POC availability has been confirmed from the provided intelligence.
CVE-2025-52950 is a Missing Authorization vulnerability in Juniper Networks Security Director that allows authenticated attackers to read and modify sensitive resources beyond their authorization level through the web interface. This affects Security Director version 24.4.1 and could enable lateral movement and compromise of downstream managed network devices. The vulnerability has a critical CVSS 9.6 score and represents a significant integrity and availability risk, though it requires valid credentials to exploit.
CVE-2025-30023 is a critical remote code execution vulnerability in a client-server communication protocol that allows authenticated users to execute arbitrary code on affected systems. The flaw affects users with valid credentials who can access the affected service over an adjacent network segment, potentially compromising confidentiality, integrity, and availability across trust boundaries. While specific product details are limited in the provided data, this represents a high-severity risk requiring immediate patching, particularly if actively exploited or if public proof-of-concept code exists.
CVE-2025-52579 is a cleartext sensitive data storage vulnerability in Emerson ValveLink Products where cryptographic keys, credentials, or other sensitive information are retained unencrypted in process memory. An unauthenticated remote attacker can exploit this over the network with low complexity to extract sensitive data from memory dumps, core files, or crashed processes, potentially gaining unauthorized access to critical industrial control systems. The CVSS score of 9.4 reflects high confidentiality and integrity impact; however, KEV status, EPSS probability, and active exploitation data are not available in the provided sources, requiring real-time CISA monitoring for confirmation.