Skip to main content
CVE-2025-6679 CRITICAL Act Now

The Bit Form builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.20.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE File Upload PHP
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-54466 CRITICAL PATCH Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability leading to a possible RCE in Apache OFBiz scrum plugin.09.02 only when the scrum plugin is used. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

RCE Code Injection Apache Ofbiz
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-8995 CRITICAL PATCH Act Now

Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Authenticator Login allows Authentication Bypass.0.0 before 2.1.4. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Authenticator Login Drupal
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-9060 CRITICAL Act Now

A vulnerability has been found in the MSoft MFlash application that allows execution of arbitrary code on the server. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE
NVD GitHub
CVSS 3.1
9.1
EPSS
0.2%
CVE-2025-54473 CRITICAL This Week

An authenticated RCE vulnerability in Phoca Commander component 1.0.0-4.0.0 and 5.0.0-5.0.1 for Joomla was discovered. Rated critical severity (CVSS 9.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE File Upload Joomla
NVD
CVSS 4.0
9.2
EPSS
0.1%
CVE-2025-7778 CRITICAL This Week

The Icons Factory plugin for WordPress is vulnerable to Arbitrary File Deletion due to insufficient authorization and improper path validation within the delete_files() function in all versions up. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress PHP RCE
NVD
CVSS 3.1
9.8
EPSS
0.4%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy