Unauthenticated attackers bypass authentication and gain complete account access, including administrator privileges, in Search & Go - Directory WordPress Theme versions ≤2.7 when Facebook login functionality is enabled. Exploitation requires no user interaction and no authentication. The vulnerability stems from insufficient user validation in the search_and_go_elated_check_facebook_user() function, allowing arbitrary account takeover. No public exploit identified at time of analysis. This issue is remotely exploitable over the network with low attack complexity.
Remote code execution in Newforma Project Center Server (NPCS) 2024.3 allows unauthenticated attackers to execute arbitrary code with NT AUTHORITY\NetworkService privileges by sending malicious serialized .NET data to the '/ProjectCenter.rem' endpoint on TCP port 9003. The vulnerability stems from insecure deserialization of untrusted data on a network-exposed endpoint. While vendor architecture recommends internal-only deployment, the service accepts network connections without authentication (CVSS AV:N/PR:N), creating critical risk for organizations with exposed instances. CWE-306 (Missing Authentication) confirms the root cause as lack of authentication controls on a sensitive endpoint.