Skip to main content
CVE-2025-53521 CRITICAL POC KEV THREAT Emergency

F5 BIG-IP APM (Access Policy Manager) contains a remote code execution vulnerability triggered by specific malicious traffic when an access policy is configured on a virtual server.

RCE Denial Of Service
NVD VulDB GitHub
CVSS 4.0
9.3
EPSS
0.1%
Threat
5.8
CVE-2025-9967 CRITICAL Act Now

Account takeover in WordPress Orion SMS OTP Verification plugin (versions ≤1.1.7) allows unauthenticated remote attackers to reset arbitrary user passwords without identity verification. Attackers knowing a target's phone number can change that user's password to an attacker-controlled OTP, gaining complete account access with full privileges. CVSS 9.8 (Critical) reflects network-accessible, no-authentication-required exploitation with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis.

WordPress Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-10041 CRITICAL Act Now

Arbitrary file upload in Flex QR Code Generator plugin (WordPress) versions ≤1.2.5 allows unanauthenticated remote attackers to upload malicious files without restriction, enabling remote code execution on vulnerable web servers. The flaw stems from absent file type validation in the save_qr_code_to_db() function, accessible over the network with no authentication barrier. With CVSS 9.8 (critical) and EPSS data unavailable, this represents a severe exposure for WordPress sites running the affected plugin. No public exploit identified at time of analysis, and not listed in CISA KEV, but the trivial attack complexity (AC:L, PR:N) makes this a high-priority remediation target.

WordPress File Upload RCE
NVD
CVSS 3.1
9.8
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy