Skip to main content
CVE-2025-56447 CRITICAL POC Act Now

Authentication bypass in TM2 Monitoring v3.04 allows remote attackers to circumvent login controls and access the application, which additionally stores and discloses user credentials in plaintext. Publicly available exploit code exists (POC published by researcher stSLAYER for RT-Systems' TM2), enabling full compromise of confidentiality, integrity, and availability. Not listed in CISA KEV and EPSS probability is low (0.32%), so no confirmed active exploitation despite the critical 9.8 CVSS score.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-58963 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-60206 CRITICAL Act Now

Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.

WordPress PHP Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-60238 CRITICAL Act Now

PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60216 CRITICAL Act Now

PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60214 CRITICAL Act Now

PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.

WordPress Deserialization Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49380 CRITICAL Act Now

PHP object injection in WooCommerce Vehicle Parts Finder plugin versions up to 3.7 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication or user interaction. Reported by Patchstack audit team, this represents a critical pre-authentication vulnerability in WordPress e-commerce environments. EPSS data unavailable; not currently listed in CISA KEV, suggesting limited widespread exploitation at time of disclosure.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59007 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49915 CRITICAL Act Now

SQL injection in WordPress SMS Alert Order Notifications plugin through version 3.8.5 allows remote unauthenticated attackers to extract sensitive database contents via network-accessible injection points. The vulnerability achieves scope change with high confidentiality impact, enabling cross-boundary data exfiltration from the WordPress database. EPSS data unavailable; not currently listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis, though the unauthenticated remote attack vector presents significant risk for WordPress installations using this plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-59557 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection.This issue affects Learts Addons: from n/a through < 1.7.5.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-49931 CRITICAL Act Now

Blind SQL injection in Crocoblock JetSearch plugin (WordPress) versions up to 3.5.10 allows unauthenticated remote attackers to extract database contents via crafted search queries. The vulnerability carries a critical CVSS 9.3 score due to network-based exploitation requiring no authentication or user interaction, though EPSS exploitation probability remains low at 0.04% (12th percentile), and no public exploit identified at time of analysis. The flaw enables data exfiltration from WordPress databases hosting sites using the vulnerable search plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-52758 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-62023 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905.

Code Injection RCE
NVD
CVSS 3.1
9.0
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy