THREAT ALERT

EMERGENCY CVE-2025-53521 9.3 F5 BIG-IP APM (Access Policy Manager) contains a remote code execution vulnerability triggered by specific malicious traffic when an access policy is configured on a virtual server. | ACT NOW CVE-2025-49844 9.9 UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available. | ACT NOW CVE-2025-60787 7.2 MotionEye video surveillance software version 0.43.1b4 and earlier contains an authenticated OS command injection via configuration parameters such as image_file_name. Admin users can inject commands that execute when the Motion daemon restarts, achieving code execution on the surveillance server. |

Daily vulnerability intelligence for defenders – fresh CVEs with exploitability signals, patch status, and action-oriented priorities from 17 sources.

CVEs published

Track vulnerabilities that matter to your stack

Personalized alerts, dashboards, and weekly digests – free.

Trending Now

Critical Watch

Attack Technique Trend

Prediction based on ZDI Disclosures & CVE data · 30 days

Analytics

Vendor Today – Quick Filter

Techniques

results

Sort:

Base Score

Vector String

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality (C)

Integrity (I)

Availability (A)

0 | 3.9| 6.9| 8.9| 10

NONE LOW MEDIUM HIGH CRITICAL

CVSS Filter – CVEs match

No CVEs match the selected criteria

Browse older vulnerabilities in Archive

Live Feed auto-refresh 60s

Vulnerability Intelligence — November 01, 2025

34 CVEs tracked today. 5 Critical, 9 High, 18 Medium, 2 Low.

CVE-2025-12601 CRITICAL CVSS 10.0
Denial of Service Due to SlowLoris.19.5; BLU-IC4: through 1.19.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Blu Ic2 Firmware Blu Ic4 Firmware
CVE-2025-12600 CRITICAL CVSS 10.0
Web UI Malfunction when setting unexpected locale via API.19.5; BLU-IC4: through 1.19.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Blu Ic2 Firmware Blu Ic4 Firmware
CVE-2025-12599 CRITICAL CVSS 10.0
Multiple Devices are Sharing the Same Secrets for SDKSocket (TCP/5000).19.5; BLU-IC4: through 1.19.5. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Blu Ic2 Firmware Blu Ic4 Firmware
CVE-2025-11833 CRITICAL CVSS 9.8
The Post SMTP - Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.8% and no vendor patch available.

WordPress Authentication Bypass PHP
CVE-2025-11499 CRITICAL CVSS 9.8
The Tablesome Table - Contact Form DB - WPForms, CF7, Gravity, Forminator, Fluent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload RCE WordPress PHP
CVE-2025-36367 HIGH CVSS 8.8
IBM i 7.6, 7.5, 7.4, 7.3, and 7.2 is vulnerable to privilege escalation caused by an invalid IBM i SQL services authorization check. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass IBM Privilege Escalation
CVE-2025-12171 HIGH CVSS 8.8
The RESTful Content Syndication plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ingest_image() function in versions 1.1.0 to 1.5.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload RCE WordPress PHP
CVE-2025-11995 HIGH CVSS 7.2
The Community Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event details parameter in all versions up to, and including, 1.5.2 due to insufficient input sanitization. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-11920 HIGH CVSS 8.8
The WPCOM Member plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.7.14 via the action parameter in one of its shortcodes. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Lfi WordPress Information Disclosure RCE PHP
CVE-2025-11755 HIGH CVSS 8.8
The WP Delicious - Recipe Plugin for Food Bloggers (formerly Delicious Recipes) plugin for WordPress is vulnerable to arbitrary file uploads when importing recipes via CSV in all versions up to, and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload PHP RCE WordPress
CVE-2025-10487 HIGH CVSS 7.3
The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.0.12 via the select_one() function. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Information Disclosure RCE Code Injection PHP
CVE-2025-6990 HIGH CVSS 8.8
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress RCE Code Injection PHP
CVE-2025-6574 HIGH CVSS 8.8
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and excluding, 6.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
CVE-2025-5949 HIGH CVSS 8.8
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation PHP
CVE-2025-62276 MEDIUM CVSS 4.6
The Document Library and the Adaptive Media modules in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through. Rated medium severity (CVSS 4.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Digital Experience Platform Liferay Portal
CVE-2025-62275 MEDIUM CVSS 6.9
Blogs in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 GA through update 92, and older. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Digital Experience Platform Liferay Portal
CVE-2025-12367 MEDIUM CVSS 4.3
The SiteSEO - SEO Simplified plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.3.1. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
CVE-2025-12180 MEDIUM CVSS 4.3
The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
CVE-2025-12137 MEDIUM CVSS 4.9
The Import WP - Export and Import CSV and XML files to WordPress plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 2.14.16. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
CVE-2025-12118 MEDIUM CVSS 6.4
The Schema Scalpel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-12090 MEDIUM CVSS 6.4
The Employee Spotlight - Team Member Showcase & Meet the Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Social URLs in all versions up to, and including, 5.1.2 due. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-12038 MEDIUM CVSS 4.3
The Folderly plugin for WordPress is vulnerable to unauthorized modification of data due to an insufficient capability check on the /wp-json/folderly/v1/config/clear-all-data REST API endpoint in all. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
CVE-2025-11983 MEDIUM CVSS 4.3
The WP Discourse plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.5.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
CVE-2025-11928 MEDIUM CVSS 4.4
The CSS & JavaScript Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 12.0.5 due to insufficient input sanitization. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

WordPress XSS PHP
CVE-2025-11927 MEDIUM CVSS 4.4
The Flying Images: Optimize and Lazy Load Images for Faster Page Speed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including,. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

WordPress XSS PHP
CVE-2025-11922 MEDIUM CVSS 6.4
The Inactive Logout plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ina_redirect_page_individual_user' parameter in all versions up to, and including, 3.5.5 due to. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-11816 MEDIUM CVSS 5.3
The Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
CVE-2025-11740 MEDIUM CVSS 6.5
The wpForo Forum plugin for WordPress is vulnerable to SQL Injection via the Subscriptions Manager in all versions up to, and including, 2.4.9 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi PHP
CVE-2025-11502 MEDIUM CVSS 6.4
The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'saswp_tiny_multiple_faq' shortcode in all versions up to, and including,. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-11377 MEDIUM CVSS 4.3
The List category posts plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 0.92.0 via the 'catlist' shortcode due to insufficient restrictions on which. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Information Disclosure PHP
CVE-2025-11174 MEDIUM CVSS 5.3
The Document Library Lite plugin for WordPress is vulnerable to Improper Authorization in all versions up to, and including, 1.1.6. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress Authentication Bypass PHP
CVE-2025-6988 MEDIUM CVSS 6.4
The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress XSS PHP
CVE-2025-12603 LOW CVSS 2.3
/etc/timezone can be Arbitrarily Written.19.5; BLU-IC4: through 1.19.5. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Buffer Overflow Blu Ic2 Firmware Blu Ic4 Firmware
CVE-2025-12602 LOW CVSS 2.3
/etc/avahi/services/z9.service can be Arbitrarily Written.19.5; BLU-IC4: through 1.19.5. Rated low severity (CVSS 2.3), this vulnerability is remotely exploitable. No vendor patch available.

Memory Corruption Buffer Overflow Blu Ic2 Firmware Blu Ic4 Firmware

Today's Vulnerabilities Vulnerabilities