Arbitrary command execution in MineAdmin v3.x arises from insecure permissions on its scheduled-tasks (cron) feature, letting attackers inject and run OS-level commands (CWE-94) and pivot to full account takeover. Any deployment of the MineAdmin 3.x backend administration framework is affected. The referenced GitHub Gist appears to document the technique; no CISA KEV listing exists, and EPSS is low at 0.47% (37th percentile), indicating no confirmed widespread exploitation yet.
Arbitrary file deletion in Multi Uploader for Gravity Forms (WordPress plugin ≤1.1.7) allows unauthenticated remote attackers to delete any file on the server through insufficient path validation in the plupload_ajax_delete_file function. Exploitation requires no credentials or user interaction. CVSS 9.8 Critical severity reflects network-accessible attack with high impact to confidentiality, integrity, and availability. Low observed exploitation activity (EPSS 0.37%). No public exploit identified at time of analysis.