Unauthenticated information disclosure in WordPress Easy Appointments plugin ≤3.12.21 exposes customer appointment data via unprotected REST API endpoint. Remote attackers without authentication can extract full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information through `/wp-json/wp/v2/eablocks/ea_appointments/`. CVSS score 7.5 (High) with EPSS data not yet available. Patch released in version 3.12.22 per WordPress plugin repository changeset. No active exploitation confirmed (not in CISA KEV), but the trivial exploit complexity (AV:N/AC:L/PR:N/UI:N) and privacy impact make this a priority for sites handling sensitive appointment data.
File upload validation bypass in Postiz social media scheduler (versions before 2.21.6) allows authenticated users to upload executable file types (HTML, SVG) with spoofed Content-Type headers, achieving stored XSS when nginx serves files using their original extensions. Attackers can hijack sessions and take over other user accounts. CVSS 8.9 (High) reflects network attack vector with low complexity requiring only low-privilege authentication and user interaction. EPSS data not provided. Not listed in CISA KEV. Vendor patch released in version 2.21.6.
Remote code execution in CMP - Coming Soon & Maintenance Plugin by NiteoThemes for WordPress (versions ≤4.1.16) allows authenticated attackers with Administrator-level privileges to upload and execute arbitrary PHP code via a malicious ZIP file. The vulnerability stems from insufficient capability checking (publish_pages instead of manage_options) and absent file validation in the cmp_theme_update_install AJAX action. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No CISA KEV listing or public exploit code identified at time of analysis, suggesting limited real-world exploitation despite the high severity rating. Wordfence Threat Intelligence disclosed this vulnerability with detailed source code references.
Privilege escalation in Movary (self-hosted movie tracking app) versions before 0.71.1 allows any authenticated user to create administrator accounts and access user-management functions. The vulnerability stems from missing middleware enforcement and a broken boolean condition in authorization checks for /settings/users endpoints. Attack requires only low-privilege authenticated access (CVSS PR:L) with no user interaction (UI:N), enabling complete system takeover (C:H/I:H/A:H). Vendor has released patch version 0.71.1. No public exploit identified at time of analysis, but exploitation is trivial given the simple bypass mechanism.
Command injection in Apache Airflow's BashOperator documentation example allows authenticated attackers to escalate privileges from UI user to worker-level code execution. Affects all Airflow versions before 3.2.0. The vulnerability stems from documentation suggesting unsafe handling of dag_run.conf parameters, which organizations may have replicated in production DAGs. EPSS score of 0.03% indicates low observed exploitation probability, though the upstream fix (PR #64129) demonstrates vendor acknowledgment and remediation.
{userId}` with `isAdmin=true` for their own user ID, low-privilege users gain full administrative access. Movary versions prior to 0.71.1 are affected. Vendor-released patch version 0.71.1 available. EPSS data not provided; no CISA KEV listing identified. GitHub references include security advisory GHSA-mcfq-8rx7-w25v and fix commit 12c8a090.
Stack-based buffer overflow in editorconfig-core-c library (versions ≤0.12.10) enables local attackers to crash applications or potentially execute arbitrary code via maliciously crafted .editorconfig files and directory structures. This incomplete fix for CVE-2023-0341 left the l_pattern[8194] stack buffer unprotected while only addressing the pcre_str buffer in version 0.12.6. Patched in version 0.12.11. No active exploitation confirmed (not in CISA KEV), but publicly exploitable with local access and minimal complexity (CVSS AV:L/AC:L/PR:N).
Cross-Site Request Forgery (CSRF) in ChurchCRM versions before 7.2.0 allows remote attackers to permanently delete family records and all associated data (notes, pledges, persons, property) through the SelectDelete.php endpoint. The endpoint executes irreversible deletions via unauthenticated GET requests without CSRF token validation, requiring only that an authenticated administrator visit a malicious page. Attackers can weaponize this via phishing emails or malicious websites to trigger silent data destruction. Fixed in version 7.2.0 via PR #8613 and commit 3936162. No KEV listing or public POC identified at time of analysis, though exploitation is trivial given the simplicity of CSRF attacks against GET endpoints.
Server-Side Request Forgery in Movary movie tracking application allows authenticated users to probe internal networks and metadata endpoints. The /settings/jellyfin/server-url-verify endpoint accepts user-controlled URLs without validating against private IP ranges, enabling internal reconnaissance through the server's context. Affects all versions prior to 0.71.1. EPSS data not available, but exploitation requires only low-privilege authentication (CVSS PR:L) with no attack complexity, making this readily exploitable by any registered user. Upstream fix confirmed in version 0.71.1 via GitHub commit d459b35.
Path traversal in SecureDrop Client 0.17.4 and below allows a compromised SecureDrop Server to execute arbitrary code on journalist workstations by injecting malicious filenames during gzip archive extraction. The vulnerability enables overwriting the SQLite database and other critical files in the sd-app VM, potentially exposing decrypted source submissions. Fixed in version 0.17.5. No active exploitation confirmed (not in CISA KEV). CVSS 7.5 reflects high impact but complex attack chain requiring prior server compromise and user interaction. EPSS data not available, but real-world risk is constrained by the requirement to first breach a Tor-hidden, hardened server infrastructure.
Apache Airflow before 3.2.0 exposes SQL exception stack traces through API responses despite api/expose_stack_traces=false configuration, allowing remote unauthenticated attackers to enumerate database schema details, table names, query structure, and internal filesystem paths. CVSS 7.5 (High) with network vector and no authentication required. EPSS score of 0.02% (4th percentile) indicates low probability of widespread exploitation. Vendor patch available in Airflow 3.2.0 per Apache advisory. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.
Apache Airflow 3.0.x prior to 3.2.0 allows remote unauthenticated attackers to trigger unauthorized DAG (Directed Acyclic Graph) execution via the UI or API, bypassing asset materialize permission checks. Despite CVSS 7.5 HIGH, the CVSS vector (PR:N) contradicts the description's requirement for 'UI/API user with asset materialize permission', suggesting authentication IS required-a critical discrepancy that demands verification. EPSS of 0.01% (3rd percentile) indicates minimal observed exploitation activity. Vendor-released patch available in Airflow 3.2.0 per Apache advisory.
Deserialization vulnerability in Apache Airflow webserver (all versions before 3.2.0) allows network-accessible attackers to execute arbitrary code by injecting malicious XCom payloads, despite vendor-assigned Low severity due to the trusted Dag Author threat model. CVSS 9.8 Critical rating reflects unauthenticated network-based RCE capability (AV:N/PR:N), contradicting the description's trust assumption. EPSS 0.07% (22nd percentile) suggests low immediate exploitation likelihood. No active exploitation confirmed; vendor patch available in version 3.2.0 with public GitHub PR.
Consensus-breaking cache logic error in Zcash Zebra node software (all versions <4.3.1) allows malicious miners to partition the network by mining blocks containing height-invalid transactions. By submitting a transaction valid at height H+1 but invalid at H+2, then mining it into block H+2 and submitting that block before H+1, attackers trigger cached verification bypass-vulnerable Zebra nodes accept the invalid block while honest nodes reject it, creating a consensus split. This enables double-spend attacks against isolated nodes. EPSS data unavailable; not in CISA KEV. Classified as CWE-1025 (comparison logic error). Fixed in Zebra 4.3.1 by removing the risky cache optimization entirely.
{personId} API endpoint. While legacy UI enforces canEditPerson() checks, the API layer completely omits these authorization controls, enabling horizontal privilege escalation. Fixed in version 7.2.0. CVSS 7.1 (AV:N/AC:L/PR:L) indicates network-accessible exploitation by any low-privileged authenticated user with no technical complexity. EPSS data unavailable; no KEV listing or public POC identified at time of analysis, though the fix commit and GitHub advisory provide full technical details for replication.
SQL injection in ChurchCRM's FinancialService getMemberByScanString() method allows authenticated attackers to exfiltrate sensitive database contents and modify limited data. Affects ChurchCRM versions prior to 7.2.0. The vulnerability stems from unsanitized $routeAndAccount parameter concatenated directly into SQL queries without parameterization. Fixed via commit 214694eb and pull request #8607. EPSS data not available. Not listed in CISA KEV. Public exploit code exists (GitHub advisory GHSA-hc37-vx3w-34fg with PoC). CVSS 7.1 reflects network-accessible attack requiring low-privileged authentication with high confidentiality impact and low integrity impact.