WordPress Time Capsule Plugin 1.21.16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain administrative access by sending a crafted POST request with the. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Denial of service and potential memory corruption in vLLM versions 0.10.2 through 0.12.x stems from missing sparse tensor validation in multimodal embeddings processing, allowing authenticated remote users to submit crafted prompt-embedding requests with malformed tensor indices. Because PyTorch disables sparse tensor invariant checks by default, attackers can crash the inference server or exhaust resources, with potential out-of-bounds or write-what-where memory corruption. No public exploit identified at time of analysis; this continuation of CVE-2025-62164 addresses the root cause that the prior fix only masked by disabling the feature by default.
Account takeover in Capgo before 12.128.12 allows authenticated low-privileged users to hijack other users' SSO identities by abusing the SSO provisioning endpoint's reliance on a user-mutable email field as an account-merge key. By updating their own public.users.email to a target's corporate SSO address before the victim's first SSO login, an attacker causes the provision-user flow to merge the victim's federated identity into the attacker-controlled account. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated information disclosure in AVideo through 26.0 exposes payment transaction records via multiple list.json.php endpoints in the PayPalYPT, AuthorizeNet, and BTCPayments plugins that lack User::isAdmin() authorization checks. Remote attackers can issue direct GET requests to harvest PayPal billing agreement IDs, Express Checkout tokens, Authorize.Net webhook payloads, and Bitcoin transaction records without credentials. No public exploit identified at time of analysis, but the GHSA advisory from WWBN/AVideo and VulnCheck disclosure provide full endpoint paths sufficient for trivial reproduction.
Privilege escalation in Capgo before 12.128.2 allows holders of app-limited API keys to mint new unrestricted keys via the POST /functions/v1/apikey endpoint by submitting empty limit fields. The flaw effectively bypasses the API key scoping model, granting org-wide access to app listings and other protected resources from any compromised low-privilege key. No public exploit identified at time of analysis, but a vendor advisory (GHSA-2ff8-7h96-hwfp) and a VulnCheck writeup confirm the issue.
Unauthenticated information disclosure in Capgo before 12.128.2 lets remote attackers enumerate organizations and reveal billing status by invoking the Supabase PostgREST RPC endpoints is_trial_org and is_paying_org with the publicly distributed sb_publishable key. The flaw is reachable directly over the network without credentials and produces distinguishable responses that identify paying customers, enabling targeted profiling; no public exploit identified at time of analysis.
Arbitrary file deletion in the Database for Contact Form 7, WPforms, Elementor forms WordPress plugin (versions ≤1.5.1) allows remote unauthenticated attackers to poison form entries with traversal payloads that, when later viewed by an administrator, delete arbitrary server files and can be escalated to remote code execution by removing wp-config.php. Reported by Wordfence with publicly available exploit code exists via the Wordfence advisory; no public exploit identified at time of analysis as weaponized in-the-wild attacks, and the issue is not in CISA KEV.
Authorization bypass in Apache NiFi 1.12.0 through 2.9.0 allows authenticated users with general write access to add Restricted-annotated extension components when replacing Process Groups, despite lacking the explicit Restricted-component privilege. The flaw stems from the framework failing to enforce Restricted-annotation checks during Process Group replacement, effectively letting privileged-component installation bypass its intended authorization boundary. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated arbitrary file deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows remote attackers to delete any file the web server can write to, including wp-config.php, which can escalate to remote code execution. The flaw lives in the eeSFL_DeleteFile function and is reachable via the simplefilelist_edit_job AJAX action registered through wp_ajax_nopriv_, with the is_admin() guard rendered ineffective because that function always returns true on admin-ajax.php. No public exploit identified at time of analysis, but the trivial reachability and high-value target (WordPress) make weaponization straightforward.
Arbitrary file modification and deletion in the Simple File List WordPress plugin (versions up to and including 6.3.7) allows unauthenticated remote attackers to alter or remove files on the server. The flaw stems from a broken authorization guard where an is_admin() check short-circuits before the AllowFrontManage setting is evaluated, leaving every installation exposed regardless of configuration. No public exploit identified at time of analysis, but the bug is reachable on default settings and was disclosed by Wordfence.