2026-07-17
Privilege escalation and full site takeover affects the AI Copilot WordPress plugin before 1.5.4, which fails to bind OAuth access tokens to a specific WordPress user and treats any valid token as an administrator session. An unauthenticated attacker who completes the plugin's public OAuth flow can invoke privileged MCP (Model Context Protocol) tools as an administrator, creating new users and escalating roles. Publicly available exploit code exists and the flaw carries a CVSS 9.8; no active exploitation has been confirmed (not in CISA KEV).
Unauthenticated privilege escalation in the Bricksforge WordPress plugin (versions ≤ 3.1.8.6) lets remote attackers create a new administrator account by abusing the Pro Forms User Registration action. The plugin fails to validate the fieldIds parameter, so attacker-supplied field IDs are injected into the trusted form-field whitelist, enabling mass-assignment of a privileged role. No public exploit has been identified at time of analysis, but the flaw is trivially exploitable (CVSS 9.8) on any site exposing a Pro Forms registration element.
Privilege escalation in the Aimogen Pro (Aiomatic) all-in-one AI toolkit plugin for WordPress affects all versions through 2.8.4 and lets unauthenticated attackers create administrator accounts. The 'aiomatic_call_google_ai_function' AJAX handler lacks a capability check, allowing the 'aimogen_wp_god_mode' tool to clear function blacklists and invoke arbitrary PHP functions. No public exploit identified at time of analysis, but the pre-auth nature and 9.8 CVSS make this a full-site-takeover risk.
Authentication bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets a remote, unauthenticated attacker change a victim's password without verifying the existing credential (CWE-620), enabling full account takeover. Reported by Turkey's national CERT (TR-CERT/USOM) and rated CVSS 9.8, the flaw grants complete control over targeted accounts. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
SQL injection in GisLab Laboratory Management System (versions 1.4.03 through 08072026) allows remote unauthenticated attackers to inject arbitrary SQL commands via improperly neutralized special elements, per a TR-CERT advisory (TR-26-0573). The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H, 9.8) indicates full compromise of the backend database with no authentication or user interaction. No public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
XML External Entity injection in the libpve-storage-perl library (the storage-management Perl backend of Proxmox VE) affects builds identified as libpvestorage-perl v9.1.1 and libpve-storage-perl v8.3.7, per MITRE. An attacker able to submit crafted XML to an affected storage-handling code path can force the parser to resolve external entities, enabling arbitrary local file disclosure and potential SSRF or denial of service. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV; EPSS was not provided.
Authorization bypass in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) lets remote unauthenticated attackers manipulate a user-controlled key (an IDOR-style reference) to reach functionality that should be restricted by access-control lists. Reported to Turkey's national CSIRT (USOM) with a CVSS 9.4, it enables reading and altering other tenants'/users' resources; no public exploit identified at time of analysis and the flaw is not in CISA KEV.
Unauthenticated SQL injection in Sangoma Switchvox SMB Edition 8.3 (build 104997) lets remote attackers execute arbitrary SQL against the backend PostgreSQL database via the /pa endpoint, which concatenates the attacker-supplied PhoneIP value from a <PolycomIPPhone> XML body into queries without parameterization. Because SQL access on this PostgreSQL deployment can be escalated to command execution, a single crafted, unauthenticated request yields full database compromise and remote code execution on the VoIP appliance. There is no public exploit identified at time of analysis, though vendor SRA published a technical writeup, and the CVSS 4.0 base score is 9.3 (Critical).
Session forgery in the clawvet self-hosted API server (apps/api) before 0.7.5 lets a remote unauthenticated attacker fully impersonate any user and steal their secret apiKey. The server ships a hard-coded fallback JWT secret ('clawvet-dev-secret-change-me') in auth.ts and .env.example, while an unauthenticated GET /api/v1/scans endpoint leaks victim userId values; combining these, an attacker forges a valid HS256 cg_session cookie offline and calls GET /api/v1/auth/me to exfiltrate the victim's email, subscription plan, and API key. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the technique is fully described and trivially reproducible; only the self-hosted API is affected, not the published clawvet npm CLI package.
Two-factor authentication bypass in Grav CMS before 2.0.4 lets an attacker who already knows a victim's password overwrite that user's TOTP secret and log in with full 2FA protection stripped away. During the pending TOTP challenge window the login plugin's regenerate2FASecret task verifies only that the user exists — not that the caller is authorized — and requires no CSRF nonce, so the attacker sets an attacker-chosen secret, computes a valid code, and completes login. VulnCheck-reported and CVSS 4.0 scored 9.1; no public exploit identified at time of analysis.
Improper access control in Vimesoft Enterprise Video Platform (versions 3.11.0.0 up to but not including 3.25.0) allows remote unauthenticated attackers to invoke privileged functionality that is not properly constrained by access control lists. Because the missing authorization check exposes state-changing operations, an attacker can modify or disrupt platform data and availability without credentials. This was reported by Turkey's national CSIRT (USOM); no public exploit has been identified at time of analysis and no EPSS or CISA KEV data is available.