Internet Storm Center Spotlight


ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers. https://isc.sans.edu/about.html

Experimental Suspicious Domain Feed

Published: 2025-07-13

Last Updated: 2025-07-13 23:33:36 UTC

by Johannes Ullrich (Version: 1)

We have had a "newly registered domain" feed for a few years. This feed pulls data from ICANN's centralized zone data service (https://czds.icann.org) and TLS certificate transparency logs.

The ICANN CZDS is a good start, but it only offers data from top-level domains collaborating with ICANN. Missing are in particular country-level domains. Country-level zone files can be hard to come by, so we use TLS certificate transparency logs as a "cheap" alternative. Pretty much all domain registrars will, by default, create a "parked" website, and with that, they will make a certificate. Even if they do not, any halfway self-respecting phishing site will use TLS and register a certificate with a public certificate authority at one point. The TLS certificate transparency logs also help capture older domains.

Each day, we capture around 250,000 new domains using this system. But of course, we want to know which domains are used for malicious purposes. However, as the sample below shows, there are a lot of "odd" domain names ...

Read the full entry: https://isc.sans.edu/diary/Experimental+Suspicious+Domain+Feed/32102/

SSH Tunneling in Action: direct-tcp requests [Guest Diary]

Published: 2025-07-09

Last Updated: 2025-07-10 21:22:00 UTC

by Guy Bruneau (Version: 1)

[This is a Guest Diary by Sihui Neo, an ISC intern as part of the SANS.edu BACS program]

As part of the SANS degree program curriculum, I had the opportunity to set up a honeypot to monitor log activities mimicking a vulnerable server. I used the AWS free tier EC2 instance to set up the honeypot sensor in Japan and deployed Cowrie, an SSH and Telnet honeypot designed to log brute force attacks and shell interaction performed by an attacker.

In addition to the sensor setup, to allow me to easily look at all the logs in a single platform, I purchased a separate virtual private server and installed ELK SIEM, following the setup instructions on ISC mentor Guy Bruneau’s GitHub page. I then set up the sensor to send all logs to the SIEM server.

Since the setup of the honeypot, one of the interesting observations in logs was direct-tcp connection requests. More than 1000 different IPs within a month were seen to have made these requests and more than 75% were made to a single destination IP. In this post, I’ll cover how and why these connections are set up, and where the destination IP points to.

What did the logs look like? ...

Read the full entry: https://isc.sans.edu/diary/SSH+Tunneling+in+Action+directtcp+requests+Guest+Diary/32094/
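As an added example that is not part of the guest diary, the script below shows how a defender could pull the direct-tcp observations described above out of Cowrie's JSON log: it counts distinct source IPs per forwarding destination and flags the pattern of many sources forwarding to one destination. It assumes Cowrie's JSON output, where forwarding attempts carry the eventid `cowrie.direct-tcpip.request` with `src_ip`, `dst_ip` and `dst_port` fields; the log lines are constructed for illustration.

```python
"""Summarise Cowrie direct-tcpip (SSH port-forwarding) requests.

Added example, not code from the diary or the Cowrie project. Assumes
Cowrie's JSON log format: one event per line, forwarding attempts logged
with eventid "cowrie.direct-tcpip.request" and src_ip/dst_ip/dst_port.
"""
import json
from collections import Counter

# Constructed sample of cowrie.json lines (documentation IP ranges, not real data).
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","src_ip":"203.0.113.10","session":"a1","timestamp":"2025-06-01T01:00:00Z"}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.10","dst_ip":"198.51.100.5","dst_port":443,"session":"a1","timestamp":"2025-06-01T01:00:02Z"}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.11","dst_ip":"198.51.100.5","dst_port":443,"session":"b2","timestamp":"2025-06-01T02:00:02Z"}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.12","dst_ip":"198.51.100.5","dst_port":25,"session":"c3","timestamp":"2025-06-01T03:00:02Z"}
{"eventid":"cowrie.direct-tcpip.request","src_ip":"203.0.113.13","dst_ip":"192.0.2.77","dst_port":80,"session":"d4","timestamp":"2025-06-01T04:00:02Z"}
{"eventid":"cowrie.login.success","src_ip":"203.0.113.13","username":"root","session":"d4","timestamp":"2025-06-01T04:00:01Z"}
not json at all
"""

DIRECT_TCPIP = "cowrie.direct-tcpip.request"


def parse_events(lines):
    """Yield direct-tcpip request events; skip malformed or unrelated lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial lines after log rotation are common; ignore them
        if ev.get("eventid") != DIRECT_TCPIP:
            continue
        if "src_ip" not in ev or "dst_ip" not in ev:
            continue
        yield ev


def summarise(lines):
    """Return request count, distinct sources, per-destination counts and top-destination share."""
    sources = set()
    dests = Counter()
    dest_ports = Counter()
    for ev in parse_events(lines):
        sources.add(ev["src_ip"])
        dests[ev["dst_ip"]] += 1
        dest_ports[(ev["dst_ip"], ev.get("dst_port"))] += 1
    total = sum(dests.values())
    top_dst, top_count = dests.most_common(1)[0] if dests else (None, 0)
    return {
        "requests": total,
        "distinct_sources": len(sources),
        "destinations": dict(dests),
        "dest_ports": dict(dest_ports),  # keys are (dst_ip, dst_port)
        "top_destination": top_dst,
        "top_share": (top_count / total) if total else 0.0,
    }


def flag_concentrated_forwarding(stats, share_threshold=0.75, min_sources=10):
    """True when many distinct sources forward mostly to a single destination."""
    return (stats["distinct_sources"] >= min_sources
            and stats["top_share"] >= share_threshold)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.splitlines())
    print(f"{stats['requests']} direct-tcpip requests from {stats['distinct_sources']} sources")
    for dst, n in sorted(stats["destinations"].items(), key=lambda kv: -kv[1]):
        print(f"  {dst:<16} {n:>4}  ({n / stats['requests']:.0%})")
    print("concentrated forwarding:", flag_concentrated_forwarding(stats, min_sources=3))
```

Point `summarise()` at the lines of a real `cowrie.json` to reproduce the per-destination breakdown; the `min_sources` threshold is set low only so the constructed sample trips the flag.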

More Free File Sharing Services Abuse

Published: 2025-07-16

Last Updated: 2025-07-16 13:00:28 UTC

by Xavier Mertens (Version: 1)

A few months ago, I wrote a diary about online services used to exfiltrate data. In this diary, I mentioned some well-known services. One of them was catbox[.]moe. Recently, I found a sample that was trying to download some payload from this website. I did some quick research and collected more samples!

I collected (and stopped because it was a constant flood!) 612 URLs pointing to direct downloads (hxxps://files[.]catbox[.]moe/xxxxxx). Some were popular and used by multiple samples ...

Read the full entry: https://isc.sans.edu/diary/More+Free+File+Sharing+Services+Abuse/32112/

Internet Storm Center Entries


Keylogger Data Stored in an ADS (2025.07.15)

https://isc.sans.edu/diary/Keylogger+Data+Stored+in+an+ADS/32108/

DShield Honeypot Log Volume Increase (2025.07.14)

https://isc.sans.edu/diary/DShield+Honeypot+Log+Volume+Increase/32100/

Setting up Your Own Certificate Authority for Development: Why and How. (2025.07.09)

https://isc.sans.edu/diary/Setting+up+Your+Own+Certificate+Authority+for+Development+Why+and+How/32092/

Recent CVEs


The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.

CVE-2025-47812 - Wing FTP Server before 7.4.4 allows injection of arbitrary Lua code into user session files, leading to remote code execution and total server compromise via anonymous FTP accounts.

Product: Wftpserver Wing FTP Server

CVSS Score: 10.0

** KEV since 2025-07-14 **

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47812

ISC Podcast: https://isc.sans.edu/podcastdetail/9524

NVD References:

- https://www.rcesecurity.com/2025/06/what-the-null-wing-ftp-server-rce-cve-2025-47812/

- https://www.wftpserver.com

- https://www.huntress.com/blog/wing-ftp-server-remote-code-execution-cve-2025-47812-exploited-in-wild

CVE-2025-42963 - SAP NetWeaver Application server for Java Log Viewer allows authenticated administrators to exploit unsafe Java object deserialization, enabling full operating system compromise and granting attackers complete control over the affected system, severely impacting confidentiality, integrity, and availability.

Product: SAP NetWeaver Application server

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42963

NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-42964 - SAP NetWeaver Enterprise Portal Administration is vulnerable to content upload attacks that could compromise system security.

Product: SAP NetWeaver Enterprise Portal Administration

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42964

NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-42966 - SAP NetWeaver XML Data Archiving Service is vulnerable to an insecure Java deserialization issue, potentially enabling an authenticated attacker with administrative privileges to compromise the confidentiality, integrity, and availability of the application.

Product: SAP NetWeaver XML Data Archiving Service

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42966

NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-42967 - SAP S/4HANA and SAP SCM Characteristic Propagation allows remote code execution, granting attackers full control of the system and compromising the confidentiality, integrity, and availability of the application.

Product: SAP S/4HANA

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42967

NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-42980 - SAP NetWeaver Enterprise Portal Federated Portal Network is vulnerable to a potential compromise of confidentiality, integrity, and availability when a privileged user uploads untrusted or malicious content.

Product: SAP NetWeaver Enterprise Portal

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42980

NVD References: https://url.sap/sapsecuritypatchday

CVE-2025-20680 - Bluetooth driver may allow an out-of-bounds write, enabling local privilege escalation without user interaction. Patch ID: WCNCR00418044; Issue ID: MSV-3482.

Product: Mediatek Nbiot SDK

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20680

NVD References: https://corp.mediatek.com/product-security-bulletin/July-2025

CVE-2025-20681 - The wlan AP driver allows for a possible out of bounds write leading to local privilege escalation without user interaction.

Product: Mediatek Software Development Kit

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20681

NVD References: https://corp.mediatek.com/product-security-bulletin/July-2025

CVE-2025-20682, CVE-2025-20683, CVE-2025-20684 - Wlan AP driver has potential out-of-bounds write vulnerabilities allowing local privilege escalation without user interaction.

Product: Mediatek Software Development Kit

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20682

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20683

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20684

NVD References: https://corp.mediatek.com/product-security-bulletin/July-2025

CVE-2025-25270 - Phoenix Contact CHARX SEC-3xxx charging controllers are vulnerable to improper control of dynamically-managed code resources. An unauthenticated remote attacker can alter the device configuration in a way to get remote code execution as root with specific configurations.

Product: Phoenixcontact Charx Sec-3000

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-25270

NVD References: https://certvde.com/de/advisories/VDE-2025-019

CVE-2025-40736 - SINEC NMS (All versions < V4.0) allows unauthorized modification of administrative credentials, potentially granting full control to unauthenticated attackers.

Product: Siemens SINEC NMS

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40736

NVD References: https://cert-portal.siemens.com/productcert/html/ssa-078892.html

CVE-2025-21450 - Cryptographic issue occurs due to use of insecure connection method while downloading.

Product: Qualcomm GPS components

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-21450

NVD References: https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html

CVE-2025-47981 - Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network.

Product: Microsoft Windows 10 1507

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-47981

NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47981

CVE-2025-37103 - HPE Networking Instant On Access Points contain hard-coded login credentials, enabling unauthorized access and potential administrative control by remote attackers.

Product: HPE Networking Instant On Access Points

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-37103

NVD References: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us&docLocale=en_US

CVE-2025-49535 - ColdFusion versions 2025.2, 2023.14, 2021.20 and earlier are affected by an XXE vulnerability allowing for a security feature bypass, leading to potential information disclosure or denial of service attacks.

Product: Adobe ColdFusion

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49535

NVD References: https://helpx.adobe.com/security/products/coldfusion/apsb25-69.html

CVE-2025-27203 - Adobe Connect versions 24.0 and earlier are vulnerable to a Deserialization of Untrusted Data flaw allowing attackers to execute arbitrary code through user interaction.

Product: Adobe Connect

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27203

NVD References: https://helpx.adobe.com/security/products/connect/apsb25-61.html

CVE-2025-49533 - Adobe Experience Manager versions 6.5.23.0 and earlier are vulnerable to arbitrary code execution due to a Deserialization of Untrusted Data flaw, without requiring user interaction.

Product: Adobe Experience Manager (MS)

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49533

NVD References: https://helpx.adobe.com/security/products/aem-forms/apsb25-67.html

CVE-2025-7206 - D-Link DIR-825 2.10 is vulnerable to a critical remote stack-based buffer overflow in its httpd component, allowing for attacks if the Language argument is manipulated, but only affects unsupported products.

Product: D-Link DIR-825

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7206

CVE-2025-3498 - Radiflow iSAP Smart Collector (CentOS 7 - VSAP 1.20) is vulnerable to unauthorized access and modification through unauthenticated REST APIs on TCP ports 8084 and 8086.

Product: Radiflow iSAP Smart Collector

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3498

NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3498

CVE-2025-3499 - The device has two web servers with unauthenticated REST APIs vulnerable to OS command injection over TCP ports 8084 and 8086.

Product: Siemens RUGGEDCOM ROS

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3499

NVD References: https://www.cvcn.gov.it/cvcn/cve/CVE-2025-3499

CVE-2025-6514 - mcp-remote is vulnerable to OS command injection when connecting to untrusted MCP servers through crafted input in the authorization_endpoint response URL.

Product: mcp-remote MCP

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6514

CVE-2025-53546 - Folo’s feed content organization can be exploited through pull_request_target in .github/workflows/auto-fix-lint-format-commit.yml, granting attackers access to secrets and exfiltration of GITHUB_TOKEN with high privileges, fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a.

Product: GitHub Actions

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53546

CVE-2025-53624 - Docusaurus gists plugin versions prior to 4.0.0 inadvertently expose GitHub Personal Access Tokens in production build artifacts.

Product: Docusaurus docusaurus-plugin-content-gists

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53624

NVD References: https://github.com/webbertakken/docusaurus-plugin-content-gists/security/advisories/GHSA-qf34-qpr4-5pph

CVE-2025-23048 - Apache HTTP Server versions 2.4.35 through 2.4.63 are vulnerable to an access control bypass by trusted clients through TLS 1.3 session resumption.

Product: Apache HTTP Server mod_ssl

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-23048

NVD References: https://httpd.apache.org/security/vulnerabilities_24.html

CVE-2025-53371 - DiscordNotifications allows for DOS and SSRF vulnerabilities by sending requests to arbitrary URLs set via $wgDiscordIncomingWebhookUrl and $wgDiscordAdditionalIncomingWebhookUrls, potentially leading to RCE.

Product: MediaWiki DiscordNotifications

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53371

CVE-2025-2523 - The Honeywell Experion PKS and OneWireless WDM components are vulnerable to an Integer Underflow, leading to Communication Channel Manipulation and potential remote code execution.

Product: Honeywell Experion PKS

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-2523

CVE-2025-52579 - Emerson ValveLink Products fail to securely handle sensitive information stored in memory, potentially exposing it in various scenarios.

Product: Emerson ValveLink Products

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52579

NVD References:

- https://www.cisa.gov/news-events/ics-advisories/icsa-25-189-01

- https://www.emerson.com/en-us/support/security-notifications

CVE-2025-30023 - The vulnerable product allows authenticated users to execute remote code by exploiting a flaw in the communication protocol used between client and server.

Product: Nozomi Networks Guardian

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30023

NVD References: https://www.axis.com/dam/public/9b/a5/72/cve-2025-30023pdf-en-US-485733.pdf

CVE-2025-52950 - Juniper Networks Security Director has a Missing Authorization vulnerability that allows an attacker to access unauthorized data via the web interface, potentially leading to further compromises in downstream managed devices.

Product: Juniper Networks Security Director

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52950

NVD References: https://supportportal.juniper.net/JSA100054

CVE-2023-38036 - Ivanti Avalanche Manager before version 6.4.1 is vulnerable to a potential buffer overflow attack that could lead to service disruption or execution of arbitrary code by an unauthenticated attacker.

Product: Ivanti Avalanche

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38036

NVD References: https://forums.ivanti.com/s/article/Security-Advisory-Avalanche-CVE-2023-38036

CVE-2025-7451 - iSherlock by Hgiga is vulnerable to OS Command Injection, allowing remote attackers to execute arbitrary commands on the server.

Product: Hgiga iSherlock

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7451

NVD References:

- https://www.twcert.org.tw/en/cp-139-10238-f2bba-2.html

- https://www.twcert.org.tw/tw/cp-132-10237-9e0f7-1.html

CVE-2025-7574 - LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P and BL-WR9000 up to 20250702 are vulnerable to a critical improper authentication issue in the Web Interface, allowing remote attackers to launch attacks through the reboot/restore function of the file /cgi-bin/lighttpd.cgi.

Product: LB-LINK BL-AC1900, BL-AC2100_AZ3, BL-AC3600, BL-AX1800, BL-AX5400P, BL-WR9000

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7574

CVE-2025-50756 - Wavlink WN535K3 20191010 is susceptible to command injection via the newpass parameter, enabling attackers to run malicious commands through a crafted request.

Product: Wavlink WN535K3

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50756

CVE-2025-53825 - Dokploy allows unauthenticated users to execute arbitrary code and access sensitive environment variables through a preview deployment vulnerability, putting all public users at risk.

Product: Dokploy Platform as a Service (PaaS)

CVSS Score: 9.4

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53825

CVE-2025-53833 - LaRecipe version 2.8.1 allows for Server-Side Template Injection (SSTI) and potential Remote Code Execution (RCE) in vulnerable configurations.

Product: LaRecipe

CVSS Score: 10.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53833

NVD References: https://github.com/saleem-hadad/larecipe/security/advisories/GHSA-jv7x-xhv2-p5v2

CVE-2025-53835 - XWiki Rendering allows for XSS attacks in versions prior to 14.10 due to the `xdom+xml/current` syntax enabling insertion of arbitrary HTML content.

Product: XWiki Rendering

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53835

NVD References: https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-w3wh-g4m9-783p

CVE-2025-53836 - XWiki Rendering allows for execution of forbidden macros in restricted mode due to a vulnerability in versions prior to 13.10.11, 14.4.7, and 14.10, requiring comments to be disabled for untrusted users until an upgrade is completed.

Product: XWiki Rendering

CVSS Score: 9.9

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53836

NVD References: https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-32mf-57h2-64x9

CVE-2025-53890 - Pyload is vulnerable to an unsafe JavaScript evaluation exploit that allows unauthenticated attackers to execute malicious code, leading to potential session hijacking, credential theft, and remote code execution.

Product: Pyload Download Manager

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53890

CVE-2025-3621 - ActADUR local server product, developed and maintained by ProTNS, is vulnerable to Remote Code Inclusion due to Command Injection, Hard-coded Credentials, Improper Authentication, and Binding to an Unrestricted IP Address.

Product: ProTNS ActADUR

CVSS Score: 9.6

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-3621

CVE-2025-52376 - Nexxt Solutions NCM-X1800 Mesh Router firmware UV1.2.7 and below is vulnerable to an authentication bypass in the /web/um_open_telnet.cgi endpoint, enabling attackers to remotely activate Telnet without authentication and gain administrative control with hard-coded credentials.

Product: Nexxt Solutions NCM-X1800 Mesh Router

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-52376

NVD References: https://github.com/Vagebondcur/nexxt-solutions-NCM-X1800-exploits/blob/main/CVE-2025-52376/writeup.md

CVE-2025-41236 - VMware ESXi, Workstation, and Fusion are vulnerable to an integer-overflow flaw in the VMXNET3 virtual network adapter, allowing local admins to execute code on the host.

Product: VMware ESXi

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41236

NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

CVE-2025-41237 - VMware ESXi, Workstation, and Fusion are vulnerable to integer-underflow in VMCI, allowing a local attacker to execute code on the host.

Product: VMware ESXi, Workstation, Fusion

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41237

NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

CVE-2025-41238 - VMware ESXi, Workstation, and Fusion are vulnerable to a heap-overflow issue in the PVSCSI controller allowing local administrative actors to execute code on the host or machine.

Product: VMware ESXi

CVSS Score: 9.3

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41238

NVD References: https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877

CVE-2025-50067 - Oracle Application Express (component: Strategic Planner Starter App) versions 24.2.4 and 24.2.5 allow a low privileged attacker with network access to compromise the system, potentially resulting in a complete takeover.

Product: Oracle Application Express

CVSS Score: 9.0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50067

NVD References: https://www.oracle.com/security-alerts/cpujul2025.html

CVE-2025-5333 - Remote attackers can execute arbitrary code in the context of the vulnerable service process.

Product: Microsoft

Product name: Windows Operating System

CVSS Score: 0

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5333

ISC Podcast: https://isc.sans.edu/podcastdetail/9528

CVE-2025-4828 - The Support Board plugin for WordPress is vulnerable to arbitrary file deletion, allowing attackers to delete files on the server and potentially execute remote code.

Product: Schiocco Support Board

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4828

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/33989611-8640-4c33-a34e-14f10cd7286d?source=cve

CVE-2025-4855 - The Support Board plugin for WordPress is susceptible to unauthorized data access and manipulation due to hardcoded default secrets, potentially allowing unauthenticated attackers to execute arbitrary actions and exploit CVE-2025-4828.

Product: Schiocco Support Board

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4855

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/afd48bc8-d490-4a3e-97fc-70cf008cbf66?source=cve

CVE-2025-4606 - The Sala - Startup & SaaS WordPress Theme is vulnerable to privilege escalation through account takeover by allowing unauthenticated attackers to change any user's password, including administrators, in versions up to 1.1.4.

Product: The Sala Startup & SaaS WordPress Theme

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4606

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/aa385a1f-1623-4f0a-bb2f-d4564b8f91bf?source=cve

CVE-2025-7401 - The Premium Age Verification / Restriction for WordPress plugin is vulnerable to arbitrary file read and write, allowing unauthenticated attackers to access sensitive information or execute remote code.

Product: WordPress Premium Age Verification / Restriction_plugin

Active Installations: unknown

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7401

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/e0906a45-6d9b-48a0-98ae-df7b591a8848?source=cve

CVE-2020-36847 - The Simple-File-List Plugin for WordPress is vulnerable to Remote Code Execution via the rename function, allowing unauthenticated attackers to execute code on the server.

Product: WordPress Simple-File-List Plugin

Active Installations: 6,000+

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36847

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/9eb835fd-6ebf-4162-856c-0366b663a07e?source=cve

CVE-2020-36849 - The AIT CSV import/export plugin for WordPress allows arbitrary file uploads, potentially enabling remote code execution.

Product: AIT CSV import/export plugin

Active Installations: Unknown. Update to version 3.0.4, or a newer patched version

CVSS Score: 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2020-36849

NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/cece751c-400d-42b4-9438-950d5aca51fc?source=cve

CVE-2025-5393 & CVE-2025-5394 - Vulnerabilities in the Alone – Charity Multipurpose Non-profit WordPress Theme could be exploited by unauthenticated attackers to achieve remote code execution.

Product: Alone Charity Multipurpose Non-profit WordPress Theme

Active Installations: Unknown. Update to version 7.8.5, or a newer patched version

CVSS Score: 9.1

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5393

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5394

NVD References:

- https://www.wordfence.com/threat-intel/vulnerabilities/id/2cb1b526-0df6-42a1-9294-90bc61730209?source=cve

- https://www.wordfence.com/threat-intel/vulnerabilities/id/86f91589-b309-49aa-8b04-ca972acaf8fb?source=cve

CVE-2025-7340, CVE-2025-7341, CVE-2025-7360 - Multiple vulnerabilities in the HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder plugin for WordPress could allow unauthenticated attackers to potentially execute remote code.

Product: HT Plugins HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder

Active Installations: 10,000+

CVSS Scores: 9.1 - 9.8

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7340

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7341

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7360

NVD References:

- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0cb666b-bfab-492f-a74e-11dc9b171136?source=cve

- https://www.wordfence.com/threat-intel/vulnerabilities/id/32da04ba-bee3-4fd3-b91b-57e588d5f4e4?source=cve

- https://www.wordfence.com/threat-intel/vulnerabilities/id/dd42c83c-c51c-45a5-8ad5-0df2c0cc411d?source=cve

The following vulnerability needs a manual review:

CVE-2025-25257 - An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in FortiWeb may allow an unauthenticated attacker to execute unauthorized SQL code or commands via crafted HTTP or HTTPS requests.

Product: Fortinet FortiWeb Fabric Connector.

CVSS Score: 9.6

NVD: N/A

ISC Podcast: https://isc.sans.edu/podcastdetail/9524

NVD References:

- https://pwner.gg/blog/2025-07-10-fortiweb-fabric-rce

- https://fortiguard.fortinet.com/psirt/FG-IR-25-151

- https://labs.watchtowr.com/pre-auth-sql-injection-to-rce-fortinet-fortiweb-fabric-connector-cve-2025-25257/