Securing Firebase: Lessons Re-Learned from the Tea Breach
Published: 2025-07-30
Last Updated: 2025-07-30 20:19:26 UTC
by Johannes Ullrich (Version: 1)
Today we are trying something a bit different (again). Brandon Evans, senior instructor with SANS, contributed the video below, talking a bit about the breach of the Tea App, and how to prevent and detect this vulnerability.
Firebase is a very popular database developed by Google. It easily ties in with modern web and mobile applications. Sadly, as so often, it comes with some configuration challenges out of the box.
As a traditional ("old school") web developer, it would never have crossed my mind to allow users to connect directly to my backend database. But modern tools like Firebase often encourage just that. All security controls must now reside in the database itself, and many modern databases, in particular "NoSQL" databases, lack the fine-grained access control rules we learned to love in traditional SQL databases. This leads to applications that may implement detailed access control rules, but those rules become meaningless once the user connects directly to the database, bypassing any application-specific controls. Flawed applications often rely on client-side access control "tricks" that are easily bypassed.
Sadly, this is not just a vibe-coding issue. Developers have been able to code defective applications without the help of AI, and this is not only a bad, but also a sad, pattern found in many modern applications using tools like Firebase.
Fixing this issue is not necessarily hard. Start by implementing strong Firebase rules, or avoid these tools in favor of backend data stores with stronger access controls out of the box. If you do rely on specific strong configurations, make sure they are verified as part of your CI/CD pipeline. And as always, lock down your cloud configuration. Firebase does inherit GCP IAM policies ...
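The CI/CD verification suggested above can be as simple as linting the rules file before it is deployed. The following is an added example, not ISC's or Firebase's own tooling: a small Python checker that tokenizes a Firestore `firestore.rules` file (match blocks, braces and `allow` statements only, not the full rules language) and reports any statement that is unconditionally open or that only checks `request.auth != null`. The two rule sets embedded below are constructed for the example; the "weak" one is the kind of development-time setting that leaves every document readable and writable by anyone who connects directly to the database.

```python
"""Lint Firestore security rules for over-permissive `allow` statements.

Added example for a CI gate. The tokenizer is deliberately small: it
understands `match` block headers, braces and `allow` statements, and
nothing else of the rules language.
"""
import re
from dataclasses import dataclass

# Tokens we care about: a match block header (which consumes its `{`), an
# allow statement, a bare `{` (service/function blocks) and a closing `}`.
TOKEN = re.compile(
    r"\bmatch\s+(?P<path>\S+)\s*\{"
    r"|\ballow\s+(?P<ops>[\w\s,]+?)\s*(?::\s*if\s+(?P<cond>.*?))?;"
    r"|(?P<open>\{)"
    r"|(?P<close>\})",
    re.DOTALL,
)

# `request.auth != null` (or `.uid != null`) on its own: any signed-in user.
AUTH_ONLY = re.compile(r"request\.auth(\.uid)?\s*!=\s*null")


@dataclass(frozen=True)
class Finding:
    path: str       # full match path the statement applies to
    ops: str        # e.g. "read, write"
    cond: str       # normalised condition text
    severity: str   # "fail" or "warn"


def _strip_comments(text: str) -> str:
    # Line comments only; a `//` inside a string literal would be eaten too.
    return re.sub(r"//[^\n]*", "", text)


def lint_rules(text: str) -> list[Finding]:
    """Return every allow statement that is open or only checks sign-in."""
    findings: list[Finding] = []
    stack: list[str] = []   # one entry per open brace; "" for non-match blocks
    for tok in TOKEN.finditer(_strip_comments(text)):
        if tok.group("path") is not None:
            stack.append(tok.group("path"))
        elif tok.group("open"):
            stack.append("")
        elif tok.group("close"):
            if stack:
                stack.pop()
        else:
            path = "".join(stack) or "/"
            ops = " ".join(tok.group("ops").split())
            # `allow read;` with no condition is unconditional, i.e. `if true`.
            cond = " ".join((tok.group("cond") or "true").split())
            if cond == "true":
                findings.append(Finding(path, ops, cond, "fail"))
            elif AUTH_ONLY.fullmatch(cond):
                # Sign-in alone under a recursive wildcard hands every document
                # to every account holder; elsewhere it deserves a second look.
                sev = "fail" if "=**" in path else "warn"
                findings.append(Finding(path, ops, cond, sev))
    return findings


def ci_gate(text: str) -> bool:
    """True when the rules may ship: no finding at severity `fail`."""
    return not any(f.severity == "fail" for f in lint_rules(text))


# Constructed sample: opened "temporarily" during development, never closed.
WEAK_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;   // anyone on the internet, any document
    }
  }
}
"""

# Constructed sample: ownership is enforced in the database itself.
HARDENED_RULES = """\
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    match /users/{userId} {
      allow read, write: if request.auth != null && request.auth.uid == userId;
    }
    match /posts/{postId} {
      allow read: if request.auth != null;
      allow create: if request.auth != null && request.resource.data.owner == request.auth.uid;
      allow update, delete: if request.auth != null && resource.data.owner == request.auth.uid;
    }
  }
}
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{name}: gate={'PASS' if ci_gate(rules) else 'FAIL'}")
        for f in lint_rules(rules):
            print(f"  [{f.severity}] {f.path}: allow {f.ops} if {f.cond}")
```

In a pipeline, run `ci_gate()` over the rules file that `firebase deploy` would push and fail the build when it returns `False`; the "warn" findings (sign-in only, on a non-recursive path) are the ones to review by hand, since "any authenticated user" is still every account holder, not the document's owner.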
Video: https://www.youtube.com/watch?v=owKQMToTny4
Read the full entry: https://isc.sans.edu/diary/Securing+Firebase+Lessons+ReLearned+from+the+Tea+Breach/32158
Apple Updates Everything: July 2025
Published: 2025-07-29
Last Updated: 2025-07-29 21:24:55 UTC
by Johannes Ullrich (Version: 1)
Apple today released updates for iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. This is a feature release, but it includes significant security updates. Apple patches a total of 89 different vulnerabilities. None of these vulnerabilities has been identified as exploited.
Apple's vulnerability descriptions are not very telling. Most vulnerabilities are likely DoS issues, causing a system or individual subsystems to crash. There are a few privilege escalation and sandbox escape vulnerabilities that Apple addressed in this update. Vulnerabilities identified as memory corruption or heap corruption may lead to code execution, but the exact scope is difficult to ascertain from Apple's limited information.
There are a few "interesting" vulnerabilities:
CVE-2025-43217: Privacy Indicators for microphone or camera access may not be correctly displayed. This likely refers to the green dot displayed next to the control center, not the physical LED used by some Apple laptops.
- https://nvd.nist.gov/vuln/detail/CVE-2025-43217
CVE-2025-43240: A download's origin may be incorrectly associated. A "Mark of the Web" issue? Apple uses extended file attributes for this. Sadly, no details to review existing downloads.
- https://nvd.nist.gov/vuln/detail/CVE-2025-43240
For macOS, security-only updates are available for versions back to Ventura (macOS 13). For iOS/iPadOS, updates are available for 18 and 17.
Read the full entry: https://isc.sans.edu/diary/Apple+Updates+Everything+July+2025/32154/
Parasitic SharePoint Exploits
Published: 2025-07-28
Last Updated: 2025-07-28 15:25:29 UTC
by Johannes Ullrich (Version: 1)
Last week, newly exploited SharePoint vulnerabilities took a lot of our attention. It is fair to assume that last Monday (July 21st), all exposed vulnerable SharePoint installs were exploited. Of course, there is nothing to prevent multiple exploitation of the same instance, and a lot of that certainly happened. But why exploit it yourself if you can just take advantage of backdoors left behind by prior exploits? A number of these backdoors were widely publicised. The initial backdoor was frequently observed and Microsoft listed various variations of this filename.
Since then, we have observed attempts to access these backdoors. The scans started a week ago, just as the exploits (and the name of the backdoors) became better known ...
The graph displays the number of requests we see in our honeypots each day for URLs like ... . This includes some exploit attempts, as they also match this pattern. But we do see a few "untargeted" exploit attempts at this point. Many of the requests originate from researchers counting the number of exploited systems.
Here is the complete list of possible URLs, including the date they were first detected by our honeypots ...
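The same per-day count, and the "first detected" date per URL, can be produced from an organization's own SharePoint (IIS) logs. The following is an added example, not ISC's honeypot code, written from the defender's side: it parses IIS W3C extended log lines, counts requests to a watch-list of backdoor paths per day and records when each path was first seen. The watch-list entries and the log lines are constructed placeholders; the real filenames are the ones in the diary's list, which is not reproduced here. One check the honeypot view cannot give you is included: a watched path that answers 200 on your own server means the file exists there.

```python
"""Hunt IIS W3C logs for requests to known web-shell/backdoor paths.

Added example, not ISC's code. The paths and log lines below are
constructed placeholders, not real indicators.
"""
from collections import Counter, defaultdict

# Placeholder watch-list: substitute the backdoor filenames published for the
# incident you are hunting. Lower-cased because IIS paths are case-insensitive.
WATCHED_PATHS = {p.lower() for p in (
    "/_layouts/15/EXAMPLE-BACKDOOR-1.aspx",
    "/_layouts/16/EXAMPLE-BACKDOOR-2.aspx",
)}

# Constructed log excerpt in IIS W3C extended format (IIS writes '+' for
# spaces inside the user agent, so each record splits on whitespace).
LOG_LINES = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-07-21 03:14:07 10.0.0.5 GET /_layouts/15/EXAMPLE-BACKDOOR-1.aspx - 443 203.0.113.7 curl/8.0 200
2025-07-21 09:02:44 10.0.0.5 GET /_layouts/15/start.aspx - 443 198.51.100.3 Mozilla/5.0 200
2025-07-22 11:45:10 10.0.0.5 GET /_layouts/15/example-backdoor-1.aspx - 443 198.51.100.9 python-requests/2.32 200
2025-07-22 11:45:11 10.0.0.5 GET /_layouts/16/EXAMPLE-BACKDOOR-2.aspx - 443 198.51.100.9 python-requests/2.32 404
2025-07-23 00:01:59 10.0.0.5 GET /_layouts/16/EXAMPLE-BACKDOOR-2.aspx - 443 192.0.2.44 Mozilla/5.0 404
"""


def parse_w3c(text: str) -> list[dict]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat on log rotation
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip truncated records
                rows.append(dict(zip(fields, parts)))
    return rows


def watched_hits(rows: list[dict]) -> list[tuple]:
    """(date, path, source ip, status) for every request to a watched path."""
    hits = []
    for r in rows:
        path = r["cs-uri-stem"].lower()
        if path in WATCHED_PATHS:
            hits.append((r["date"], path, r["c-ip"], int(r["sc-status"])))
    return hits


def daily_counts(rows: list[dict]) -> dict:
    """Requests per day per watched path, the honeypot graph's data."""
    counts = defaultdict(Counter)
    for day, path, _ip, _status in watched_hits(rows):
        counts[day][path] += 1
    return counts


def first_seen(rows: list[dict]) -> dict:
    """Date each watched path was first requested (ISO dates sort as text)."""
    seen = {}
    for day, path, _ip, _status in sorted(watched_hits(rows)):
        seen.setdefault(path, day)
    return seen


def present_on_server(rows: list[dict]) -> set:
    """Watched paths that answered 200: the file exists on this server.

    A 404 is a probe against a path you do not have; a 200 is an incident."""
    return {path for _d, path, _ip, status in watched_hits(rows) if status == 200}


if __name__ == "__main__":
    rows = parse_w3c(LOG_LINES)
    for day, counter in sorted(daily_counts(rows).items()):
        print(day, dict(counter))
    print("first seen:", first_seen(rows))
    print("present on server:", present_on_server(rows))
```

Point `parse_w3c()` at the real `u_ex*.log` files under the IIS log directory of each SharePoint front end; any path in `present_on_server()` is a reason to start incident response rather than to count scanners.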
Read the full entry: https://isc.sans.edu/diary/Parasitic+Sharepoint+Exploits/32148/
Triage is Key! Python to the Rescue! (2025.07.29)
https://isc.sans.edu/diary/Triage+is+Key+Python+to+the+Rescue/32152/
Sinkholing Suspicious Scripts or Executables on Linux (2025.07.25)
https://isc.sans.edu/diary/Sinkholing+Suspicious+Scripts+or+Executables+on+Linux/32144/
New Tool: ficheck.py (2025.07.24)
https://isc.sans.edu/diary/New+Tool+ficheckpy/32136/
Analyzing SharePoint Exploits (CVE-2025-53770, CVE-2025-53771) (2025.07.23)
https://isc.sans.edu/diary/Analyzing+Sharepoint+Exploits+CVE202553770+CVE202553771/32138/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-53770 - Microsoft SharePoint Server is vulnerable to code execution by unauthorized attackers through deserialization of untrusted data, with an exploit already in the wild.
Product: Microsoft SharePoint Server
CVSS Score: 0
** KEV since 2025-07-20 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53770
ISC Podcast: https://isc.sans.edu/podcastdetail/9536
CVE-2025-53771 - Microsoft Office SharePoint is susceptible to path traversal which could enable a spoofing attack over a network.
Product: Microsoft Office SharePoint
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53771
ISC Podcast: https://isc.sans.edu/podcastdetail/9536
CVE-2025-20281 - Cisco ISE and Cisco ISE-PIC are susceptible to a remote code execution vulnerability that allows an unauthenticated attacker to gain root access by manipulating user input.
Product: Cisco ISE and Cisco ISE-PIC
CVSS Score: 0
** KEV since 2025-07-28 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20281
ISC Podcast: https://isc.sans.edu/podcastdetail/9546
CVE-2025-6558 - Google Chrome prior to 138.0.7204.157 is vulnerable to sandbox escape via crafted HTML pages due to insufficient validation of untrusted input in ANGLE and GPU.
Product: Google Chrome
CVSS Score: 0
** KEV since 2025-07-22 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6558
ISC Diary: https://isc.sans.edu/diary/32154
CVE-2025-4285 - Agentis: before 4.32 is vulnerable to SQL Injection due to improper neutralization of special elements in SQL commands.
Product: Rolantis Information Technologies Agentis
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4285
CVE-2025-8028, CVE-2025-8031, CVE-2025-8037, CVE-2025-8038, CVE-2025-8043, CVE-2025-8044 - Mozilla Vulnerabilities
Product: Mozilla Firefox, Firefox ESR, and Thunderbird
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8028
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8031
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8037
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8038
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8043
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8044
NVD References:
- https://www.mozilla.org/security/advisories/mfsa2025-56/
- https://www.mozilla.org/security/advisories/mfsa2025-57/
- https://www.mozilla.org/security/advisories/mfsa2025-58/
- https://www.mozilla.org/security/advisories/mfsa2025-59/
- https://www.mozilla.org/security/advisories/mfsa2025-61/
- https://www.mozilla.org/security/advisories/mfsa2025-62/
- https://www.mozilla.org/security/advisories/mfsa2025-63/
CVE-2025-54438, CVE-2025-54443, & CVE-2025-54446 - Samsung Electronics MagicINFO 9 Server Path Traversal vulnerabilities enable the upload of a Web Shell to a Web Server before version 21.1080.0.
Product: Samsung Electronics MagicINFO 9 Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54438
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54443
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54446
NVD References: https://security.samsungtv.com/securityUpdates
CVE-2025-54440, CVE-2025-54442, CVE-2025-54444, CVE-2025-54448, & CVE-2025-54449 - Samsung Electronics MagicINFO 9 Server unrestricted file upload vulnerabilities enable code injection in versions less than 21.1080.0.
Product: Samsung Electronics MagicINFO 9 Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54440
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54442
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54444
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54448
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54449
NVD References: https://security.samsungtv.com/securityUpdates
CVE-2025-54451 - Samsung Electronics MagicINFO 9 Server is vulnerable to Code Injection due to improper control of code generation, impacting versions less than 21.1080.0.
Product: Samsung MagicINFO 9 Server
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54451
NVD References: https://security.samsungtv.com/securityUpdates
CVE-2025-54454 & CVE-2025-54455 - Samsung Electronics MagicINFO 9 Server Authentication Bypass vulnerabilities due to the use of hard-coded credentials in versions less than 21.1080.0.
Product: Samsung MagicINFO 9 Server
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54454
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54455
NVD References: https://security.samsungtv.com/securityUpdates
CVE-2025-41687 - u-link Management API allows an unauthenticated remote attacker to exploit a stack based buffer overflow and gain full access on affected devices.
Product: u-blox u-link Management API
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41687
NVD References: https://certvde.com/de/advisories/VDE-2025-052
CVE-2025-53882 - openSUSE's mailman3 package vulnerability allows escalation from mailman to root due to reliance on untrusted inputs in the logrotate configuration.
Product: openSUSE mailman3 package
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53882
NVD References: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-53882
CVE-2025-40599 - SonicWall SMA 100 series web management interface has an authenticated arbitrary file upload vulnerability allowing remote attackers with administrative privileges to potentially execute remote code.
Product: SonicWall SMA 100 series
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40599
NVD References: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2025-0014
CVE-2025-41240 - Three Bitnami Helm charts expose sensitive credentials through predictable directory paths within the web server document root.
Product: Bitnami Helm charts
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41240
NVD References: https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w
CVE-2025-4822 - Bayraktar Solar Energies ScadaWatt Otopilot is vulnerable to SQL Injection before 27.05.2025.
Product: Bayraktar Solar Energies ScadaWatt Otopilot
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4822
CVE-2025-5243 - SMG Software Information Portal allows for OS Command Injection, Code Injection, and Upload of a Web Shell, impacting versions before 13.06.2025.
Product: SMG Software Information Portal
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-5243
CVE-2025-4784 - Moderec Tourtella is vulnerable to SQL Injection, allowing attackers to manipulate SQL commands before 26.05.2025.
Product: Moderec Tourtella
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-4784
CVE-2025-41420, CVE-2025-46410, CVE-2025-50128, & CVE-2025-53084 - WWBN AVideo 14.4 and dev master commit 8a8954ff cross-site scripting (XSS) vulnerabilities
Product: WWBN AVideo
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41420
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46410
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50128
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53084
NVD References:
- https://talosintelligence.com/vulnerability_reports/TALOS-2025-2209
- https://talosintelligence.com/vulnerability_reports/TALOS-2025-2205
- https://talosintelligence.com/vulnerability_reports/TALOS-2025-2207
- https://talosintelligence.com/vulnerability_reports/TALOS-2025-2206
CVE-2025-6260 - Thermostat's embedded web server contains a vulnerability allowing unauthenticated attackers to reset user credentials via manipulation of the web interface.
Product: Thermostat Vendor Thermostat product
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6260
NVD References: https://www.cisa.gov/news-events/ics-advisories/icsa-25-205-02
CVE-2025-45777 - Chavara Matrimony Site v2.0 is vulnerable to authentication bypass through a crafted request in its OTP mechanism.
Product: Chavara Family Welfare Centre Chavara Matrimony Site
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-45777
CVE-2025-29631 - An issue in Gardyn 4 allows a remote attacker to execute arbitrary code.
Product: Gardyn 4
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-29631
CVE-2025-46199 - Grav v1.7.48 and earlier versions are vulnerable to Cross Site Scripting, allowing attackers to run arbitrary code through manipulated form fields.
Product: Grav v.1.7.48
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46199
CVE-2025-30135 - IROAD Dashcam FX2 devices are vulnerable to unauthorized dumping of files over HTTP and RTSP without authentication, potentially allowing attackers to access sensitive video recordings and live footage.
Product: IROAD Dashcam FX2
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-30135
NVD References: https://github.com/geo-chen/IROAD?tab=readme-ov-file
CVE-2025-54416 - The tj-actions/branch-names GitHub actions repository in versions 8.2.1 and below allows arbitrary command execution in downstream workflows due to inconsistent input sanitization and unescaped output.
Product: tj-actions branch-names
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54416
CVE-2025-6918 - Ncvav Virtual PBX Software before 09.07.2025 is vulnerable to SQL Injection, enabling attackers to manipulate SQL commands.
Product: Ncvav Virtual PBX Software
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6918
CVE-2025-26469 - MedDream PACS Premium 7.3.3.840 has an incorrect default permissions vulnerability that allows an attacker to decrypt stored credentials using a specially crafted application.
Product: MedDream PACS Premium
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26469
NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2154
CVE-2025-27724 - MedDream PACS Premium 7.3.3.840 allows for privilege escalation through a specially crafted .php file upload.
Product: MedDream PACS Premium
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-27724
NVD References: https://talosintelligence.com/vulnerability_reports/TALOS-2025-2156
CVE-2025-54418 - CodeIgniter is vulnerable to a command injection affecting versions prior to 4.6.2 when using the ImageMagick handler for image processing, allowing for execution of malicious code through user-controlled filenames or text content.
Product: CodeIgniter ImageMagick Handler
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54418
NVD References: https://github.com/codeigniter4/CodeIgniter4/security/advisories/GHSA-9952-gv64-x94c
CVE-2025-54419 - Node-SAML version 5.0.1 allows an attacker to modify authentication details within a valid SAML assertion, potentially compromising user credentials.
Product: Node-SAML SAML library
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54419
NVD References: https://github.com/node-saml/node-saml/security/advisories/GHSA-4mxg-3p6v-xgq3
CVE-2025-54428 - RevelaCode inadvertently exposed sensitive database credentials in versions below 1.0.1, allowing potential unauthorized access and data compromise.
Product: RevelaCode AI-powered faith-tech project
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54428
NVD References: https://github.com/musombi123/RevelaCode-Backend/security/advisories/GHSA-m253-qvcr-cr48
CVE-2025-8264 - Z-push/z-push-dev versions before 2.7.6 are vulnerable to SQL Injection, allowing attackers to manipulate the username field in basic authentication and potentially access or modify sensitive third-party database data.
Product: Z-Push z-push/z-push-dev
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-8264
NVD References: https://security.snyk.io/vuln/SNYK-PHP-ZPUSHZPUSHDEV-10908180
CVE-2025-46059 - Langchain-ai v0.3.51 is vulnerable to an indirect prompt injection in the GmailToolkit component, enabling attackers to execute arbitrary code through a malicious email.
Product: langchain-ai GmailToolkit
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46059
CVE-2025-50738 - The Memos application up to version v0.24.3 allows for arbitrary URL embedding in markdown images, exposing users' IP addresses and browser information without explicit consent.
Product: Memos application
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-50738
CVE-2025-44136 - MapTiler Tileserver-php v2.0 is vulnerable to Cross Site Scripting (XSS) due to the unencoded reflection of the "layer" GET parameter in error messages.
Product: MapTiler Tileserver-php v2.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-44136
CVE-2025-54381 - BentoML versions 1.4.0 through 1.4.19 are vulnerable to SSRF attacks that an unauthenticated remote attacker can trigger through the file upload processing system.
Product: BentoML Python library
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54381
CVE-2025-43217 - iPadOS and iOS may not correctly display Privacy Indicators for microphone or camera access, fixed in versions 17.7.9, 18.6, and 18.6.
Product: Apple iPadOS and iOS
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43217
ISC Diary: https://isc.sans.edu/diary/32154
NVD References:
- https://support.apple.com/en-us/124147
- https://support.apple.com/en-us/124148
CVE-2025-43240 - macOS Sequoia 15.6 fixed a logic issue with improved checks, preventing incorrect associations of a download's origin.
Product: Apple macOS Sequoia
CVSS Score: 0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-43240
ISC Diary: https://isc.sans.edu/diary/32154
NVD References: https://support.apple.com/en-us/124149
CVE-2025-24220 - A permissions issue was addressed with additional restrictions. This issue is fixed in iOS 18.4 and iPadOS 18.4. An app may be able to read a persistent device identifier.
Product: Apple iOS and iPadOS
CVSS Score: N/A
NVD: https://nvd.nist.gov/vuln/detail/cve-2025-24220
ISC Diary: https://isc.sans.edu/diary/32154
ISC Podcast: https://isc.sans.edu/podcastdetail/9548
NVD References: https://support.apple.com/en-us/122371
CVE-2012-10020 - The FoxyPress plugin for WordPress allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially leading to remote code execution.
Product: FoxyPress WordPress
Active Installations: This plugin has been closed as of October 9, 2014 and is not available for download. Reason: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2012-10020
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8fbc88da-8944-433c-b94d-9604ffe13d8a?source=cve
CVE-2015-10137 - The Website Contact Form With File Upload plugin for WordPress allows unauthenticated attackers to upload arbitrary files, potentially leading to remote code execution.
Product: WordPress Website Contact Form With File Upload plugin
Active Installations: This plugin has been closed as of October 24, 2016 and is not available for download. Reason: Unknown.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10137
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/8395e0c4-3feb-4551-9f2f-7b80cd187eca?source=cve
CVE-2025-6187 - The bSecure plugin for WordPress allows unauthenticated attackers to escalate privileges by exploiting missing authorization in its order_info REST endpoint.
Product: bSecure WordPress plugin
Active Installations: This plugin has been closed as of July 21, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6187
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f51029-0748-4943-b0ef-fc822b14614a?source=cve
CVE-2025-7437 - The Ebook Store plugin for WordPress allows unauthenticated attackers to upload arbitrary files and potentially execute remote code due to missing file type validation.
Product: WordPress Ebook Store plugin
Active Installations: 1,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7437
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/0dc5c05d-51b7-4aee-bb4e-366ded45c4d8?source=cve
CVE-2025-6380 - The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint.
Product: ONLYOFFICE Docs plugin for WordPress
Active Installations: 100+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6380
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/608b0506-074b-4df3-8c30-57cfb090f553?source=cve
CVE-2025-6441 - WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation, allowing attackers to generate login tokens for arbitrary users and potentially bypass authentication.
Product: WebinarIgnition plugin for WordPress
Active Installations: 100+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6441
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/52c19707-df18-4239-af46-12ea5ee86a4b?source=cve
CVE-2025-7852 - The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads allowing unauthenticated attackers to potentially achieve remote code execution.
Product: WordPress WPBookit plugin
Active Installations: 30+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-7852
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/0bb11092-4367-4f51-9dd7-22fbd655a03f?source=cve
CVE-2015-10143 - The Platform WordPress theme is vulnerable to unauthorized data modification and privilege escalation.
Product: WordPress Platform theme
Active Installations: Unknown. Update to version 1.4.4, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2015-10143
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c16fab08-6b2c-433a-9105-fc15f5c52575?source=cve
CVE-2019-25224 - The WP Database Backup plugin for WordPress is vulnerable to OS Command Injection before version 5.2.
Product: WP Database Backup WordPress
Active Installations: 30,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-25224
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/d21cf285-9d75-43a2-9e81-67116f0bf896?source=cve
CVE-2025-6895 - The Melapress Login Security plugin for WordPress allows unauthenticated attackers to bypass authentication checks and log in as any user by exploiting an Authentication Bypass vulnerability.
Product: Melapress Login Security plugin for WordPress
Active Installations: 2,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-6895
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/6f65d5c4-6f53-4836-9130-c9f4ed3be893?source=cve
The following vulnerabilities need a manual review:
CVE-2025-43187, CVE-2025-43202, CVE-2025-43210, CVE-2025-4321, CVE-2025-43236, CVE-2025-43238, CVE-2025-43255, CVE-2025-43257, CVE-2025-43268
Product: Multiple Apple products
CVSS Scores: N/A
NVD: N/A
ISC Diary: https://isc.sans.edu/diary/32154
ISC Podcast: https://isc.sans.edu/podcastdetail/9548