TikTok Videos Promoting Malware Installation
Published: 2025-10-17
Last Updated: 2025-10-17 16:23:40 UTC
by Xavier Mertens (Version: 1)
Attackers are everywhere! They try to abuse victims using new communication channels and social engineering techniques! Somebody pointed me to the following TikTok video: hxxps://vm[.]tiktok[.]com/ZGdaCkbEF/.
The author pretends to provide you with an easy way to activate Photoshop for free ...
Note that the video has already been liked more than 500 times!
The technique is similar to the ClickFix attack scenario. The victim is asked to start a PowerShell as administrator and execute a one-liner ...
Read the full entry: https://isc.sans.edu/diary/TikTok+Videos+Promoting+Malware+Installation/32380/
What time is it? Accuracy of pool.ntp.org.
Published: 2025-10-21
Last Updated: 2025-10-22 12:42:06 UTC
by Johannes Ullrich (Version: 1)
Yesterday, Chinese security services published a story alleging a multi-year attack against the systems operating the Chinese standard time (CST), sometimes called Beijing Standard Time. China uses only one time zone across the country, and has not used daylight saving time since 1991. Most operating systems use UTC internally and display local time zones for user convenience. Modern operating systems use NTP to synchronize time. Popular implementations are ntpd and chrony. The client will poll several servers, disregard outliers, and usually sync with the "best" time server based on latency and jitter detected.
Based on the "Beijing Time Incident", let's review options to synchronize your network's clocks. One popular option is to use the NTP "Pool", "pool[.]ntp[.]org", or a subset of this pool (like north-america[.]pool[.]ntp[.]org or asia[.]pool[.]ntp[.]org). Currently, ntppool[.]org counts 5788 participants, which is impressive. ntppool[.]org monitors the servers and recently upgraded its monitoring system. Participating servers are assigned scores, which are then used to rank them in the pool. The open nature of the NTP Pool project has sometimes led to questions about the reliability and safety of the pool. Shodan, for example, added systems with IPv6 addresses to the NTP Pool to identify IPv6 addresses worthy of scanning.
We have published a list of IP addresses in the NTP Pool for a few years. We obtain this list from DNS lookups and some from our honeypot data. NTP servers can trigger false positives with firewalls that have difficulty managing UDP "state". You can use our API to retrieve the current list we identified ...
Read the full entry: https://isc.sans.edu/diary/What+time+is+it+Accuracy+of+poolntporg/32390/
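As an added illustration (not part of the diary), a chrony configuration that follows the client behaviour described above: several independent pool sources, a minimum number of agreeing sources before the clock is adjusted, and a bound on root distance that disqualifies a distant or jittery server. Directive names are chrony's; the internal host name and the thresholds are assumptions chosen for the example.

```conf
# /etc/chrony/chrony.conf (added example, not from the diary)

# Weak: a single upstream server. With nothing to compare against, the
# "disregard outliers" step cannot protect you if this one source is wrong.
#server time.example.net iburst

# Better: several independent sources. Each pool name resolves to multiple
# addresses; maxsources caps how many chrony keeps from each pool.
pool north-america.pool.ntp.org iburst maxsources 4
pool asia.pool.ntp.org          iburst maxsources 4

# Add a source you control (e.g. a GPS-disciplined stratum 1) so the public
# pool is not the only voice. Host name is a placeholder.
server ntp1.internal.example iburst prefer

# Do not adjust the clock unless at least three sources agree.
minsources 3

# Reject any source whose root distance (delay/2 + dispersion) exceeds 0.5 s;
# this is the latency/jitter check that drops a bad or distant server.
maxdistance 0.5

# Step the clock only during the first 3 updates and only if the offset
# exceeds 1 s; afterwards slew gradually, so one poisoned sample cannot
# jump the clock.
makestep 1.0 3

# Record the measured frequency error and keep the hardware clock in sync.
driftfile /var/lib/chrony/drift
rtcsync

# Log per-source measurements and selection decisions for later review.
logdir /var/log/chrony
log measurements statistics tracking
```

After a few polling intervals, `chronyc sources -v` shows which sources were selected and which were rejected as outliers, and `chronyc sourcestats` shows the measured offset and jitter per source.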
New DShield Support Slack
Published: 2025-10-16
Last Updated: 2025-10-17 14:42:46 UTC
by Johannes Ullrich (Version: 1)
This week, we set up a new Slack workspace for DShield.org. This workspace replaces the old workspace we originally configured back in 2016 or 2017. The workspace was originally configured as a free workspace to support the DShield.org community. Over the years, it has had a good following and a good amount of traffic.
Sadly, we learned that none of the "S" in SaaS stands for security or privacy. A couple of years ago, the SANS Institute decided to purchase an enterprise license for its Slack workspace. The details have been lost to time and to a complete turnover of contacts at Slack and now Salesforce. But our DShield.org workspace ended up as part of the Enterprise account, leading to an inflated subscription fee for SANS. As "Owner" of the DShield.org Slack, I was never asked to have the DShield.org Slack merged with the SANS account. As far as I can tell, nobody from SANS asked for it. This was not the only Slack affected. Several smaller Slack workspaces created by SANS instructors for their personal use were merged as well.
Salesforce, the current owner of the Slack brand, offered two options: Keep paying for the Slack workspace (several $ per month per user) or create a new workspace. They repeatedly denied that there is any other option. SANS did consult with me about how to move forward, and I did interact with several contacts at Salesforce to attempt to verify what exactly happened. But none of the Salesforce contacts were familiar with what exactly happened in part due to high turnover. I got various conflicting answers, but they remained consistent in being unable to "undo" the switch that turned the DShield.org workspace into an enterprise account.
SANS did offer to pay the inflated fee, but I do not think it is right to just roll over and pay. Instead, I started a new Slack this week. You can find it here ...
Read the full entry: https://isc.sans.edu/diary/New+DShield+Support+Slack/32376/
Using Syscall() for Obfuscation/Fileless Activity (2025.10.20)
https://isc.sans.edu/diary/Using+Syscall+for+ObfuscationFileless+Activity/32384/
Microsoft Patch Tuesday October 2025 (2025.10.14)
https://isc.sans.edu/diary/Microsoft+Patch+Tuesday+October+2025/32368/
The list is assembled by pulling recent vulnerabilities from NIST NVD, Microsoft, Twitter mentions of vulnerabilities, ISC Diaries and Podcast, and the CISA list of known exploited vulnerabilities. There are also some unscored, but significant, vulnerabilities at the end. This includes vulnerabilities that have not been added to the NVD yet.
CVE-2025-20352 - Cisco IOS Software and Cisco IOS XE Software are vulnerable to a DoS attack and potential code execution by an attacker with low or high privileges through the SNMP subsystem.
Product: Cisco IOS Software and Cisco IOS XE Software
CVSS Score: 0
** KEV since 2025-09-29 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-20352
ISC Podcast: https://isc.sans.edu/podcastdetail/9660
CVE-2025-24990 - Agere Modem driver has a vulnerability which will be removed in an upcoming update resulting in non-functioning fax modem hardware on Windows.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-10-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-24990
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990
CVE-2025-59230 - Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.
Product: Microsoft Windows 10 1507
CVSS Score: 7.8
** KEV since 2025-10-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59230
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230
CVE-2016-7836 - SKYSEA Client View Ver.11.221.03 and earlier is vulnerable to remote code execution due to a flaw in processing authentication on the TCP connection.
Product: Skygroup Skysea_Client_View
CVSS Score: 0
** KEV since 2025-10-14 **
NVD: https://nvd.nist.gov/vuln/detail/CVE-2016-7836
CVE-2025-42910 - SAP Supplier Relationship Management is vulnerable to arbitrary file uploads, allowing attackers to potentially execute malicious code and significantly compromise system security.
Product: SAP Supplier Relationship Management
CVSS Score: 9.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42910
CVE-2025-42937 - SAPSprint allows unauthenticated attackers to overwrite system files by traversing to parent directories, compromising confidentiality, integrity, and availability.
Product: SAP Print Service (SAPSprint)
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-42937
CVE-2025-46581 - ZTE's ZXCDN product is susceptible to a Struts remote code execution vulnerability allowing unauthenticated attackers to execute commands remotely.
Product: ZTE ZXCDN
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-46581
CVE-2025-40765 - TeleControl Server Basic V3.1 (All versions >= V3.1.2.2 < V3.1.2.3) is vulnerable to an information disclosure flaw that allows unauthenticated remote attackers to access password hashes and perform authenticated actions in the database service.
Product: Siemens Telecontrol Server Basic
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40765
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-062309.html
CVE-2025-40771 - SIMATIC CP 1542SP-1, SIMATIC CP 1542SP-1 IRC, SIMATIC CP 1543SP-1, SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, and SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL devices are vulnerable to unauthorized configuration data access due to a lack of proper authentication.
Product: Siemens SIMATIC CP 1542SP-1, SIMATIC CP 1542SP-1 IRC, SIMATIC CP 1543SP-1, SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-40771
NVD References: https://cert-portal.siemens.com/productcert/html/ssa-486936.html
CVE-2025-10610 - Winsure allows Blind SQL Injection through Version dated 21.08.2025.
Product: SFS Consulting Information Processing Industry and Foreign Trade Inc. Winsure
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10610
CVE-2025-11708 - Use-after-free in MediaTrackGraphImpl::GetInstance() This vulnerability affects Firefox < 144, Firefox ESR < 140.4, Thunderbird < 144, and Thunderbird < 140.4.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11708
CVE-2025-11709 - Firefox and Thunderbird are vulnerable to out of bounds reads and writes triggered by a compromised web process using manipulated WebGL textures.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11709
CVE-2025-11710 - Firefox and Thunderbird versions prior to 144 and 140.4 are vulnerable to revealing blocks of memory due to compromised web processes using malicious IPC messages.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11710
CVE-2025-11717 - Firefox displays a black screen instead of the password edit screen when switching between Android apps in the card carousel.
Product: Mozilla Firefox
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11717
CVE-2025-11719 - Firefox versions before 144 and Thunderbird versions before 144 are vulnerable to memory corruption from use-after-free issues in the native messaging API on Windows.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11719
CVE-2025-11721 - Firefox 143 and Thunderbird 143 have a memory safety bug affecting versions below 144, potentially allowing for arbitrary code execution.
Product: Mozilla Firefox
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11721
CVE-2025-49708 - Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.
Product: Microsoft Graphics Component
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49708
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49708
CVE-2025-55315 - ASP.NET Core allows an authorized attacker to bypass a security feature over a network due to inconsistent interpretation of http requests.
Product: Microsoft ASP.NET Core
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-55315
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55315
CVE-2025-59287 - Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Product: Microsoft Windows Server Update Service
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59287
NVD References: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
CVE-2025-49553 - Adobe Connect versions 12.9 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability allowing attackers to execute malicious scripts in a victim's browser.
Product: Adobe Connect
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49553
NVD References: https://helpx.adobe.com/security/products/connect/apsb25-70.html
CVE-2025-56749 - Creativeitem Academy LMS up to and including 6.14 is vulnerable to authentication bypass and unauthorized access via a hardcoded default JWT secret.
Product: Creativeitem Academy LMS
CVSS Score: 9.4
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56749
NVD References: https://suryadina.com/academy-lms-jwt-secret-7k9m2x4p8q/
CVE-2025-62583 - Whale Browser before 4.33.325.17 allows an attacker to escape the iframe sandbox in a dual-tab environment.
Product: Navercorp Whale
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62583
CVE-2025-41018 - Sergestec's Exito v8.0 is vulnerable to SQL injection, allowing attackers to manipulate databases through the 'cat' parameter in '/public.php'.
Product: Sergestec Exito
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-41018
NVD References: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-sergestec-products
CVE-2025-54539 - The Apache ActiveMQ NMS AMQP Client is vulnerable to deserialization of untrusted data, allowing for potential arbitrary code execution on the client side.
Product: Apache ActiveMQ NMS AMQP Client
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-54539
NVD References: https://lists.apache.org/thread/9k684j07ljrshy3hxwhj5m0xjmkz1g2n
CVE-2025-10611 - WSO2 Products are vulnerable to insufficient access control implementation, potentially allowing unauthorized users to bypass authentication and authorization checks on certain REST APIs, leading to possible unauthorized administrative access and operations.
Product: WSO2 Products
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10611
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4585/
CVE-2025-9152 - WSO2 API Manager is vulnerable to improper privilege management, allowing malicious users to generate access tokens with elevated privileges and potentially gain administrative access.
Product: WSO2 Api Control Plane
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9152
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4483/
CVE-2025-9804 - WSO2 products have an improper access control vulnerability in internal SOAP Admin Services and System REST APIs, allowing low-privileged users to perform unauthorized operations and access server-level information.
Product: WSO2 products
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9804
NVD References: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4503/
CVE-2025-61922 - PrestaShop Checkout's Express Checkout feature prior to versions 4.4.1 and 5.0.5 allows silent login, enabling account takeover via email with no known workarounds.
Product: PrestaShop Checkout
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61922
CVE-2025-62586 - OPEXUS FOIAXpress allows a remote, unauthenticated attacker to reset the administrator password. Fixed in FOIAXpress version 11.13.2.0.
Product: OPEXUS FOIAXpress
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62586
CVE-2025-11492 - ConnectWise Automate Agent allows for HTTP communication instead of HTTPS, leaving room for interception, modification, or replay attacks by on-path threat actors, prompting an update in Automate 2025.9 to enforce HTTPS for all agent communications.
Product: ConnectWise Automate Agent
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11492
NVD References: https://www.connectwise.com/company/trust/security-bulletins/connectwise-automate-2025.9-security-fix
CVE-2025-11900 - The iSherlock by HGiga is vulnerable to OS Command Injection, permitting unauthorized remote attackers to execute arbitrary commands on the server.
Product: HGiga iSherlock
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11900
NVD References: https://www.twcert.org.tw/en/cp-139-10441-00aaf-2.html
CVE-2025-11849 - Mammoth versions before 1.11.0 are vulnerable to Directory Traversal, allowing attackers to read arbitrary files on the system or cause excessive resource consumption via crafted docx files containing external image links.
Product: org.zwobble Mammoth
CVSS Score: 9.3
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11849
CVE-2023-28814 - iSecure Center Product by Hikvision has an improper file upload control vulnerability that allows attackers to upload malicious files due to lack of verification.
Product: Hikvision iSecure Center
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28814
CVE-2023-28815 - Hikvision's iSecure Center product is prone to a command injection vulnerability due to insufficient parameter validation, potentially allowing attackers to gain platform privileges and execute malicious commands.
Product: Hikvision iSecure Center
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-28815
NVD References: https://www.hikvision.com/cn/support/CybersecurityCenter/SecurityNotices/2023-04/
CVE-2025-49655 - Keras framework is vulnerable to deserialization of untrusted data in versions 3.11.0 up to 3.11.3, allowing for the execution of arbitrary code from maliciously uploaded Keras files with TorchModuleWrapper class.
Product: Keras framework
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-49655
CVE-2025-57567 - PluXml CMS theme editor is vulnerable to remote code execution through the minify.php file, allowing authenticated administrators to execute system commands.
Product: PluXml CMS theme editor
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-57567
CVE-2025-60279 - Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API, potentially enabling them to enumerate open ports and interact with internal services.
Product: Illia Cloud illia-Builder
CVSS Score: 9.6
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-60279
CVE-2025-62353 - Windsurf IDE allows threat actors to read and write arbitrary local files in and outside of current projects due to a path traversal vulnerability.
Product: Windsurf IDE
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62353
CVE-2025-62168 - Squid caching proxy is vulnerable to information disclosure due to a failure to redact HTTP authentication credentials in error handling, potentially allowing remote clients to learn authentication credentials used by trusted clients.
Product: Squid caching proxy
CVSS Score: 10.0
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62168
CVE-2025-56218 - An arbitrary file upload vulnerability in SigningHub v8.6.8 allows attackers to execute arbitrary code via uploading a crafted PDF file.
Product: SigningHub v8.6.8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56218
CVE-2025-56221 - SigningHub v8.6.8 is vulnerable to brute force attacks due to a lack of rate limiting in its login mechanism.
Product: SigningHub v8.6.8
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56221
CVE-2025-56316 - MCMS 5.5.0 is vulnerable to SQL injection in the content_title parameter of the /cms/content/list endpoint, allowing remote attackers to execute arbitrary SQL queries.
Product: MCMS 5.5.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-56316
CVE-2025-62515 - Pyquokka framework is vulnerable to remote code execution through pickle.loads() deserialization in multiple functions.
Product: Pyquokka framework for making data lakes work for time series
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62515
CVE-2025-62645 - The RBI assistant platform is vulnerable to remote authenticated attackers obtaining administrative privileges through the createToken GraphQL mutation.
Product: Restaurant Brands International RBI assistant platform
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62645
CVE-2025-11948 - Excellent Infotek's Document Management System has an Arbitrary File Upload vulnerability that allows remote attackers to execute web shell backdoors on the server.
Product: Excellent Infotek Document Management System
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11948
NVD References: https://www.twcert.org.tw/en/cp-139-10453-43e63-2.html
CVE-2025-61455 - Bhabishya-123 E-commerce 1.0 is susceptible to SQL Injection via the signup.inc.php endpoint, granting unauthorized access.
Product: Bhabishya-123 E-commerce 1.0
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61455
CVE-2025-9574 - ABB ALS-mini-s4 IP and ABB ALS-mini-s8 IP are vulnerable to Missing Authentication for Critical Function on all firmware versions between the Serial Numbers 2000 to 5166.
Product: ABB ALS-mini-s4 IP, ALS-mini-s8 IP
CVSS Score: 9.1
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9574
CVE-2025-61303 - The Hatching Triage Sandbox Windows 10 build 2004 and Windows 10 LTSC 2021 has a vulnerability in its Windows behavioral analysis engine, allowing malware to evade detection and cause denial-of-analysis by generating excessive child processes.
Product: Hatching Triage Sandbox Windows 10
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61303
NVD References: https://github.com/eGkritsis/CVE-2025-61303
CVE-2025-10020 - Zohocorp ManageEngine ADManager Plus versions before 8024 are vulnerable to an authenticated command injection vulnerability in the Custom Script component.
Product: Zohocorp ManageEngine ADManager Plus
CVSS Score: 9.9
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10020
NVD References: https://www.manageengine.com/products/ad-manager/admanager-kb/cve-2025-10020.html
CVE-2025-53037 - Oracle Financial Services Analytical Applications Infrastructure product is vulnerable to an easily exploitable attack that allows unauthorized access and potential takeover of the system.
Product: Oracle Financial Services Analytical Applications Infrastructure
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53037
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html
CVE-2025-53072 - Oracle Marketing in Oracle E-Business Suite (component: Marketing Administration) versions 12.2.3-12.2.14 is vulnerable to an easily exploitable attack by unauthenticated attackers via HTTP, potentially leading to a complete takeover of Oracle Marketing with a CVSS Base Score of 9.8.
Product: Oracle E-Business Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-53072
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html
CVE-2025-61757 - The vulnerability in the Identity Manager product of Oracle Fusion Middleware allows an unauthenticated attacker to compromise the system and potentially take it over.
Product: Oracle Identity Manager
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61757
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html
CVE-2025-62481 - Oracle Marketing in Oracle E-Business Suite (component: Marketing Administration) versions 12.2.3-12.2.14 is vulnerable to an easily exploitable attack by unauthenticated attackers via HTTP, potentially leading to a complete takeover of Oracle Marketing with a CVSS Base Score of 9.8.
Product: Oracle E-Business Suite
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-62481
NVD References: https://www.oracle.com/security-alerts/cpuoct2025.html
CVE-2025-10041 - The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads allowing unauthenticated attackers to potentially execute remote code.
Product: Flex QR Code Generator plugin for WordPress
Active Installations: 30+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10041
NVD References: https://wordpress.org/plugins/flex-qr-code-generator/
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/40000879-a5ef-48f2-97e4-77d527259af0?source=cve
CVE-2025-10294 - The OwnID Passwordless Login plugin for WordPress up to version 1.3.4 allows unauthenticated attackers to log in as other users by bypassing authentication checks.
Product: OwnID OwnID Passwordless Login plugin for WordPress
Active Installations: This plugin has been closed as of October 14, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10294
NVD References: https://wordpress.org/plugins/ownid-passwordless-login/
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve
CVE-2025-9967 - The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover up to version 1.1.7, allowing unauthenticated attackers to change user passwords to one-time passwords with knowledge of the user's phone number.
Product: Orion SMS OTP Verification plugin for WordPress
Active Installations: This plugin has been closed as of October 14, 2025 and is not available for download. This closure is temporary, pending a full review.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-9967
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b121fdb4-93a8-400c-89c2-3195cb40e03c?source=cve
CVE-2025-10742 - The Truelysell Core plugin for WordPress up to version 1.8.6 is vulnerable to Arbitrary User Password Change due to user-controlled access to objects, allowing unauthenticated attackers to potentially take over administrator accounts.
Product: Truelysell Core plugin for WordPress
Active Installations: Unknown
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10742
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/a636e865-9556-4afb-8726-4537a160f379?source=cve
CVE-2025-10850 - The Felan Framework plugin for WordPress up to version 1.1.4 is vulnerable to improper authentication, allowing unauthenticated attackers to log in as any existing user who registered with Facebook or Google social login without changing their password.
Product: Felan Framework plugin for WordPress
Active Installations: Unknown. Update to version 1.1.5, or a newer patched version.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-10850
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/ab4c7656-544c-4f2f-a42f-264ac90e3b61?source=cve
CVE-2017-20206 - The Appointments plugin for WordPress is vulnerable to PHP Object Injection via deserialization of untrusted input, allowing attackers to inject PHP Objects and create backdoors.
Product: WordPress Appointments plugin
Active Installations: This plugin has been closed as of May 7, 2019 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20206
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/7e8f230e-3f96-4efd-806d-72725b960303?source=cve
CVE-2017-20207 - The Flickr Gallery plugin for WordPress is vulnerable to PHP Object Injection through the `pager` parameter, allowing unauthenticated attackers to exploit the WP_Theme() class for backdoor creation.
Product: Flickr Gallery WordPress
Active Installations: This plugin has been closed as of May 13, 2018 and is not available for download. This closure is permanent. Reason: Author Request.
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20207
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/b52ae51d-7b9a-4047-82bf-723ea87d2375?source=cve
CVE-2017-20208 - The RegistrationMagic plugin for WordPress is vulnerable to PHP Object Injection through deserialization of untrusted input, enabling attackers to inject a PHP Object and install a remote file on the site.
Product: RegistrationMagic Custom Registration Forms
Active Installations: 10,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2017-20208
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/c2b79193-f8fc-4ea2-8973-fe292cfb926b?source=cve
CVE-2025-11391 - The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads, allowing unauthenticated attackers to potentially execute remote code on affected websites.
Product: PPOM Product Addons & Custom Fields for WooCommerce plugin
Active Installations: 20,000+
CVSS Score: 9.8
NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-11391
NVD References: https://www.wordfence.com/threat-intel/vulnerabilities/id/cf851bed-f5d8-44e2-810d-906ba3d3c1c5?source=cve
CVE-2025-10916 - The FormGent WordPress plugin before 1.0.4 allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation.
Product: FormGent WordPress plugin
Active Installations: 700+
CVSS Score: 9.1