Subscribe, build a custom feed, or pitch a sponsorship at hello@acadenix.com
Latest intel// live feed
CVE-2025-27012 — Site: Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege
Cross-Site Request Forgery (CSRF) vulnerability in a1post A1POST.BG Shipping for Woo a1post-bg-shipping-for-woocommerce allows Privilege Escalation.This issue affects A1POST.BG Shipping for Woo: from n/a through <= 1.5. CVSSv3.1 8.8 (HIGH)
CVE-2025-26776 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro chaty-pro allows
Unrestricted Upload of File with Dangerous Type vulnerability in NotFound Chaty Pro chaty-pro allows Upload a Web Shell to a Web Server.This issue affects Chaty Pro: from n/a through <= 3.3.3. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-26763 — Deserialization: of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Object
Deserialization of Untrusted Data vulnerability in MetaSlider Responsive Slider by MetaSlider ml-slider allows Object Injection.This issue affects Responsive Slider by MetaSlider: from n/a through <= 3.94.0. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-13789 — Matiskiba Ravpage: The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions
The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an add CVSSv3.1 9.8 (CRITICAL)
CVE-2024-13753 — Webcodingplace Ultimate_classified_listings: The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in
The Ultimate Classified Listings plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the update_profile function. This makes it possible for unauthenticated attackers to modify victim's email via a forged request, which might lead to account takeover, granted they can trick a user into performing an action such as clicking on a link. CVSSv3.1 8.1 (HIGH)
CVE-2020-35546 — Lexmark: MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control
Lexmark MX6500 LW75.JD.P296 and previous devices have Incorrect Access Control via the access control settings. CVSSv3.1 9.1 (CRITICAL) · EPSS 25th percentile
CVE-2025-22663 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in videowhisper Paid Videochat Turnkey Site ppv-live-webcams allows Path Traversal.This issue affects Paid Videochat Turnkey Site: from n/a through <= 7.2.12. CVSSv3.1 8.6 (HIGH)
CVE-2025-22656 — Control: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Oscar Alvarez Cookie Monster cookie-monster allows PHP Local File Inclusion.This issue affects Cookie Monster: from n/a through <= 1.2.2. CVSSv3.1 8.1 (HIGH)
CVE-2025-22654 — Upload: Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using
Unrestricted Upload of File with Dangerous Type vulnerability in kodeshpa Simplified simplified allows Using Malicious Files.This issue affects Simplified: from n/a through <= 1.0.6. CVSSv3.1 10.0 (CRITICAL)
CVE-2025-22639 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Techspawn Distance Rate Shipping for WooCommerce distance-rate-shipping-for-woocommerce-pro allows Blind SQL Injection.This issue affects Distance Rate Shipping for WooCommerce: from n/a through <= 1.3.4. CVSSv3.1 8.5 (HIGH)
CVE-2024-56000 — Incorrect: Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation.This issue affects
Incorrect Privilege Assignment vulnerability in SeventhQueen K Elements k-elements allows Privilege Escalation.This issue affects K Elements: from n/a through < 5.4.0. CVSSv3.1 9.8 (CRITICAL) · EPSS 27th percentile
CVE-2025-26465 — Openbsd Openssh: A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled.
A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. A machine-in-the-middle attack can be performed by a malicious machine impersonating a legit server. This issue occurs due to how OpenSSH mishandles error codes in specific conditions when verifying the host key. For an attack to be considered successful, the attacker needs to manage to exhaust the client's memory resource first, turning the attack complexity high. CVSSv3.1 6.8 (MEDIUM) · EPSS 99th percentile
CVE-2025-1035 — Limitation: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Komtera Technolgies KLog Server allows Manipulating Web Input to File System Calls. This issue affects KLog Server: before 3.1.1. CVSSv3.1 5.7 (MEDIUM) · EPSS 99th percentile
CVE-2024-13725 — Keap Keap_official_opt_in_forms: The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion
The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included. If register_argc_argv is en CVSSv3.1 9.8 (CRITICAL)
CVE-2024-13684 — Smartzminds Reset: The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions
The Reset plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6. This is due to missing or incorrect nonce validation on the reset_db_page() function. This makes it possible for unauthenticated attackers to reset several tables in the database like comments, themes, plugins, and more via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. CVSSv3.1 8.1 (HIGH)
CVE-2025-22290 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology LTL Freight Quotes – FreightQuote Edition ltl-freight-quotes-freightquote-edition allows SQL Injection.This issue affects LTL Freight Quotes – FreightQuote Edition: from n/a through <= 2.3.11. CVSSv3.1 9.3 (CRITICAL)
CVE-2024-12651 — Exposed: HGS Mobile App allows Manipulating User-Controlled Variables.
Exposed Dangerous Method or Function vulnerability in PTT Inc. HGS Mobile App allows Manipulating User-Controlled Variables. This issue affects HGS Mobile App: before 6.5.0. CVSSv3.1 8.5 (HIGH) · EPSS 27th percentile
CVE-2024-13152 — Neutralization: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BSS Software Mobuy Online Machinery Monitoring Panel allows SQL Injection. This issue affects Mobuy Online Machinery Monitoring Panel: before 2.0. CVSSv3.1 10.0 (CRITICAL) · EPSS 27th percentile
CVE-2025-22630 — Neutralization: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in Marketing Fire Widget Options widget-options allows OS Command Injection.This issue affects Widget Options: from n/a through <= 4.1.0. CVSSv3.1 9.9 (CRITICAL)
Multiple Russian Threat Actors Targeting Microsoft Device Code Authentication
Volexity disclosed coordinated campaigns by Russian threat actors (CozyLarch/APT29, UTA0304, UTA0307) exploiting Microsoft Device Code Authentication flow via spear-phishing and social engineering since mid-January 2025. Attackers impersonated US State Department, Ukrainian Ministry of Defence, and EU Parliament officials to trick targets into entering device codes, granting long-term account access to M365 tenants. The technique bypasses MFA by leveraging the legitimate 15-minute device code window and real-time communication coordination to ensure victim compliance.
CVE-2025-1244 — A command injection flaw was found in the text editor Emacs.
A command injection flaw was found in the text editor Emacs. It could allow a remote, unauthenticated attacker to execute arbitrary shell commands on a vulnerable system. Exploitation is possible by tricking users into visiting a specially crafted website or an HTTP URL with a redirect. CVSSv3.1 8.8 (HIGH) · EPSS 84th percentile
CVE-2024-12296 — Apusthemes Superio: The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that
The Apus Framework plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'import_page_options' function in all versions up to, and including, 2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable CVSSv3.1 8.8 (HIGH)
CVE-2024-12213 — Apusthemes Superio: The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in
The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites. Please note that this may have been patched sooner, however, the oldest available version for us to confirm this is patched in was 1.2.85. CVSSv3.1 9.8 (CRITICAL)
CVE-2024-13653 — Mvpthemes Zoxpress: The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to
The ZoxPress - The All-In-One WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backup_options' and 'restore_options' functions in all versions up to, and including, 2.12.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the defau CVSSv3.1 8.8 (HIGH)
oidc-code-to-cloud — Tool for mapping attack paths between Entra ID and GitHub
O3 Cyber released oidc-code-to-cloud, a Python tool that maps attack paths between Entra ID and GitHub by fetching tenant data via Graph and ARM APIs and visualizing relationships in Neo4j. The tool demonstrates how OIDC federation and service principal configurations can create lateral movement and privilege escalation vectors across cloud identity and CI/CD infrastructure.