Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
A series of critical vulnerabilities has been disclosed affecting a wide range of popular software platforms, including WordPress plugins, web frameworks, developer tools, and enterprise applications. Notable issues include unauthenticated remote code execution (RCE) flaws in Next.js (CVE-2025-66478), WordPress (CVE-2025-6389), and the ACF Extended plugin (CVE-2025-13486), as well as privilege escalation and authentication bypass vulnerabilities in the WP Directory Kit plugin (CVE-2025-13390) and cPanel. Several of these vulnerabilities are reported to be under active exploitation, and proof-of-concept code is available for some, which raises the urgency of patching and mitigation.
Other significant disclosures include a high-severity flaw in Vim for Windows (CVE-2025-66476) allowing arbitrary code execution, a critical SQL injection chain in Synology BeeStation, and a directory traversal vulnerability in cPanel that could lead to full server takeover. Additional advisories cover lz4-java, Longwatch OT surveillance, Django, Elementor, Apache Struts, nopCommerce, and OpenVPN, many of them rated critical or high severity under CVSS. Organizations should review the affected products and apply security updates promptly to reduce the risk of exploitation.
Timeline
Dec 4, 2025
WordPress CVE-2025-6389 reported under active exploitation
CVE-2025-6389, a critical WordPress vulnerability, was disclosed as allowing unauthenticated remote code execution, with reports that attackers were already exploiting it.
Dec 4, 2025
Next.js maximum-severity RCE CVE-2025-66478 disclosed
A critical remote code execution flaw in Next.js, CVE-2025-66478, was disclosed with a CVSS score of 10.0, the maximum, indicating significant risk to affected deployments.
Dec 4, 2025
Vim for Windows CVE-2025-66476 disclosed
A high-severity Vim for Windows vulnerability, CVE-2025-66476, was reported as allowing arbitrary code execution when a user interacts with a compromised folder.
Dec 4, 2025
Synology BeeStation flaw chain with root RCE and PoC revealed
A Synology BeeStation exploit chain combining SQL injection with a novel dirty file write technique was disclosed as leading to root remote code execution, and a proof-of-concept was made available.
Dec 3, 2025
WP Directory Kit CVE-2025-13390 disclosed as auth bypass to admin takeover
CVE-2025-13390 was published for WP Directory Kit versions through 1.4.4, describing a predictable auto-login token weakness that allows unauthenticated attackers to bypass authentication and gain administrative access.
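The predictable-token weakness described above, as an added example; this is not code from WP Directory Kit or from the advisory. The weak scheme is a hypothetical construction chosen to show why a token derived only from attacker-knowable inputs (here a user id and a day counter) can be regenerated without any secret; the plugin's actual token format is not known from this page. The hardened version, `AutoLoginTokens`, is also added code, with names chosen here: it draws the token from a CSPRNG, binds it to the user and an expiry with an HMAC under a server-side key, stores it for single use, and compares tags in constant time.

```python
"""Auto-login tokens: a predictable scheme beside an unpredictable, verifiable one.

Added example, not code from WP Directory Kit or its advisory. The weak scheme is
a hypothetical illustration of the class of bug (token derived from inputs an
unauthenticated attacker can know or guess); the real construction may differ.
"""
import hashlib
import hmac
import secrets


# --- Weak scheme: token derived only from public or guessable inputs --------
def weak_autologin_token(user_id: int, day: int) -> str:
    # Hypothetical predictable construction: no secret key, no randomness.
    return hashlib.md5(f"{user_id}:{day}".encode()).hexdigest()


def attacker_forges_weak_token(target_user_id: int, day: int) -> str:
    # An unauthenticated attacker who knows (or enumerates) the user id and the
    # day can reproduce exactly the token the site would issue, and log in as
    # that user (user id 1 is typically the first administrator on WordPress).
    return weak_autologin_token(target_user_id, day)


# --- Hardened scheme: random, server-stored, bound to user, expiring ---------
class AutoLoginTokens:
    def __init__(self, server_key: bytes, ttl_seconds: int = 300):
        self._key = server_key          # secret never sent to the client
        self._ttl = ttl_seconds
        self._issued = {}               # token_id -> (user_id, expiry, used)

    def issue(self, user_id: int, now: float) -> str:
        token_id = secrets.token_urlsafe(32)       # 256 bits from the CSPRNG
        expiry = int(now) + self._ttl
        tag = self._mac(token_id, user_id, expiry)
        self._issued[token_id] = (user_id, expiry, False)
        return f"{token_id}.{user_id}.{expiry}.{tag}"

    def redeem(self, token: str, now: float):
        """Return the user id on success, or None. Single-use and time-limited."""
        try:
            token_id, user_id_s, expiry_s, tag = token.split(".")
            user_id, expiry = int(user_id_s), int(expiry_s)
        except ValueError:
            return None
        expected = self._mac(token_id, user_id, expiry)
        if not hmac.compare_digest(tag, expected):   # constant-time comparison
            return None
        record = self._issued.get(token_id)
        if record is None or record[2]:              # unknown, or already used
            return None
        if record[0] != user_id or record[1] != expiry or now > expiry:
            return None
        self._issued[token_id] = (user_id, expiry, True)   # burn the token
        return user_id

    def _mac(self, token_id: str, user_id: int, expiry: int) -> str:
        msg = f"{token_id}.{user_id}.{expiry}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()
```

The point of the comparison is that a forger of the hardened token has to guess 256 random bits or the server key; knowing the victim's user id and the clock buys nothing, and a leaked token is worthless after one use or a few minutes.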
Dec 3, 2025
ACF Extended CVE-2025-13486 exposes 100,000 WordPress sites to RCE
A critical flaw in the ACF Extended WordPress plugin, CVE-2025-13486, was disclosed as allowing unauthenticated remote code execution and affecting roughly 100,000 sites.
Dec 3, 2025
Critical cPanel traversal and LPE flaw disclosed
A critical cPanel vulnerability with CVSS 9.3 was reported as enabling directory traversal and local privilege escalation, potentially leading to full server takeover in shared hosting environments.
Dec 3, 2025
Elementor plugin flaw CVE-2025-8489 reported under active exploitation
A critical Elementor plugin vulnerability, CVE-2025-8489, was disclosed with a CVSS score of 9.8 and reports of active exploitation enabling unauthenticated administrator takeover.
Dec 3, 2025
Django SQL injection flaw CVE-2025-13372 disclosed
A vulnerability in Django, tracked as CVE-2025-13372, was reported as allowing SQL injection through PostgreSQL FilteredRelation handling.
Dec 3, 2025
CISA warns of critical Longwatch OT surveillance RCE
CISA issued a warning for CVE-2025-13658, a critical Longwatch vulnerability rated CVSS 9.8 that could allow unauthenticated attackers to gain SYSTEM-level control of OT surveillance deployments.
Dec 3, 2025
lz4-java CVE-2025-12183 prompts migration to community fork
A high-severity vulnerability, CVE-2025-12183, was reported in the discontinued lz4-java library, with users urged to migrate to a community-maintained fork because the original project is no longer maintained.
Dec 2, 2025
nopCommerce session flaw CVE-2025-11699 reported
CVE-2025-11699 in nopCommerce was disclosed as a session management flaw that could allow attackers to reuse admin session cookies after logout and take over administrator accounts.
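Server-side session revocation at logout, as an added example of the failure mode described above; it is not nopCommerce code, and `SessionStore`, `logout_cookie_only` and `logout_revoke` are names chosen here. The flawed logout only tells the browser to drop the cookie, so a previously captured administrator cookie keeps authenticating until the idle timeout; the correct logout deletes the server-side record as well, and `revoke_all_for_user` covers password changes and compromise response.

```python
"""Session handling after logout: cookie-only clearing beside server-side revocation.

Added example; not nopCommerce code. It reproduces only the failure mode the
advisory describes (an admin session cookie that remains valid after logout),
not the application's actual session implementation.
"""
import secrets


class SessionStore:
    def __init__(self, idle_timeout: int = 1800):
        # session_id -> {"user": str, "role": str, "last_seen": float}
        self._sessions = {}
        self._idle = idle_timeout

    def login(self, user: str, role: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)      # fresh, unguessable identifier
        self._sessions[sid] = {"user": user, "role": role, "last_seen": now}
        return sid

    def authenticate(self, cookie_value: str, now: float):
        """Resolve a session cookie to (user, role), or None if it is not valid."""
        s = self._sessions.get(cookie_value)
        if s is None:
            return None
        if now - s["last_seen"] > self._idle:
            del self._sessions[cookie_value]  # idle expiry
            return None
        s["last_seen"] = now
        return s["user"], s["role"]

    def logout_cookie_only(self, cookie_value: str) -> dict:
        # Flawed logout: instructs the browser to drop the cookie but leaves the
        # server-side record untouched. Anyone holding a copy of the cookie
        # (proxy log, XSS, shared machine) keeps the admin session alive.
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout_revoke(self, cookie_value: str) -> dict:
        # Correct logout: delete the server-side record so the identifier can
        # never authenticate again, then clear the cookie on the client.
        self._sessions.pop(cookie_value, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def revoke_all_for_user(self, user: str) -> int:
        """Drop every session of a user (password change, suspected compromise)."""
        doomed = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)
```

When reviewing a session implementation, the check is simply this: capture a valid cookie, log out through the normal UI, then replay the captured cookie against an authenticated endpoint; a 200 instead of a redirect to the login page means logout is client-side only.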
Dec 2, 2025
OpenVPN fixes critical heap over-read and HMAC bypass flaws
OpenVPN released fixes for vulnerabilities including a heap over-read rated CVSS 9.1 and an HMAC bypass issue that could enable denial-of-service attacks.
Dec 2, 2025
Apache Struts file leak vulnerability CVE-2025-64775 disclosed
A new Apache Struts vulnerability, CVE-2025-64775, was identified and reported as a file leak issue that could let attackers exhaust disk space on affected systems.
Related Stories

Multiple Unrelated Critical Vulnerabilities Disclosed in October 2025
A series of critical and high-severity vulnerabilities affecting a diverse set of software products were publicly disclosed in October 2025. Epsilon RH by Grupo Castilla was found to have a SQL injection vulnerability (CVE-2025-41028) that allows attackers to manipulate the database by sending crafted POST requests to the 'sEstadoUsr' parameter in the '/epsilonnetws/WSAvisos.asmx' endpoint. Lanscope Endpoint Manager (CVE-2025-61932) was reported to have an improper origin verification flaw, enabling attackers to execute arbitrary code via specially crafted packets, though remote exploitation is not possible. Galaxy Software Services Vitals ESP Forum Module (CVE-2025-31342) was discovered to allow remote authenticated users to upload dangerous files, leading to arbitrary command execution. Fsas Technologies Inc.'s ETERNUS SF (CVE-2025-62577) contains incorrect default permissions, allowing low-privileged users to obtain database credentials and potentially escalate privileges to execute OS commands as an administrator. Excellent Infotek's Document Management System (CVE-2025-11948) is vulnerable to unauthenticated arbitrary file upload, enabling attackers to deploy web shells and execute code on the server. Vvveb CMS up to version 1.0.5 is susceptible to authenticated code injection via its Code Editor, allowing attackers to modify files and achieve remote code execution. The Theme Editor plugin for WordPress (CVE-2025-9890) is vulnerable to cross-site request forgery, which can be exploited to achieve remote code execution if an administrator is tricked into clicking a malicious link. The PPOM plugin for WooCommerce (CVE-2025-11391) allows unauthenticated arbitrary file uploads, posing a severe risk to affected e-commerce sites. 
The Appointments plugin for WordPress (CVE-2017-20206) and the Flickr Gallery plugin (CVE-2017-20207) both suffer from unauthenticated PHP object injection vulnerabilities, which have been actively exploited to create backdoors using the WP_Theme() class. RegistrationMagic (CVE-2017-20208) is also affected by a PHP object injection flaw, allowing attackers to fetch and install remote files. Finally, BLU-IC2 and BLU-IC4 devices (CVE-2025-11925) have an API that returns an incorrect Content-Type header, potentially enabling HTML/JavaScript injection in responses. Each of these vulnerabilities presents a significant risk, with several allowing remote code execution, privilege escalation, or the installation of persistent backdoors. The affected products span web applications, content management systems, endpoint management tools, and specialized enterprise software. Security teams are advised to review the specific advisories, apply patches or mitigations where available, and monitor for signs of exploitation, as several vulnerabilities have been reported as actively exploited in the wild. The diversity and severity of these disclosures underscore the ongoing need for rigorous vulnerability management and timely response to public advisories.
1 month ago
Multiple High-Impact Vulnerabilities Disclosed Across Diverse Software Platforms
A series of critical and high-severity vulnerabilities have been disclosed affecting a wide range of software products, including workflow automation tools, web applications, network devices, and desktop software. Notable issues include remote code execution (RCE) flaws in *n8n*, *Lilac-Reloaded for Nagios*, *FileZilla Client*, and *AVideo*, as well as privilege escalation vulnerabilities in products like *Versa SASE Client*, *AspEmail*, and *ActFax*. Several vulnerabilities allow unauthenticated attackers to upload arbitrary files, bypass authentication, or exploit weak session management, potentially leading to full system compromise or unauthorized access to sensitive data. Many of these vulnerabilities have public exploits available, increasing the risk of active exploitation in the wild. Vendors have released patches for several of the affected products, and administrators are strongly advised to update to the latest versions or apply recommended mitigations. The vulnerabilities span a variety of attack vectors, including buffer overflows, improper input validation, insecure file upload mechanisms, and misconfigured authentication endpoints. Organizations should prioritize patching systems exposed to the internet and review access controls to limit the impact of potential exploitation. Immediate attention is warranted for products with critical CVSS scores and those with known public exploits.
1 month ago
Multiple Critical Vulnerabilities Disclosed Across Popular Software Platforms
Several critical vulnerabilities have been disclosed affecting a range of widely used software platforms, including the Linux InputPlumber component, Apache Uniffle, legacy Vivotek cameras, Ubuntu Linux Kernel, Apache Struts 2, and React Router. Each vulnerability presents unique risks, such as remote code execution, information disclosure, privilege escalation, and unauthorized access, potentially impacting both enterprise and consumer environments. Security advisories urge immediate attention to patching and mitigation, as attackers could exploit these flaws to compromise systems, intercept sensitive data, or disrupt operations. The Ubuntu Linux Kernel advisory details multiple CVEs affecting various LTS versions, with potential impacts including denial of service, elevation of privilege, and information disclosure. Other reports highlight specific vulnerabilities: InputPlumber flaws could allow hijacking of Linux gaming sessions, Apache Uniffle and Struts 2 flaws expose clusters and data to eavesdropping and leakage, React Router's CVE-2025-61686 could lead to server file exposure, and unpatched Vivotek cameras are broadcasting live video feeds publicly. Organizations are advised to review vendor advisories and apply security updates promptly to mitigate these threats.
1 month ago