Mar 14, 2022 Cyber Threat Intelligence
Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.
Daily summary
- WordPress plugin RCE/exploit activity: 5 CVEs flagged today.
- 10 new critical disclosures — review patch status on exposed services.
Top threats today
Three highest-priority changes — analyst brief, not a CVE dump.
Critical exposure
CVE-2021-25003
Wptaskforce Wpcargo Track \& Trace RCE
- CVSS 9.8
- Internet-facing CMS deployments affected
New critical Wptaskforce Wpcargo Track \& Trace RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
CVE-2021-25007
Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool SQL Injection
- CVSS 9.8
- Internet-facing CMS deployments affected
New critical Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Critical exposure
CVE-2022-0169
10web Photo Gallery SQL Injection
- CVSS 9.8
- Internet-facing CMS deployments affected
New critical 10web Photo Gallery SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.
Active exploitation
CISA KEV — confirmed in-the-wild exploitation.
Nothing flagged in this category for this digest.
View KEV additions
Exploitation dynamics
Nothing flagged in this category for this digest.
See EPSS increases
New critical disclosures
The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file a...
The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL I...
The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before us...
The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before usin...
The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (av...
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing...
If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens wh...
Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker pro...
With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g.
The Rambus SafeZone Basic Crypto Module before 10.4.0, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01, Canon...
View critical disclosures
cvelogic
Threat Intelligence