Mar 14, 2022 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • WordPress plugin RCE/exploit activity: 5 CVEs flagged today.
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2021-25003 Wptaskforce Wpcargo Track & Trace RCE

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical Wptaskforce Wpcargo Track & Trace RCE (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2021-25007 Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool SQL Injection

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical Molie Instructure Canvas Linking Tool Project Molie Instructure Canvas Linking Tool SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2022-0169 10web Photo Gallery SQL Injection

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical 10web Photo Gallery SQL Injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

Exploit & PoC activity

Nothing flagged in this category for this digest.

Exploitation dynamics

Nothing flagged in this category for this digest.

New critical disclosures

CVE-2021-25003 CVSS 9.8

The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file a...

CVE-2021-25007 CVSS 9.8

The MOLIE WordPress plugin through 0.5 does not validate and escape a post parameter before using in a SQL statement, leading to an SQL I...

CVE-2022-0169 CVSS 9.8

The Photo Gallery by 10Web WordPress plugin before 1.6.0 does not validate and escape the bwg_tag_id_bwg_thumbnails_0 parameter before us...

CVE-2022-0254 CVSS 9.8

The WordPress Zero Spam WordPress plugin before 5.2.11 does not properly sanitise and escape the order and orderby parameters before usin...

CVE-2022-0658 CVSS 9.8

The CommonsBooking WordPress plugin before 2.6.8 does not sanitise and escape the location parameter of the calendar_data AJAX action (av...

CVE-2022-22720 CVSS 9.8

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing...

CVE-2022-22721 CVSS 9.1

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an integer overflow happens wh...

CVE-2022-23943 CVSS 9.8

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory with possibly attacker pro...

CVE-2022-24387 CVSS 9.1

With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g.

CVE-2022-26320 CVSS 9.1

The Rambus SafeZone Basic Crypto Module before 10.4.0, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01, Canon...

cvelogic Threat Intelligence