Apr 25, 2022 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • Microsoft Windows: 4 CVEs added to CISA KEV today.
  • WordPress plugin RCE/exploit activity: 7 CVEs flagged today.
  • 10 new critical disclosures — review patch status on exposed services.
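The three summary lines above are the result of a join: the day's CVE activity matched against the CISA KEV catalog, the EPSS score feed and the CVSS of fresh disclosures, then ranked so that confirmed exploitation outranks a probability shift, which outranks a bare critical score. The following is an added example of that triage pass, written for this page and not cvelogic's code. It uses the field names of the real KEV JSON feed (vulnerabilities[].cveID, .dateAdded, .vulnerabilityName) and EPSS probabilities keyed by CVE as the FIRST API returns them, but every record in it is constructed: the EPSS numbers and the Win32k CVSS value are placeholders, not the real scores for these CVEs. The function names (kevIndex, classify, triage, summarize) and the EPSS_SHIFT threshold are this example's own choices.

```javascript
// Added example, not cvelogic's code: a minimal triage pass of the kind this
// digest performs. Every record below is CONSTRUCTED for the example; the EPSS
// numbers are placeholders, not the real scores for these CVEs.

const EPSS_SHIFT = 0.10; // absolute rise in EPSS probability that earns a flag

// Constructed KEV fragment in the catalog's own schema (dateAdded = digest date).
const kevFeed = {
  vulnerabilities: [
    {
      cveID: "CVE-2021-40450",
      vendorProject: "Microsoft",
      product: "Win32k",
      vulnerabilityName: "Microsoft Win32k Privilege Escalation Vulnerability",
      dateAdded: "2022-04-25",
    },
  ],
};

// Constructed EPSS snapshots (probability of exploitation within 30 days, 0..1)
// for yesterday and today. Only CVE-2022-29078 moves by more than EPSS_SHIFT.
const epssYesterday = {
  "CVE-2021-40450": 0.40, "CVE-2022-0541": 0.02, "CVE-2022-0657": 0.01,
  "CVE-2022-0769": 0.01, "CVE-2022-29078": 0.02,
};
const epssToday = {
  "CVE-2021-40450": 0.45, "CVE-2022-0541": 0.02, "CVE-2022-0657": 0.01,
  "CVE-2022-0769": 0.01, "CVE-2022-29078": 0.35,
};

// Today's CVE activity. IDs and the 9.8 scores are as listed in this digest;
// the 7.8 for the Win32k CVE is a constructed placeholder.
const disclosures = [
  { cve: "CVE-2022-0541", cvss: 9.8, title: "flo-launch WordPress plugin code injection" },
  { cve: "CVE-2022-0657", cvss: 9.8, title: "5 Stars Rating Funnel WordPress plugin SQL injection" },
  { cve: "CVE-2022-0769", cvss: 9.8, title: "Users Ultra WordPress plugin SQL injection" },
  { cve: "CVE-2022-29078", cvss: 9.8, title: "ejs server-side template injection" },
  { cve: "CVE-2021-40450", cvss: 7.8, title: "Microsoft Win32k privilege escalation" },
];

// Index the KEV feed by CVE ID for O(1) membership checks.
function kevIndex(feed) {
  return new Map(feed.vulnerabilities.map((v) => [v.cveID, v]));
}

// Assign a priority tier and a one-line reason. Lower tier = act first.
function classify(entry, kev, today, yesterday) {
  const now = today[entry.cve] ?? 0;
  const delta = now - (yesterday[entry.cve] ?? 0);
  if (kev.has(entry.cve)) {
    return { tier: 0, reason: `on CISA KEV since ${kev.get(entry.cve).dateAdded}` };
  }
  if (delta >= EPSS_SHIFT) {
    return { tier: 1, reason: `EPSS rose by ${delta.toFixed(2)} to ${now.toFixed(2)}` };
  }
  if (entry.cvss >= 9.0) {
    return { tier: 2, reason: `new critical disclosure (CVSS ${entry.cvss})` };
  }
  return { tier: 3, reason: "monitor" };
}

// Rank: tier first, then today's EPSS, then CVSS, then CVE ID for stability.
function triage(entries, feed, today, yesterday) {
  const kev = kevIndex(feed);
  return entries
    .map((e) => ({ ...e, epss: today[e.cve] ?? 0, ...classify(e, kev, today, yesterday) }))
    .sort((a, b) => a.tier - b.tier || b.epss - a.epss || b.cvss - a.cvss || a.cve.localeCompare(b.cve));
}

// Counts per tier: the numbers a "Daily summary" line is built from.
function summarize(ranked) {
  return ranked.reduce((acc, r) => { acc[r.tier] = (acc[r.tier] || 0) + 1; return acc; }, {});
}

for (const r of triage(disclosures, kevFeed, epssToday, epssYesterday)) {
  console.log(`tier ${r.tier}  ${r.cve}  ${r.reason}`);
}
```

In production the two feeds are fetched rather than embedded (the KEV JSON is published by CISA; EPSS is served per CVE by the FIRST API), and the threshold is tuned to your environment; the ordering logic is what matters: a KEV entry is confirmed exploitation and stays at the top regardless of its CVSS, an EPSS jump is the early-warning signal this digest calls an exploitation dynamic, and a fresh 9.8 with no exploitation evidence yet sits below both.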

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical active threat

CVE-2021-40450 Microsoft Win32k Privilege Escalation

  • Actively exploited: listed on CISA KEV (confirmed in-the-wild exploitation)
  • Local privilege escalation in Win32k, a kernel-mode component: a low-privileged process gains SYSTEM, not merely a local admin account

Microsoft Win32k Privilege Escalation is on CISA KEV, so exploitation has been confirmed in the wild. A kernel privilege escalation of this kind is rarely the entry point; it is chained after initial access (a phishing payload, a browser or document exploit, a web shell) to move from a user context to SYSTEM. Expect continued targeting while the issue remains on the catalog: confirm that the Microsoft update addressing CVE-2021-40450 is installed on every Windows host, starting with user-facing endpoints and internet-exposed servers.

Critical exposure

CVE-2022-0657 5 Stars Rating Funnel (WordPress plugin) SQL Injection

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical SQL injection in the 5 Stars Rating Funnel WordPress plugin (CVSS 9.8), still in its fresh disclosure window; early internet scanning often precedes mature exploit chains. Per the disclosure below, versions before 1.2.54 are affected, so inventory WordPress sites for the plugin and confirm each is on 1.2.54 or later.

Critical exposure

CVE-2022-0693 Master Elements (WordPress plugin, Devbunch) SQL Injection

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical SQL injection in the Master Elements WordPress plugin by Devbunch (CVSS 9.8), still in its fresh disclosure window; early internet scanning often precedes mature exploit chains. The disclosure below covers versions through 8.0 and names the meta_ids parameter of the remove_post_meta_condition AJAX action as the injection point, so treat every installed version as affected and consider disabling the plugin until a fixed release is available.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

WSO2 Multiple Products Unrestrictive Upload of File

Microsoft Windows User Profile Service Privilege Escalation

Microsoft Windows User Profile Service Privilege Escalation (a second, separate KEV entry with the same title; the two are distinct CVEs)

Exploit & PoC activity

Nothing flagged in this category for this digest.


Exploitation dynamics

Nothing flagged in this category for this digest.


New critical disclosures

CVE-2022-0541 CVSS 9.8

The flo-launch WordPress plugin before 2.4.1 injects code into wp-config.php when creating a cloned site, allowing any attacker to initia...

CVE-2022-0657 CVSS 9.8

The 5 Stars Rating Funnel WordPress Plugin | RRatingg WordPress plugin before 1.2.54 does not properly sanitise, validate and escape lead...

CVE-2022-0693 CVSS 9.8

The Master Elements WordPress plugin through 8.0 does not validate and escape the meta_ids parameter of its remove_post_meta_condition AJ...

CVE-2022-0769 CVSS 9.8

The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the data_target parameter before it is being interpo...

CVE-2022-0782 CVSS 9.8

The Donations WordPress plugin through 1.8 does not sanitise and escape the nd_donations_id parameter before using it in a SQL statement...

CVE-2022-1390 CVSS 9.8

The Admin Word Count Column WordPress plugin through 2.2 does not validate the path parameter given to readfile(), which could allow unau...

CVE-2022-1391 CVSS 9.8

The Cab fare calculator WordPress plugin before 1.0.4 does not validate the controller parameter before using it in require statements, w...

CVE-2022-28093 CVSS 9.8

SCBS Online Sports Venue Reservation System v1.0 was discovered to contain a local file inclusion vulnerability which allows attackers to...

CVE-2022-29078 CVSS 9.8

The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][out...
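The CVE-2022-29078 entry above describes the bug in a single line. The following added example, written for this page and not ejs's own code, models the pattern in miniature so the mechanism is visible: a template engine that builds the function for each template by string concatenation and, when an outputFunctionName option is set, splices that value into the generated source unchecked; an application handler that forwards request query parameters as render options (the res.render(view, req.query) anti-pattern, which is what makes settings[view options][outputFunctionName] reachable from a URL); and the hardened compiler that refuses any name that is not a plain JavaScript identifier, which is the shape of the check ejs 3.1.7 added. The names buildSource, compileUnsafe, compileSafe, renderFromQuery and SAFE_IDENTIFIER, the toy template syntax and the attacker query are this example's own assumptions.

```javascript
// Added example, not ejs's code and not the page's: a minimal model of the
// CVE-2022-29078 pattern. ejs 3.1.6 emitted `var <outputFunctionName> = __append;`
// into the source of the function it built for a template, without checking
// the option's value. This toy reproduces just that mechanism.

// Generate the function body for a tiny <%= expr %> template language.
function buildSource(template, outputFunctionName) {
  let src = 'let __output = "";\n';
  src += "function __append(s) { __output += String(s); }\n";
  if (outputFunctionName) {
    // The injection point: the option becomes source text verbatim.
    src += `var ${outputFunctionName} = __append;\n`;
  }
  const tag = /<%=([\s\S]*?)%>/g;
  let last = 0;
  let m;
  while ((m = tag.exec(template)) !== null) {
    src += `__append(${JSON.stringify(template.slice(last, m.index))});\n`;
    src += `__append(${m[1].trim()});\n`;
    last = m.index + m[0].length;
  }
  src += `__append(${JSON.stringify(template.slice(last))});\n`;
  return src + "return __output;\n";
}

// Vulnerable: whatever string sits in the option is compiled as code.
function compileUnsafe(template, opts = {}) {
  return new Function("locals", buildSource(template, opts.outputFunctionName));
}

// Hardened: only a plain JavaScript identifier may name the output function.
const SAFE_IDENTIFIER = /^[a-zA-Z_$][0-9a-zA-Z_$]*$/;
function compileSafe(template, opts = {}) {
  const name = opts.outputFunctionName;
  if (name !== undefined && !SAFE_IDENTIFIER.test(name)) {
    throw new Error("outputFunctionName is not a valid JS identifier");
  }
  return new Function("locals", buildSource(template, name));
}

// The application side that makes the bug reachable. `query` is the nested
// object Express's default (qs) query parser builds from
//   ?settings[view options][outputFunctionName]=...
// when a handler does res.render(view, req.query); the engine then merges
// settings["view options"] into its compile options.
function renderFromQuery(compile, template, locals, query) {
  const viewOptions = (query.settings && query.settings["view options"]) || {};
  return compile(template, { ...viewOptions })(locals);
}

const TEMPLATE = "Hello, <%= locals.name %>!";

// Constructed attacker query: ends the `var` statement early, runs code, then
// comments out the remainder of the generated line (`= __append;`).
const attackerQuery = {
  settings: { "view options": { outputFunctionName: 'x; globalThis.pwned = "code ran"; //' } },
};

// Stand-alone demonstration: the vulnerable path runs the payload as a side
// effect of rendering; the hardened path rejects it before compiling.
console.log(renderFromQuery(compileUnsafe, TEMPLATE, { name: "world" }, attackerQuery),
  "| pwned =", globalThis.pwned);
try {
  renderFromQuery(compileSafe, TEMPLATE, { name: "world" }, attackerQuery);
} catch (e) {
  console.log("hardened:", e.message);
}
```

Two fixes are independent and both belong in place: the engine must validate anything it turns into source text (the library fix), and the application must never hand req.query or req.body to res.render as the options object (the usage fix), because other engine options can be abused the same way even when this one is validated.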


cvelogic Threat Intelligence