Jan 2, 2023 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • WordPress plugin RCE/exploit activity: 5 CVEs flagged today.
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2022-43931 Synology Vpn Plus Server Out-of-Bounds Write

  • CVSS 10

New critical Synology Vpn Plus Server Out-of-Bounds Write (CVSS 10) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2022-39039 aEnrich’s a+HRD has inadequate filtering for specific URL parameter.

  • CVSS 9.8

New critical Aenrich A\+hrd SSRF (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2022-39041 aEnrich a+HRD has insufficient user input validation for specific API parameter.

  • CVSS 9.8

New critical Aenrich A\+hrd SQL injection (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2022-39039 CVSS 9.8

aEnrich’s a+HRD has inadequate filtering for specific URL parameter.

CVE-2022-39041 CVSS 9.8

aEnrich a+HRD has insufficient user input validation for specific API parameter.

CVE-2022-39042 CVSS 9.8

aEnrich a+HRD has improper validation for login function.

CVE-2022-4059 CVSS 9.8

The Cryptocurrency Widgets Pack WordPress plugin before 2.0 does not sanitise and escape some parameter before using it in a SQL statemen...

CVE-2022-4099 CVSS 9.8

The Joy Of Text Lite WordPress plugin before 2.3.1 does not properly sanitise and escape some parameters before using them in SQL stateme...

CVE-2022-4297 CVSS 9.8

The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via...

CVE-2022-4298 CVSS 9.8

The Wholesale Market WordPress plugin before 2.2.1 does not have authorisation check, as well as does not validate user input used to gen...

CVE-2022-4357 CVSS 9.8

The LetsRecover WordPress plugin before 1.2.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an...

CVE-2022-43931 CVSS 10

Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows rem...

CVE-2022-47618 CVSS 9.8

Merit LILIN AH55B04 & AH55B08 DVR firm has hard-coded administrator credentials.

View critical disclosures

cvelogic Threat Intelligence