Nov 20, 2023 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • WordPress plugin RCE/exploit activity: 3 CVEs flagged today.
  • 10 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2023-40151 When user authentication is not enabled the shell can execute commands with the highest privileges.

  • CVSS 10
  • Potential privilege escalation to admin/root

New critical Redlioncontrols St-ipm-6350 Firmware privilege escalation (CVSS 10) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2023-42770 Redlioncontrols St-ipm-6350 Firmware

  • CVSS 10

New critical disclosure (CVSS 10) — high severity with a short public awareness window before exploit material typically surfaces.

Critical exposure

CVE-2023-38823 Tenda Ac18 Firmware Buffer Overflow

  • CVSS 9.8

New critical Tenda Ac18 Firmware Buffer Overflow (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2023-38823 CVSS 9.8

Buffer Overflow vulnerability in Tenda Ac19 v.1.0, AC18, AC9 v.1.0, AC6 v.2.0 and v.1.0 allows a remote attacker to execute arbitrary cod...

CVE-2023-40151 CVSS 10

When user authentication is not enabled the shell can execute commands with the highest privileges.

CVE-2023-42770 CVSS 10

Red Lion SixTRAK and VersaTRAK Series RTUs with authenticated users enabled (UDR-A) any Sixnet UDR message will meet an authentication ch...

CVE-2023-46990 CVSS 9.8

Deserialization of Untrusted Data in PublicCMS v.4.0.202302.e allows a remote attacker to execute arbitrary code via a crafted script to...

CVE-2023-48176 CVSS 9.8

An Insecure Permissions issue in WebsiteGuide v.0.2 allows a remote attacker to gain escalated privileges via crafted jwt (JSON web token).

CVE-2023-48310 CVSS 9.1

TestingPlatform is a testing platform for Internet Security Standards.

CVE-2023-5340 CVSS 9.8

The Five Star Restaurant Menu and Food Ordering WordPress plugin before 2.4.11 unserializes user input via an AJAX action available to un...

CVE-2023-5640 CVSS 9.8

The Article Analytics WordPress plugin does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX a...

CVE-2023-5652 CVSS 9.8

The WP Hotel Booking WordPress plugin before 2.0.8 does not have authorisation and CSRF checks, as well as does not escape user input bef...

CVE-2023-6144 CVSS 9.1

Dev blog v1.0 allows to exploit an account takeover through the "user" cookie.

View critical disclosures

cvelogic Threat Intelligence