May 17, 2025 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • WordPress plugin RCE/exploit activity: 2 CVEs flagged today.
  • 5 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2025-4918 An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object.

  • CVSS 9.8

New critical Mozilla Firefox Out-of-Bounds Write (CVSS 9.8) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2025-4389 The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary...

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.

Critical exposure

CVE-2025-4391 The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due...

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2025-4389 CVSS 9.8

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type va...

CVE-2025-4391 CVSS 9.8

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the...

CVE-2025-47945 CVSS 9.1

Donetick an open-source app for managing tasks and chores.

CVE-2025-48187 CVSS 9.1

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verificatio...

CVE-2025-4918 CVSS 9.8

An attacker was able to perform an out-of-bounds read or write on a JavaScript `Promise` object.

View critical disclosures

cvelogic Threat Intelligence