Sep 18, 2025 Cyber Threat Intelligence

Track daily vulnerability activity, KEV additions, public exploits, critical disclosures, and EPSS risk shifts.

Daily summary

  • WordPress plugin RCE/exploit activity: 4 CVEs flagged today.
  • 9 new critical disclosures — review patch status on exposed services.

Top threats today

Three highest-priority changes — analyst brief, not a CVE dump.

Critical exposure

CVE-2025-10035 Fortra GoAnywhere MFT Deserialization of Untrusted Data

  • CVSS 10

New critical Fortra GoAnywhere MFT Command Injection (CVSS 10) — fresh disclosure window; early internet scanning often precedes mature exploit chains.

Critical exposure

CVE-2025-9083 Ninjaforms Ninja Forms

  • CVSS 9.8
  • Internet-facing CMS deployments affected

New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.

Critical exposure

CVE-2024-13151 CWE - 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') v...

  • CVSS 9.8

New critical disclosure (CVSS 9.8) — high severity with a short public awareness window before exploit material typically surfaces.

Active exploitation

CISA KEV — confirmed in-the-wild exploitation.

Nothing flagged in this category for this digest.

View KEV additions

Exploit & PoC activity

Nothing flagged in this category for this digest.

View new exploit links

Exploitation dynamics

Nothing flagged in this category for this digest.

See EPSS increases

New critical disclosures

CVE-2024-13151 CVSS 9.8

CWE - 89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ESBI Information and Tel...

CVE-2025-10035 CVSS 10

Fortra GoAnywhere MFT Deserialization of Untrusted Data

CVE-2025-10690 CVSS 9.8

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing ca...

CVE-2025-30519 CVSS 9.3

Dover Fueling Solutions ProGauge MagLink LX4 Devices have default root credentials that cannot be changed through standard administrative...

CVE-2025-5305 CVSS 9.8

The Password Reset with Code for WordPress REST API WordPress plugin before 0.0.17 does not use cryptographically sound algorithms to gen...

CVE-2025-54807 CVSS 9.3

The secret used for validating authentication tokens is hardcoded in device firmware for affected versions.

CVE-2025-8942 CVSS 9.1

The WP Hotel Booking WordPress plugin before 2.2.3 lacks proper server-side validation for review ratings, allowing an attacker to manipu...

CVE-2025-9083 CVSS 9.8

The Ninja Forms WordPress plugin before 3.11.1 unserializes user input via form field, which could allow Unauthenticated users to perform...

View critical disclosures

cvelogic Threat Intelligence