Two proof-of-concept exploits have appeared for Craft CMS vulnerabilities that were already vendor-fixed, raising the pressure on administrators to patch before testing turns into abuse.