Remote code execution in the WP Query Console WordPress plugin (versions up to and including 1.0) by Ajit Bohra allows unauthenticated attackers to inject and execute arbitrary PHP code on the server. The CVSS 10.0 score reflects network-reachable exploitation with no privileges or user interaction and a scope change, and publicly available exploit code combined with an EPSS of 91.90% (100th percentile) indicates very high likelihood of opportunistic exploitation, though the vulnerability is not yet listed in CISA KEV.
Authentication bypass in the Stacks Mobile App Builder WordPress plugin (versions up to and including 5.2.3) allows unauthenticated remote attackers to circumvent login controls via an alternate path or channel, leading to full compromise of confidentiality, integrity, and availability. Publicly available exploit code exists, and EPSS scores this at 81.93% (99th percentile), indicating significant exploitation likelihood, though it is not currently listed in CISA KEV. The flaw is reported through Patchstack's audit program and affects WordPress installations using this plugin.
Privilege escalation in Tareq Hasan's Meetup WordPress plugin (versions through 0.1) allows remote unauthenticated attackers to bypass authorization checks via user-controlled key manipulation. With EPSS at 65.62% (98th percentile), exploitation probability is high, though no public exploit identified at time of analysis. Patchstack reported this CVSS 9.8 issue affecting a WordPress ecosystem plugin.
Remote authentication bypass in the 1-Click Login: Passwordless Authentication WordPress plugin (swoop-password-free-authentication) through version 1.4.5 allows unauthenticated attackers to bypass the primary authentication mechanism and gain access to protected accounts. With a CVSS score of 9.8 and an EPSS of 41.02% (97th percentile), this represents elevated exploitation probability although no public exploit identified at time of analysis. The flaw stems from CWE-305 (Authentication Bypass by Primary Weakness), meaning the core auth check itself can be circumvented rather than merely weakened.
SQL injection in the MicahBlu RSVP ME WordPress plugin (versions up to and including 1.9.9) allows remote unauthenticated attackers to inject crafted SQL statements that read sensitive database contents and partially impact integrity of backend systems. The CVSS 9.3 score reflects a network-reachable, no-privilege, no-interaction attack with scope change, and an EPSS of 37.74% (97th percentile) indicates substantially elevated exploitation probability relative to the broader CVE population, though no public exploit identified at time of analysis. The flaw was reported through Patchstack's WordPress plugin audit program.
An issue in pyload-ng v0.5.0b3.dev85 running under python3.11 or below allows attackers to execute arbitrary code via a crafted HTTP request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
LyLme Spage <=1.6.0 is vulnerable to SQL Injection via /admin/group.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
LyLme Spage 1.2.0 through 1.6.0 is vulnerable to SQL Injection via /admin/apply.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Unauthenticated arbitrary file upload in the AR For WordPress plugin (versions up to and including 6.6) allows remote attackers to upload web shells and achieve full site compromise. With a maximum CVSS score of 10.0 and CWE-434 (Unrestricted Upload of File with Dangerous Type), the flaw is critical, though no public exploit identified at time of analysis and EPSS sits at 1.31% (80th percentile) indicating moderate predicted exploitation activity. Reported via Patchstack, the issue affects all known versions of the plugin from webandprint.
Unrestricted file upload in the Plugin Propagator WordPress plugin (versions up to and including 0.1) by nunomorgadinho allows remote unauthenticated attackers to upload arbitrary files, including web shells, to the web server. With a CVSS of 10.0 and a changed scope, successful exploitation results in full compromise of the underlying WordPress site and potentially adjacent systems. No public exploit identified at time of analysis, though the 1.31% EPSS score (80th percentile) indicates above-average attacker interest relative to the broader CVE population.
Authentication Bypass Using an Alternate Path or Channel vulnerability in realtyworkstation Realty Workstation realty-workstation allows Authentication Bypass.0.45. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo MaanStore API maanstore-api allows Authentication Bypass.0.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Acnoo Acnoo Flutter API acnoo-flutter-api allows Authentication Bypass.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The MRBS version 1.5.0 has an SQL injection vulnerability in the edit_entry_handler.php file, specifically in the rooms%5B%5D parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A custom URL scheme handling issue was addressed with improved input validation. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in chenyenming Woocommerce Quote Calculator woo-quote-calculator-order allows Blind SQL Injection.1. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A permissions issue was addressed by removing vulnerable code and adding additional checks. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Spring WebFlux applications that have Spring Security authorization rules on static resources can be bypassed under certain circumstances. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.