Skip to main content
CVE-2025-21424 HIGH PATCH This Week

Memory corruption while calling the NPU driver APIs concurrently. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. This Use After Free vulnerability could allow attackers to access freed memory to execute arbitrary code or crash the application.

Use After Free Memory Corruption Buffer Overflow 315 5g Iot Modem Firmware Aqt1000 Firmware +231
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-43055 HIGH This Week

Memory corruption while processing camera use case IOCTL call. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Fastconnect 6900 Firmware Fastconnect 7800 Firmware Sdm429w Firmware Snapdragon 429 Firmware +10
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53032 HIGH This Week

Memory corruption may occur in keyboard virtual device due to guest VM interaction. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware Qam8650p Firmware +22
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-53028 HIGH This Week

Memory corruption may occur while processing message from frontend during allocation. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Qam8255p Firmware Qam8295p Firmware Qam8620p Firmware Qam8650p Firmware +32
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-20645 HIGH This Week

In KeyInstall, there is a possible out of bounds write due to a missing bounds check. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Memory Corruption Buffer Overflow Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-0555 HIGH This Week

A Cross Site Scripting (XSS) vulnerability in GitLab-EE affecting all versions from 16.6 prior to 17.7.6, 17.8 prior to 17.8.4, and 17.9 prior to 17.9.1 allows an attacker to bypass security controls. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable. No vendor patch available.

Gitlab XSS
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2025-26540 HIGH This Week

Arbitrary file deletion in Helloprint WordPress plugin (versions up to 2.0.7) allows authenticated attackers with low privileges to delete critical system files via path traversal, potentially causing complete site unavailability. The CVSS 7.7 score reflects the Changed scope and High availability impact - an attacker can traverse directories to target files outside the plugin's intended boundary, triggering denial of service. EPSS score of 0.18% (40th percentile) indicates low current exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.2%
CVE-2024-47092 HIGH PATCH This Week

Insecure deserialization and improper certificate validation in Checkmk Exchange plugin check-mk-api prior to 5.8.1. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Microsoft Deserialization Check Mk Python Api
NVD GitHub
CVSS 4.0
7.7
EPSS
0.2%
CVE-2025-25112 HIGH This Week

Blind SQL injection in the NotFound Social Links WordPress plugin (versions ≤1.2) allows authenticated administrators with high privileges to extract sensitive database contents remotely. The CVSS scope change indicates potential compromise beyond the vulnerable plugin's database context. EPSS score of 0.12% suggests low automated exploitation probability, and no public exploit or CISA KEV listing exists at time of analysis. However, the privileged access requirement significantly limits real-world risk to scenarios involving compromised admin accounts or malicious insiders.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-25162 HIGH This Week

Absolute path traversal in Sports Rankings and Lists WordPress plugin versions up to 1.0.2 allows unauthenticated remote attackers to read arbitrary files from the server filesystem. The vulnerability enables unauthorized access to sensitive configuration files, credentials, and source code without requiring authentication or user interaction. EPSS score of 0.25% suggests low probability of mass exploitation, and no public exploit code or active exploitation has been identified at time of analysis.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-27264 HIGH This Week

Local File Inclusion (LFI) in Doctor Appointment Booking WordPress plugin version 1.0.0 and earlier allows authenticated attackers with low privileges to read arbitrary files from the server filesystem, potentially exposing configuration files, credentials, and sensitive application data. Despite the network attack vector, exploitation requires high complexity conditions and low-level authentication. EPSS score of 0.24% (47th percentile) suggests low probability of widespread exploitation, with no CISA KEV listing or confirmed active exploitation at time of analysis.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-23945 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in NotFound Popliup allows PHP Local File Inclusion.1.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Information Disclosure LFI PHP
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-24846 HIGH This Week

Authentication bypass vulnerability exists in FutureNet AS series (Industrial Routers) provided by Century Systems Co., Ltd. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-27421 HIGH PATCH This Week

Abacus is a highly scalable and stateless counting API. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-53027 HIGH PATCH This Week

Transient DOS may occur while processing the country IE. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Buffer Copy without Size Check vulnerability could allow attackers to overflow a buffer to corrupt adjacent memory.

Buffer Overflow Qca9367 Firmware Qca9377 Firmware Qcc2073 Firmware Qcc2076 Firmware +202
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25130 HIGH This Week

Path traversal in Delete Comments By Status (WordPress plugin) versions up to 2.1.1 enables remote attackers to include arbitrary PHP files from the local filesystem, potentially achieving remote code execution. Attack requires high complexity (AC:H) and user interaction (UI:R), limiting exploitation to social engineering scenarios. EPSS score of 0.18% (39th percentile) indicates low widespread exploitation probability. No active exploitation confirmed (not in CISA KEV), and no public POC identified at time of analysis.

PHP Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-27422 HIGH This Week

FACTION is a PenTesting Report Generation and Collaboration Framework. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-25951 HIGH This Week

An information disclosure vulnerability in the component /rest/cb/executeBasicSearch of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Academia Student Information System
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-41771 HIGH This Week

IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Engineering Requirements Management Doors Next
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-41770 HIGH This Week

IBM Engineering Requirements Management DOORS Next 7.0.2, 7.0.3, and 7.1 could allow a remote attacker to download temporary files which could expose application logic or other sensitive information. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure IBM Engineering Requirements Management Doors Next
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-8261 HIGH This Week

Authorization Bypass Through User-Controlled Key vulnerability in Proliz Software OBS allows Exploiting Incorrectly Configured Access Control Security Levels.0927. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-26988 HIGH This Week

SQL injection in the Cozy Vision 'SMS Alert Order Notifications - WooCommerce' WordPress plugin (all versions up to and including 3.7.8) lets remote attackers inject crafted SQL into backend database queries, enabling extraction of arbitrary data such as customer records, order details, and WordPress credential hashes. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates network-reachable, low-complexity exploitation with high confidentiality impact and no integrity or availability impact, consistent with a read-oriented (e.g. UNION/blind) injection. No public exploit was identified at time of analysis and EPSS is low (0.11%, 30th percentile), but the flaw was reported by Patchstack, a credible WordPress vulnerability research source.

WordPress SQLi Sms Alert Order Notifications
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2024-51961 HIGH This Week

There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Arcgis Server
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-27423 HIGH PATCH This Week

Vim is an open source, command line text editor. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. This Command Injection vulnerability could allow attackers to inject arbitrary commands into system command execution.

Command Injection Vim Hci Compute Node Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
1.0%
CVE-2025-26885 HIGH This Week

Deserialization of Untrusted Data vulnerability in Brent Jett Assistant allows Object Injection.5.1. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-25127 HIGH This Week

Reflected cross-site scripting (XSS) in the WordPress plugin 'Contact Us By Lord Linus' (versions up to 2.6) allows remote attackers to execute arbitrary JavaScript in victim browsers by crafting malicious URLs. Exploitation requires user interaction (clicking a link or visiting a crafted page), but no authentication is needed. CVSS 7.1 reflects scope change indicating potential session hijacking across security contexts. EPSS score of 0.15% (36th percentile) suggests low mass-exploitation probability, though XSS vulnerabilities in WordPress plugins remain attractive targets for phishing and account takeover campaigns.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-25124 HIGH This Week

Reflected cross-site scripting in Status Updater WordPress plugin (versions ≤1.9.2) allows remote unauthenticated attackers to inject malicious scripts that execute in victims' browsers with changed security context (CVSS scope change). Attack vector is network-based with low complexity but requires user interaction (typically clicking a crafted link). EPSS score of 0.15% (36th percentile) indicates low automated exploitation probability. No CISA KEV listing or public POC identified at time of analysis. Patchstack database entry suggests this may be part of a broader WordPress plugin vulnerability pattern, though reference URLs contain inconsistent metadata (titles reference different plugin 'WP Spell Check' despite CVE being for Status Updater).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-25113 HIGH This Week

Reflected cross-site scripting in Implied Cookie Consent WordPress plugin through version 1.3 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs requiring user interaction. Reported by Patchstack's security audit team, this network-accessible vulnerability scores CVSS 7.1 due to scope change enabling attacks across security contexts. EPSS exploitation probability is low at 0.15% (36th percentile), and no active exploitation has been confirmed in CISA KEV, though Patchstack tracking suggests awareness in vulnerability databases targeting WordPress plugins.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-25099 HIGH This Week

Reflected cross-site scripting in Appointment Buddy Widget (WordPress plugin) versions up to 1.2 allows remote attackers to execute malicious scripts in victim browsers via crafted URLs. Scope change in CVSS vector indicates potential session hijacking or data exfiltration across origin boundaries. EPSS score of 0.15% (36th percentile) suggests low likelihood of mass exploitation, but XSS remains a viable social engineering attack vector. Reported by Patchstack audit team with public disclosure via vulnerability database.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-25092 HIGH This Week

Reflected cross-site scripting (XSS) in All push notification for WP plugin versions through 1.5.3 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. While CVSS rates this 7.1 (High) with changed scope indicating potential token theft or session hijacking beyond the plugin context, EPSS exploitation probability remains low at 0.15% (36th percentile), and no public exploit code or active exploitation (non-KEV) has been identified. Patchstack identified and reported this vulnerability, indicating security research focus on WordPress plugins.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-25089 HIGH This Week

Reflected cross-site scripting in Image Rotator WordPress plugin allows remote attackers to inject malicious JavaScript via crafted URLs that execute in victim browsers when users click attacker-controlled links. Affects all versions through 2.0 with no public exploit identified at time of analysis. EPSS score of 0.15% (36th percentile) indicates low predicted exploitation probability, consistent with typical WordPress plugin XSS requiring user interaction.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-25070 HIGH This Week

Stored cross-site scripting (XSS) in Album Reviewer WordPress plugin versions up to 2.0.2 allows remote unauthenticated attackers to inject malicious JavaScript into album review content that executes when other users view the compromised pages. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of victim users, with cross-site scope allowing attacks beyond the vulnerable component's security boundary. EPSS score of 0.15% (36th percentile) indicates relatively low automated exploitation probability, and no active exploitation is documented in CISA KEV at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2025-24654 HIGH This Week

Missing Authorization vulnerability in SEO Squirrly SEO Plugin by Squirrly SEO.4.05. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-27279 HIGH This Week

Reflected cross-site scripting in Flashfader WordPress plugin through version 1.1.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is low (0.09%, 26th percentile) with no confirmed active exploitation (not in CISA KEV). Patchstack vulnerability database lists this as a reflected XSS requiring social engineering or phishing to trick users into clicking malicious links. The changed scope (S:C) in CVSS indicates potential for cross-context attacks including session hijacking or privilege escalation within WordPress admin environments.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-27278 HIGH This Week

Reflected cross-site scripting in AcuGIS Leaflet Maps WordPress plugin (versions through 5.1.1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling potential session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no public exploit code has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-27275 HIGH This Week

Reflected cross-site scripting (XSS) in WOO Codice Fiscale WordPress plugin versions up to 1.6.3 enables remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (clicking a crafted URL) but no authentication, allowing attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low likelihood of mass exploitation. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-27271 HIGH This Week

Reflected XSS in DB Tables Import/Export WordPress plugin through version 1.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted links requiring user interaction. The vulnerability stems from inadequate input sanitization during web page generation, enabling scope change attacks with potential for session hijacking, credential theft, and administrative action execution. EPSS score of 0.09% (26th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-27269 HIGH This Week

Reflected cross-site scripting in .htaccess Login block WordPress plugin versions up to 0.9a allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but enables session hijacking, credential theft, and malicious actions in the context of authenticated WordPress administrators. EPSS score of 0.09% (26th percentile) indicates low probability of widespread exploitation, and no active exploitation or public POC has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26914 HIGH This Week

Reflected cross-site scripting in Variable Inspector WordPress plugin versions up to 2.6.2 enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. The vulnerability stems from improper neutralization of input during page generation (CWE-79). With CVSS 7.1 and scope change capability, successful exploitation allows limited data theft, session hijacking, and malicious actions under victim context. EPSS score of 0.09% (26th percentile) suggests low probability of mass exploitation. No public exploit identified at time of analysis, and no CISA KEV listing indicates no confirmed active exploitation campaigns.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26879 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cristián Lávaque s2Member Pro allows Reflected XSS. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26589 HIGH This Week

Reflected cross-site scripting in IE CSS3 Support WordPress plugin through version 2.0.1 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication and can impact other site origins due to changed scope (S:C in CVSS). EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation or CISA KEV listing, indicating limited real-world targeting despite moderate CVSS 7.1 scoring.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26588 HIGH This Week

Reflected cross-site scripting (XSS) in the WordPress TTT Crop plugin versions up to 1.0 enables remote attackers to inject malicious JavaScript into victim browsers via crafted URLs. With a CVSS score of 7.1 and changed scope, successful exploitation allows attackers to steal session tokens, perform actions as the victim, or deliver phishing content within the WordPress admin context. EPSS exploitation probability is low at 0.09% (26th percentile), and no public exploit code or active exploitation has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26587 HIGH This Week

Reflected cross-site scripting (XSS) in sidebarTabs WordPress plugin versions ≤3.1 enables remote attackers to inject malicious scripts via crafted URLs that execute in victim browsers when user interaction occurs. Reported by Patchstack security research (audit@patchstack.com), this vulnerability exploits improper input neutralization during page generation. EPSS score of 0.09% (26th percentile) suggests low widespread exploitation probability, with no CISA KEV listing or public POC identified at time of analysis, indicating limited active exploitation despite moderate CVSS severity.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26586 HIGH This Week

Reflected XSS in Events Planner WordPress plugin versions up to 1.3.10 allows remote attackers to inject malicious scripts via crafted URLs that execute in victims' browsers when clicked. Reported by Patchstack security researchers, the vulnerability requires user interaction (opening a malicious link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of authenticated WordPress users. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability in the wild, with no CISA KEV listing or public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26585 HIGH This Week

Reflected cross-site scripting in DL Leadback WordPress plugin versions up to 1.2.1 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability permits theft of session cookies, credential harvesting, or defacement of WordPress admin interfaces. EPSS score of 0.09% (26th percentile) suggests low observed exploitation activity, and no active exploitation is confirmed via CISA KEV. Patchstack documented this XSS flaw affecting all installations through version 1.2.1.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26563 HIGH This Week

Reflected cross-site scripting (XSS) in the Rocket Mobile WordPress plugin through version 1.3.3 allows remote attackers to inject malicious scripts via crafted URLs. Successful exploitation requires victim interaction (clicking a malicious link). The vulnerability enables scope change (S:C), allowing attackers to execute JavaScript in the context of another user's session, potentially leading to session hijacking, credential theft, or site defacement. EPSS score of 0.09% (26th percentile) suggests low observed exploitation in the wild, and no public exploit code or CISA KEV listing identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26557 HIGH This Week

Reflected cross-site scripting (XSS) in ViperBar WordPress plugin versions up to 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack security researchers, this network-exploitable vulnerability has a low EPSS score (0.09%, 26th percentile) indicating minimal observed exploitation activity. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component, enabling session hijacking or privilege escalation within WordPress installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25170 HIGH This Week

Reflected cross-site scripting in the Migrate Posts WordPress plugin (versions ≤1.0) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted requests. Attack requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling social engineering vectors such as malicious links in phishing emails. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no public exploit identified at time of analysis. Patchstack vulnerability database confirms the flaw but patch status requires verification with plugin maintainers.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25169 HIGH This Week

Reflected cross-site scripting (XSS) in Authors Autocomplete Meta Box WordPress plugin versions up to 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. Exploitation requires user interaction - a logged-in administrator or editor must click a malicious link. While CVSS rates this 7.1 (High) due to changed scope, the EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No active exploitation confirmed; no CISA KEV listing.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25165 HIGH This Week

Stored Cross-Site Scripting (XSS) in WordPress Staff Directory Plugin (Company Directory) versions up to 4.3 allows remote unauthenticated attackers to inject malicious JavaScript that executes in victims' browsers. The CVSS 7.1 score reflects Changed scope (S:C), indicating the injected script can operate outside the vulnerable component's security context. EPSS probability is low (0.09%, 26th percentile) with no confirmed active exploitation. Patchstack database identifies this as a stored XSS variant, meaning the malicious payload persists in the WordPress database and triggers whenever affected pages are viewed.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy