Skip to main content
CVE-2025-25164 HIGH This Week

Reflected XSS in the Meta Accelerator WordPress plugin through version 1.0.4 enables remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs. The vulnerability exploits improper input sanitization in web page generation, requiring victim interaction (user must click a malicious link) but no authentication. Changed scope (S:C) indicates potential session hijacking or actions outside the vulnerable component's context. EPSS score of 0.09% (26th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit code identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25161 HIGH This Week

Reflected cross-site scripting in WP Find Your Nearest WordPress plugin versions up to 0.3.1 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability enables attackers to steal session cookies, perform actions as the victim, or deliver malware, provided the victim clicks a malicious link. EPSS score of 0.09% suggests low current exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25158 HIGH This Week

Reflected cross-site scripting in the Uncomplicated SEO WordPress plugin through version 1.2 allows remote attackers to execute arbitrary JavaScript in victim browsers. The vulnerability requires user interaction (CVSS UI:R) and features a changed scope (S:C), indicating potential access to resources beyond the vulnerable component. With EPSS exploitation probability at 0.09% (26th percentile) and no CISA KEV listing, this represents a moderate real-world threat primarily relevant to targeted phishing campaigns against WordPress site administrators.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25157 HIGH This Week

Reflected cross-site scripting in WP Church Center plugin (versions ≤1.3.3) enables network-based attackers to execute arbitrary JavaScript in victim browsers without authentication, requiring only that a user click a malicious link. The scope-change vector indicates potential compromise beyond the vulnerable plugin itself. EPSS exploitation probability is low (0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept at time of analysis, suggesting this remains a theoretical risk requiring social engineering to weaponize.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25142 HIGH This Week

Stored cross-site scripting in WP Less Compiler WordPress plugin versions through 1.3.0 enables remote unauthenticated attackers to inject malicious scripts that execute in victim browsers when triggered by user interaction. The vulnerability affects a WordPress LESS CSS preprocessor plugin, with scope change (S:C) indicating potential attack escalation beyond the plugin's security context. EPSS score of 0.09% (26th percentile) suggests low probability of widespread exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25133 HIGH This Week

Cross-site scripting (XSS) in WP Frontend Submit 1.1.0 and earlier allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted input. The vulnerability features network-based attack vector with low complexity but requires user interaction, enabling attackers to modify page content and steal session tokens with changed security context (scope:changed). EPSS score of 0.09% (26th percentile) indicates very low automated exploitation probability, and no active exploitation or public POC has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25132 HIGH This Week

Stored cross-site scripting (XSS) in the Visitor Details WordPress plugin through version 1.0.1 allows remote unauthenticated attackers to inject malicious scripts that execute when authenticated users view visitor logs. The vulnerability leverages improper input sanitization in user-controllable fields (likely visitor metadata like User-Agent, referrer, or custom parameters). Exploitation requires victim interaction (UI:R) with the modified scope (S:C) enabling attacks beyond the vulnerable plugin's context. EPSS exploitation probability is low at 0.09% (26th percentile), and no active exploitation or public POC has been identified at time of analysis, making this a moderate-priority remediation for sites using this plugin in administrative contexts.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25129 HIGH This Week

Reflected cross-site scripting (XSS) in the Callback Request WordPress plugin through version 1.4 allows remote attackers to inject malicious JavaScript by manipulating user-supplied input reflected in web page output without proper sanitization. Exploitation requires victim interaction (UI:R) with a crafted link but needs no authentication (PR:N), enabling attacks via phishing or malicious websites. The changed scope (S:C) indicates potential impact beyond the vulnerable plugin itself. EPSS score of 0.09% (26th percentile) suggests low immediate exploitation risk, and no active exploitation or public POC has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25121 HIGH This Week

Stored cross-site scripting in Theme Options Z WordPress plugin through version 1.4 allows remote attackers to inject malicious scripts that execute in victim browsers when authenticated users view affected pages. Despite the CVSS 7.1 rating suggesting network-accessible exploitation without authentication (PR:N), stored XSS vulnerabilities in WordPress plugins typically require at least contributor-level access to inject payloads, creating a discrepancy between the CVSS vector and realistic exploitation requirements. EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability, and no active exploitation has been confirmed by CISA KEV or other threat intelligence sources.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25119 HIGH This Week

Reflected cross-site scripting in Woocommerce osCommerce Sync WordPress plugin versions through 2.0.20 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious URLs. The vulnerability requires user interaction (clicking a crafted link) but no authentication, making it exploitable through phishing or social engineering campaigns. With EPSS at 0.09% (26th percentile), exploitation probability remains low, and no active exploitation or public POC has been identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25118 HIGH This Week

Reflected cross-site scripting in WPOptin (WordPress plugin 'Top Bar - PopUps - by WPOptin') versions up to 2.0.8 allows remote attackers to inject malicious JavaScript through unsanitized input parameters. With CVSS 7.1 (AV:N/AC:L/PR:N/UI:R/S:C), successful exploitation requires user interaction but no authentication, enabling session hijacking, credential theft, or malicious actions in victim context. EPSS score of 0.09% (26th percentile) indicates low observed exploitation activity. Patchstack vulnerability database confirms this issue with no current evidence of active exploitation or public POC.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25114 HIGH This Week

Reflected cross-site scripting (XSS) in the User Role WordPress plugin versions up to 1.0 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URL parameters. The vulnerability requires user interaction (victim must click a malicious link) but needs no authentication, enabling attackers to steal session cookies, perform actions as the victim, or deliver malware. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation. No CISA KEV listing confirms this is not yet actively exploited in the wild, though Patchstack has documented the flaw in their WordPress vulnerability database.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25108 HIGH This Week

Reflected cross-site scripting in SW Plus WordPress plugin through version 2.1 allows remote attackers to inject malicious scripts into web pages viewed by other users. Attack requires user interaction (victim must click a malicious link) but needs no authentication. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, consistent with typical reflected XSS patterns requiring social engineering. Patchstack database lists this as a confirmed vulnerability with dedicated entry, though no public exploit code or CISA KEV listing exists at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25102 HIGH This Week

Reflected cross-site scripting in the Yahoo BOSS WordPress plugin (versions up to 0.7) allows remote attackers to execute arbitrary JavaScript in victims' browsers through crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication, enabling session hijacking, credential theft, and phishing attacks against WordPress site users. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, and no active exploitation is documented in CISA KEV. Patchstack database confirms the vulnerability with technical details available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25090 HIGH This Week

Reflected cross-site scripting in the Dreamstime Stock Photos WordPress plugin (versions up to 4.1) allows remote attackers to inject malicious JavaScript into user browsers via crafted URLs. The vulnerability requires victim interaction (UI:R) but no authentication (PR:N), enabling session hijacking, credential theft, or malicious redirects when users click attacker-controlled links. EPSS exploitation probability is low at 0.09% (26th percentile), with no confirmed active exploitation or public proof-of-concept at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable plugin context, affecting the WordPress installation or user session integrity.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25087 HIGH This Week

Reflected XSS in seekXL Snapr WordPress plugin (versions through 2.0.6) allows remote attackers to inject malicious scripts via unsanitized input parameters, executing arbitrary JavaScript in victim browsers when users click crafted links. The CVSS 7.1 score reflects changed scope (S:C) indicating potential impact beyond the vulnerable component, though the low EPSS score (0.09%, 26th percentile) suggests minimal active exploitation. Patchstack published the vulnerability details, but no vendor patch version beyond 2.0.6 is confirmed in available data.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-25083 HIGH This Week

Stored cross-site scripting in EP4 More Embeds WordPress plugin (all versions up to 1.0.0) allows remote attackers to inject malicious JavaScript into website content that executes in victims' browsers. Despite CVSS 7.1, exploitation probability is very low (EPSS 0.09%, 26th percentile) and requires user interaction. No active exploitation confirmed, no vendor patch identified, and limited deployment scope of this niche WordPress plugin significantly reduces real-world risk.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-24758 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Map Locations allows Reflected XSS.0.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-24694 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CreativeMindsSolutions CM Email Registration Blacklist and Whitelist allows Reflected XSS.5.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23956 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Easy Post Mailer allows Reflected XSS.64. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23904 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Rebrand Fluent Forms allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23903 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Local Shipping Labels for WooCommerce allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23883 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Stray Random Quotes allows Reflected XSS.9.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23881 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound LJ Custom Menu Links allows Reflected XSS.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23879 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PillarDev Easy Automatic Newsletter Lite allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23852 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound First Comment Redirect allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23850 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mojo Under Construction allows Reflected XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23847 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Site Launcher allows Reflected XSS.9.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23843 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphrmanager WP-HR Manager: The Human Resources Plugin for WordPress allows Reflected XSS.1.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23814 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound CRUDLab Like Box allows Reflected XSS.0.9. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23813 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Guten Free Options allows Reflected XSS.9.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23762 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DsgnWrks Twitter Importer allows Reflected XSS.1.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23753 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound DN Sitemap Control allows Reflected XSS.0.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23741 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Notifications Center allows Reflected XSS.5.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23740 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Easy School Registration allows Reflected XSS.9.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23739 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound WP Ultimate Reviews FREE allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23738 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Ps Ads Pro allows Reflected XSS.0.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23736 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Form To JSON allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23731 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in infosoftplugin Tax Report for WooCommerce allows Reflected XSS.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23726 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ComparePress allows Reflected XSS.0.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23721 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mobigate allows Reflected XSS.0.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23718 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Mancx AskMe Widget allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23716 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Login Watchdog allows Stored XSS.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23688 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Cobwebo URL Plugin allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23670 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 4 author cheer up donate allows Reflected XSS.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23668 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound ChatGPT Open AI Images & Content for WooCommerce allows Reflected XSS.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23663 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Adrian Vaquez Contexto allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23637 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound 新淘客WordPress插件 allows Reflected XSS.1.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23619 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Catch Duplicate Switcher allows Reflected XSS.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23616 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NotFound Canalplan allows Reflected XSS.31. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy