Skip to main content
CVE-2025-30066 HIGH POC KEV THREAT Act Now

tj-actions/changed-files GitHub Action was compromised in a supply chain attack where modified tags pointed to credential-stealing code, exposing secrets from GitHub Actions workflows across thousands of repositories.

Information Disclosure Changed Files
NVD GitHub
CVSS 3.1
8.6
EPSS
92.0%
CVE-2025-2322 MEDIUM POC This Month

A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Java Springboot Openai Chatgpt
NVD VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-1771 CRITICAL Act Now

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure PHP RCE LFI WordPress +1
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-2334 MEDIUM POC This Month

A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Springboot Openai Chatgpt
NVD VulDB
CVSS 4.0
5.3
EPSS
0.4%
CVE-2025-26875 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in silverplugins217 Multiple Shipping And Billing Address For Woocommerce allows SQL Injection.3. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-2321 MEDIUM POC This Month

A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5 and classified as critical. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Springboot Openai Chatgpt
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-2323 MEDIUM POC This Month

A vulnerability was found in 274056675 springboot-openai-chatgpt e84f6f5. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Springboot Openai Chatgpt
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-26921 HIGH This Week

PHP object injection in Booking and Rental Manager for WooCommerce (WordPress plugin) versions up to 2.2.6 allows authenticated attackers with low privileges to execute arbitrary PHP code or manipulate application logic through deserialization of untrusted data. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though the low EPSS score (0.23%, 45th percentile) indicates minimal observed exploitation attempts. Patchstack discovered and reported this vulnerability, suggesting patch availability through their advisory.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1657 HIGH This Week

The Directory Listings WordPress plugin - uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1667 HIGH This Week

The School Management System - WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-1653 HIGH This Week

The Directory Listings WordPress plugin - uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-26961 HIGH This Week

Broken access control in Fresh Framework WordPress plugin through version 1.70.0 allows remote unauthenticated attackers to access privileged functionality without proper authorization checks. The vulnerability bypasses authentication requirements (tagged as Authentication Bypass), enabling unauthorized modification of plugin settings or data (high integrity impact) with partial information disclosure. EPSS probability remains low (0.12%, 31st percentile), indicating limited observed exploitation attempts, though the network-accessible attack vector and lack of complexity make exploitation straightforward once discovered.

Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-27281 HIGH This Week

Blind SQL injection in All In Menu WordPress plugin versions up to 1.1.5 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause limited denial of service. The vulnerability's scope change (S:C) indicates potential cross-boundary impact, enabling attackers to access data beyond the plugin's normal authorization scope. No public exploit identified at time of analysis, with low EPSS score (0.12%, 31st percentile) indicating minimal observed exploitation activity in the wild.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-26976 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent.11.4. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-26978 HIGH This Week

SQL injection in FS Poster WordPress plugin version 6.5.8 and earlier allows authenticated attackers with low privileges to extract sensitive database information and potentially cause service disruption. The vulnerability enables cross-scope impact, meaning attackers can access resources beyond their authorized boundary. With a low EPSS score (0.09%, 25th percentile), widespread exploitation is not currently observed, though authenticated exploitation reduces the attack surface compared to unauthenticated flaws. Patchstack has documented this vulnerability, indicating security researcher awareness and potential for proof-of-concept development.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-26969 HIGH This Week

Broken access control in PrivateContent WordPress plugin through version 8.11.5 allows authenticated subscribers to bypass authorization checks and execute high-impact modifications or deletions across the site. Reported by Patchstack security researchers, this vulnerability enables low-privileged users to perform administrative actions they should not have access to. EPSS exploitation probability is low at 0.13% (32nd percentile), and no active exploitation or public exploit code has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-26886 HIGH This Week

SQL injection in PublishPress Authors plugin (versions ≤4.7.3) allows authenticated high-privilege WordPress administrators to extract database contents and potentially cause denial of service via crafted SQL queries. CVSS vector indicates network-accessible attack with low complexity but requires high-privilege authentication and has changed scope (C:H/I:N/A:L). EPSS score of 0.12% (31st percentile) suggests relatively low probability of exploitation in the wild. No CISA KEV listing or public proof-of-concept identified at time of analysis. Patchstack vulnerability database serves as the primary disclosure source, indicating this was discovered through security research rather than incident response.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2024-13497 HIGH PATCH This Week

The WordPress form builder plugin for contact forms, surveys and quizzes - Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress XSS Tripetto
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2025-2325 HIGH PATCH This Week

The WP Test Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wp Test Email PHP
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-26972 HIGH This Week

Reflected cross-site scripting (XSS) in PrivateContent WordPress plugin through version 8.11.5 allows remote attackers to inject malicious JavaScript into victim browsers by crafting specially-formed URLs. The vulnerability requires user interaction (victim must click malicious link) but no authentication. Exploitation probability is low (EPSS 9%, 26th percentile) with no active exploitation confirmed and no CISA KEV listing. Patchstack has documented this vulnerability, indicating security research awareness.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26556 HIGH This Week

Reflected cross-site scripting (XSS) in WP AntiDDOS WordPress plugin versions through 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack with CVSS 7.1 due to changed scope, though EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability. No active exploitation confirmed via CISA KEV and no public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26555 HIGH This Week

Reflected cross-site scripting in Debug-Bar-Extender WordPress plugin versions through 0.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. This requires user interaction (victim must click a malicious link) but no authentication. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept code at time of analysis. The vulnerability affects a WordPress debugging tool typically used in development environments, reducing real-world exposure.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26554 HIGH This Week

Reflected cross-site scripting (XSS) in WP Discord Post WordPress plugin versions up to 2.1.0 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. Exploitation requires victim interaction (clicking a crafted URL) but no authentication, achieving cross-site scope impact with potential session hijacking and account takeover. Reported by Patchstack's audit team with EPSS exploitation probability at 0.09% (26th percentile), indicating low observed exploitation activity. No CISA KEV listing confirms this remains a theoretical risk rather than widespread active threat.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26553 HIGH This Week

Reflected cross-site scripting (XSS) in Pre Order Addon for WooCommerce versions through 2.2 allows remote attackers to execute malicious JavaScript in victim browsers via specially crafted URLs. The vulnerability requires victim interaction (UI:R) and enables cross-site scope (S:C) attacks, potentially leading to session hijacking, credential theft, or malicious actions performed in the context of authenticated WooCommerce administrators. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, with no public exploit code or CISA KEV listing identified. This is a typical stored input validation flaw in WordPress plugin development affecting e-commerce environments.

WordPress XSS Java
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26548 HIGH This Week

Reflected cross-site scripting (XSS) in Random Image Selector WordPress plugin versions through 2.4 allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling attacks via phishing or social engineering. EPSS score of 0.09% (26th percentile) indicates low exploitation probability. No public exploit identified at time of analysis, and vulnerability is not present in CISA KEV, suggesting limited real-world targeting despite medium-high CVSS 7.1.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23744 HIGH This Week

Reflected cross-site scripting (XSS) in Random Posts, Mp3 Player + ShareButton WordPress plugin through version 1.4.1 allows remote attackers to inject malicious scripts that execute in victim browsers with changed security context (scope change indicated in CVSS). Discovered by Patchstack security audit team. EPSS score of 0.08% (23rd percentile) indicates low current exploitation probability in the wild, and no active exploitation confirmed by CISA KEV. No public exploit code identified at time of analysis, though XSS vulnerabilities typically have low weaponization barriers.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-2025 MEDIUM PATCH This Month

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the give_reports_earnings() function in. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

WordPress Authentication Bypass Givewp PHP
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2024-12336 MEDIUM This Month

The WC Affiliate - A Complete WooCommerce Affiliate Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'export_all_data' function in all. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-2267 MEDIUM This Month

The WP01 plugin for WordPress is vulnerable to Arbitrary File Download in all versions up to, and including, 2.6.2 due to a missing capability check and insufficient restrictions on the. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1670 MEDIUM This Month

The School Management System - WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'cid' parameter in all versions up to, and including, 2.2.16 due to insufficient escaping on. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-1669 MEDIUM This Month

The School Management System - WPSchoolPress plugin for WordPress is vulnerable to SQL Injection via the 'addNotify' action in all versions up to, and including, 2.2.16 due to insufficient escaping. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-26924 MEDIUM This Month

Improper Control of Generation of Code ('Code Injection') vulnerability in NotFound Ohio Extra allows Code Injection.4.7. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-26895 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in maennchen1.de m1.DownloadList allows DOM-Based XSS.DownloadList: from n/a through 0.19. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-26899 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Recapture Cart Recovery and Email Marketing Recapture for WooCommerce allows Cross Site Request Forgery.0.43. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-25225 MEDIUM This Month

A privilege escalation vulnerability in the Hikashop component versions 1.0.0-5.1.3 for Joomla allows authenticated attackers (administrator) to escalate their privileges to Super Admin Permissions. Rated medium severity (CVSS 6.5), this vulnerability is low attack complexity. No vendor patch available.

Authentication Bypass Privilege Escalation Hikashop Joomla
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-26940 MEDIUM This Month

Path Traversal vulnerability in NotFound Pie Register Premium.8.3.2. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable. No vendor patch available.

Path Traversal
NVD
CVSS 3.1
6.3
EPSS
0.1%
CVE-2025-2164 MEDIUM This Month

The pixelstats plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'post_id' and 'sortby' parameters in all versions up to, and including, 0.8.2 due to insufficient input. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Pixelstats PHP
NVD
CVSS 3.1
6.1
EPSS
0.7%
CVE-2025-1773 MEDIUM This Month

The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress XSS Traveler PHP
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2025-2163 MEDIUM This Month

The Zoorum Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress CSRF XSS Zoorum Comments PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25222 MEDIUM This Month

The Thumbnail carousel slider plugin for WordPress is vulnerable to SQL Injection via the 'id' parameter in all versions up to, and including, 1.0.4 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress SQLi Thumbnail Carousel Slider
NVD
CVSS 3.1
4.9
EPSS
0.4%
CVE-2025-1668 MEDIUM This Month

The School Management System - WPSchoolPress plugin for WordPress is vulnerable to arbitrary user deletion due to a missing capability check on the wpsp_DeleteUser() function in all versions up to,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-1530 MEDIUM PATCH This Month

The Tripetto plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 8.0.9. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Tripetto PHP
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-1057 MEDIUM PATCH This Month

A flaw was found in Keylime, a remote attestation solution, where strict type checking introduced in version 7.12.0 prevents the registrar from reading database entries created by previous versions,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD VulDB GitHub
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-2157 LOW Monitor

A flaw was found in Foreman/Red Hat Satellite. Rated low severity (CVSS 3.3), this vulnerability is low attack complexity. No vendor patch available.

Red Hat Information Disclosure Privilege Escalation
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-0524 Awaiting Data

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. No vendor patch available.

Information Disclosure
NVD
CVE-2025-2333 Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD
CVE-2024-13847 Awaiting Data

Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. No vendor patch available.

Information Disclosure
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy