Skip to main content
CVE-2025-30066 HIGH POC KEV THREAT Act Now

tj-actions/changed-files GitHub Action was compromised in a supply chain attack where modified tags pointed to credential-stealing code, exposing secrets from GitHub Actions workflows across thousands of repositories.

Information Disclosure Changed Files
NVD GitHub
CVSS 3.1
8.6
EPSS
92.0%
CVE-2025-26921 HIGH This Week

PHP object injection in Booking and Rental Manager for WooCommerce (WordPress plugin) versions up to 2.2.6 allows authenticated attackers with low privileges to execute arbitrary PHP code or manipulate application logic through deserialization of untrusted data. The CVSS score of 8.8 reflects high impact across confidentiality, integrity, and availability, though the low EPSS score (0.23%, 45th percentile) indicates minimal observed exploitation attempts. Patchstack discovered and reported this vulnerability, suggesting patch availability through their advisory.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1657 HIGH This Week

The Directory Listings WordPress plugin - uListing plugin for WordPress is vulnerable to unauthorized modification of data and PHP Object Injection due to a missing capability check on the. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-1667 HIGH This Week

The School Management System - WPSchoolPress plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the wpsp_UpdateTeacher() function in all versions up to,. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Authentication Bypass Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-1653 HIGH This Week

The Directory Listings WordPress plugin - uListing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.7. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

WordPress Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-26961 HIGH This Week

Broken access control in Fresh Framework WordPress plugin through version 1.70.0 allows remote unauthenticated attackers to access privileged functionality without proper authorization checks. The vulnerability bypasses authentication requirements (tagged as Authentication Bypass), enabling unauthorized modification of plugin settings or data (high integrity impact) with partial information disclosure. EPSS probability remains low (0.12%, 31st percentile), indicating limited observed exploitation attempts, though the network-accessible attack vector and lack of complexity make exploitation straightforward once discovered.

Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-27281 HIGH This Week

Blind SQL injection in All In Menu WordPress plugin versions up to 1.1.5 allows authenticated attackers with low-level privileges to extract sensitive database information and potentially cause limited denial of service. The vulnerability's scope change (S:C) indicates potential cross-boundary impact, enabling attackers to access data beyond the plugin's normal authorization scope. No public exploit identified at time of analysis, with low EPSS score (0.12%, 31st percentile) indicating minimal observed exploitation activity in the wild.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-26976 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Aldo Latino PrivateContent.11.4. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-26978 HIGH This Week

SQL injection in FS Poster WordPress plugin version 6.5.8 and earlier allows authenticated attackers with low privileges to extract sensitive database information and potentially cause service disruption. The vulnerability enables cross-scope impact, meaning attackers can access resources beyond their authorized boundary. With a low EPSS score (0.09%, 25th percentile), widespread exploitation is not currently observed, though authenticated exploitation reduces the attack surface compared to unauthenticated flaws. Patchstack has documented this vulnerability, indicating security researcher awareness and potential for proof-of-concept development.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-26969 HIGH This Week

Broken access control in PrivateContent WordPress plugin through version 8.11.5 allows authenticated subscribers to bypass authorization checks and execute high-impact modifications or deletions across the site. Reported by Patchstack security researchers, this vulnerability enables low-privileged users to perform administrative actions they should not have access to. EPSS exploitation probability is low at 0.13% (32nd percentile), and no active exploitation or public exploit code has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
8.3
EPSS
0.1%
CVE-2025-26886 HIGH This Week

SQL injection in PublishPress Authors plugin (versions ≤4.7.3) allows authenticated high-privilege WordPress administrators to extract database contents and potentially cause denial of service via crafted SQL queries. CVSS vector indicates network-accessible attack with low complexity but requires high-privilege authentication and has changed scope (C:H/I:N/A:L). EPSS score of 0.12% (31st percentile) suggests relatively low probability of exploitation in the wild. No CISA KEV listing or public proof-of-concept identified at time of analysis. Patchstack vulnerability database serves as the primary disclosure source, indicating this was discovered through security research rather than incident response.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.1%
CVE-2024-13497 HIGH PATCH This Week

The WordPress form builder plugin for contact forms, surveys and quizzes - Tripetto plugin for WordPress is vulnerable to Stored Cross-Site Scripting via attachment uploads in all versions up to, and. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress XSS Tripetto
NVD
CVSS 3.1
7.2
EPSS
0.7%
CVE-2025-2325 HIGH PATCH This Week

The WP Test Email plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Email Logs in all versions up to, and including, 1.1.8 due to insufficient input sanitization and output. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

WordPress XSS Wp Test Email PHP
NVD
CVSS 3.1
7.2
EPSS
0.5%
CVE-2025-26972 HIGH This Week

Reflected cross-site scripting (XSS) in PrivateContent WordPress plugin through version 8.11.5 allows remote attackers to inject malicious JavaScript into victim browsers by crafting specially-formed URLs. The vulnerability requires user interaction (victim must click malicious link) but no authentication. Exploitation probability is low (EPSS 9%, 26th percentile) with no active exploitation confirmed and no CISA KEV listing. Patchstack has documented this vulnerability, indicating security research awareness.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26556 HIGH This Week

Reflected cross-site scripting (XSS) in WP AntiDDOS WordPress plugin versions through 2.0 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack with CVSS 7.1 due to changed scope, though EPSS score of 0.09% (26th percentile) indicates low observed exploitation probability. No active exploitation confirmed via CISA KEV and no public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26555 HIGH This Week

Reflected cross-site scripting in Debug-Bar-Extender WordPress plugin versions through 0.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. This requires user interaction (victim must click a malicious link) but no authentication. Exploitation probability is low (EPSS 0.09%, 26th percentile) with no evidence of active exploitation or public proof-of-concept code at time of analysis. The vulnerability affects a WordPress debugging tool typically used in development environments, reducing real-world exposure.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26554 HIGH This Week

Reflected cross-site scripting (XSS) in WP Discord Post WordPress plugin versions up to 2.1.0 enables remote attackers to execute arbitrary JavaScript in victim browsers via malicious links. Exploitation requires victim interaction (clicking a crafted URL) but no authentication, achieving cross-site scope impact with potential session hijacking and account takeover. Reported by Patchstack's audit team with EPSS exploitation probability at 0.09% (26th percentile), indicating low observed exploitation activity. No CISA KEV listing confirms this remains a theoretical risk rather than widespread active threat.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26553 HIGH This Week

Reflected cross-site scripting (XSS) in Pre Order Addon for WooCommerce versions through 2.2 allows remote attackers to execute malicious JavaScript in victim browsers via specially crafted URLs. The vulnerability requires victim interaction (UI:R) and enables cross-site scope (S:C) attacks, potentially leading to session hijacking, credential theft, or malicious actions performed in the context of authenticated WooCommerce administrators. EPSS score of 0.09% (26th percentile) indicates low probability of mass exploitation, with no public exploit code or CISA KEV listing identified. This is a typical stored input validation flaw in WordPress plugin development affecting e-commerce environments.

WordPress XSS Java
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-26548 HIGH This Week

Reflected cross-site scripting (XSS) in Random Image Selector WordPress plugin versions through 2.4 allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling attacks via phishing or social engineering. EPSS score of 0.09% (26th percentile) indicates low exploitation probability. No public exploit identified at time of analysis, and vulnerability is not present in CISA KEV, suggesting limited real-world targeting despite medium-high CVSS 7.1.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-23744 HIGH This Week

Reflected cross-site scripting (XSS) in Random Posts, Mp3 Player + ShareButton WordPress plugin through version 1.4.1 allows remote attackers to inject malicious scripts that execute in victim browsers with changed security context (scope change indicated in CVSS). Discovered by Patchstack security audit team. EPSS score of 0.08% (23rd percentile) indicates low current exploitation probability in the wild, and no active exploitation confirmed by CISA KEV. No public exploit code identified at time of analysis, though XSS vulnerabilities typically have low weaponization barriers.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy