Skip to main content
CVE-2025-34126 HIGH POC This Week

Arbitrary file disclosure in RIPS Scanner 0.54 lets remote unauthenticated attackers read any file readable by the web server by supplying a directory-traversal payload in the 'file' parameter of the 'windows/code.php' script. Publicly available exploit code exists, including a Metasploit auxiliary module (rips_traversal.rb) and Exploit-DB entry 18660, making trivial mass exploitation of exposed instances practical. Not listed in CISA KEV, so no confirmed active exploitation, but the low-complexity, no-auth network vector combined with ready-made tooling makes opportunistic use straightforward.

Microsoft Path Traversal PHP
NVD Exploit-DB
CVSS 4.0
8.7
EPSS
1.5%
CVE-2025-29009 CRITICAL Act Now

Unrestricted file upload vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce through version 1.2.3 allows attackers to upload web shells to the server, enabling remote code execution. The plugin fails to properly validate uploaded file types, permitting dangerous executable files to be stored in web-accessible directories. No CVSS score or public exploit code has been published; however, the low EPSS score (0.11%, 29th percentile) suggests minimal exploitation probability despite the high intrinsic severity of arbitrary file upload to WordPress environments.

WordPress File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-30973 CRITICAL Act Now

Deserialization of untrusted data in Codexpert Inc's CoSchool LMS WordPress plugin through version 1.4.3 enables PHP object injection attacks, potentially allowing remote code execution or arbitrary action execution by unauthenticated attackers. EPSS score of 0.13% (33rd percentile) indicates low measured exploitation probability at time of analysis, with no confirmed active exploitation or public exploit code identified.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30949 CRITICAL Act Now

Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-28961 CRITICAL Act Now

Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-52836 CRITICAL Act Now

Privilege escalation in Unity Business Technology's E-Commerce ERP plugin (profitori) through version 2.1.1.3 allows attackers to gain elevated permissions due to incorrect privilege assignment. The vulnerability affects the WordPress plugin with EPSS exploitation probability at 0.09%, indicating low real-world exploitation likelihood despite the privilege escalation impact. No public exploit code or active exploitation (KEV status) has been confirmed.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-54010 CRITICAL Act Now

Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.

CSRF
NVD
CVSS 3.1
9.6
EPSS
0.0%
CVE-2025-28982 CRITICAL Act Now

SQL injection in WP Pipes WordPress plugin versions through 1.4.3 enables unauthenticated remote attackers to extract sensitive database contents and potentially disrupt service availability. The vulnerability carries CVSS 9.3 (Critical) due to network-accessible attack vector with no authentication or user interaction required, though real-world risk is moderated by low EPSS score (0.06%, 19th percentile) indicating minimal observed exploitation activity. Exploitation requires no special conditions beyond accessing the vulnerable WordPress installation, and Patchstack has published detailed vulnerability intelligence.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-52714 CRITICAL Act Now

SQL injection vulnerability in shinetheme Traveler WordPress theme versions before 3.2.2 allows attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability affects all versions up to and including 3.2.1, with an extremely low EPSS score of 0.05% (17th percentile) suggesting minimal real-world exploitation probability despite the critical nature of SQL injection attacks.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-30936 CRITICAL Act Now

SQL injection vulnerability in Torod Company for Information Technology's Torod plugin through version 2.1 allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability affects all versions up to and including 2.1, with no CVSS vector provided but classified as SQL injection (CWE-89). No public exploit code or active exploitation has been confirmed at time of analysis.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-28959 CRITICAL Act Now

SQL injection vulnerability in Md Yeasin Ul Haider URL Shortener (exact-links) plugin versions up to 3.0.7 allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability stems from improper sanitization of user-supplied input in SQL commands, enabling data exfiltration, modification, or deletion depending on database permissions. Actively exploited status unknown, though the issue affects a WordPress plugin with broad installation base; EPSS probability is low at 0.05% percentile, suggesting limited real-world exploitation despite technical severity.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-24759 CRITICAL Act Now

Blind SQL injection in CMSJunkie WP-BusinessDirectory WordPress plugin versions up to 3.1.4 allows unauthenticated remote attackers to execute arbitrary SQL queries against the plugin's database. This vulnerability, reported by Patchstack, enables attackers to extract sensitive data or manipulate database contents without direct visibility into query results, posing a significant risk to WordPress installations using affected versions.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-48300 CRITICAL Act Now

Upload of arbitrary files in Groundhogg WordPress plugin through version 4.2.1 enables attackers to upload web shells to the server, achieving remote code execution. The vulnerability stems from insufficient validation of uploaded file types, allowing an attacker to bypass file type restrictions and execute malicious code on the affected web server. This is a critical vulnerability affecting a widely-used WordPress plugin, though current EPSS scoring (0.09%) suggests low real-world exploitation probability at time of analysis.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-24777 HIGH This Week

Deserialization of Untrusted Data vulnerability in awethemes Hillter hillter allows Object Injection.This issue affects Hillter: from n/a through <= 3.0.7.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-31422 HIGH This Week

Object injection via unsafe deserialization in designthemes Visual Art | Gallery WordPress Theme (versions 2.4 and earlier) allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. No CVSS vector is available, and exploitation probability is low at 0.16 EPSS percentile 36%, with no confirmed public exploit code or active exploitation reported at time of analysis.

WordPress Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-24779 HIGH This Week

Object injection via unsafe deserialization in NooTheme Yogi WordPress theme versions before 2.9.3 allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or data manipulation. The vulnerability affects all Yogi theme installations below version 2.9.3 and carries a low exploitation probability (EPSS 0.16%, percentile 36%), with no confirmed active exploitation at time of analysis.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-28965 HIGH This Week

Missing authorization controls in the exact-links WordPress URL Shortener plugin (versions up to 3.0.7) allow unauthenticated or low-privileged attackers to access functionality that should be restricted by access control lists. The vulnerability stems from improper ACL enforcement, enabling unauthorized users to perform actions beyond their intended permissions without authentication requirements.

Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-32574 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM gym-management allows SQL Injection.This issue affects WPGYM: from n/a through <= 65.0.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-52819 HIGH This Week

SQL injection vulnerability in Pakke Envíos WordPress plugin versions up to 1.0.2 allows unauthenticated attackers to execute arbitrary SQL commands through improper input neutralization. The vulnerability affects a widely-distributed WordPress plugin with no CVSS score available; however, EPSS data indicates low exploitation probability at 0.05%, suggesting limited real-world attack interest or technical barriers. No public exploit code or active exploitation has been confirmed.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-49876 HIGH This Week

SQL injection vulnerability in ProfileGrid WordPress plugin versions through 5.9.5.2 allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability affects a widely-deployed WordPress community plugin with no active public exploitation confirmed at analysis time, but the low EPSS score (0.05th percentile) does not diminish the critical nature of SQL injection in production environments.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-47645 HIGH This Week

SQL injection vulnerability in ELEX WooCommerce Advanced Bulk Edit Products plugin allows authenticated attackers to execute arbitrary SQL commands through unvalidated input in versions up to 1.4.9. The vulnerability requires subscriber-level or higher WordPress user privileges and carries low exploitation probability (EPSS 0.05%) despite its critical nature, suggesting limited practical attack incentive or complexity factors currently limiting real-world abuse.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-54026 HIGH This Week

SQL injection in QuanticaLabs GymBase Theme Classes WordPress plugin versions up to 1.4 enables unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability exists in the gymbase_classes component and carries an EPSS score of 0.05% (16th percentile), indicating very low exploitation probability despite the critical nature of SQL injection flaws. No public exploit code or active exploitation has been identified at the time of analysis.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-7359 HIGH This Week

Arbitrary file deletion in Counter live visitors for WooCommerce plugin (WordPress) versions ≤1.3.6 allows unauthenticated attackers to delete entire directories on the server through insufficient path validation in wcvisitor_get_block function. Exploitation wipes all files within targeted directories, causing data loss or denial of service. Attack requires no authentication (CVSS PR:N). No public exploit identified at time of analysis.

Path Traversal WordPress Denial Of Service
NVD
CVSS 3.1
8.2
EPSS
0.9%
CVE-2025-6043 HIGH This Week

Arbitrary file deletion in Malcure Malware Scanner for WordPress (versions ≤17.0) permits authenticated attackers with Subscriber-level privileges to delete critical system files via wpmr_delete_file() function lacking capability checks. Exploitation enables path traversal to wp-config.php or other core files, creating conditions for remote code execution through redeployment of malicious files. Vulnerability active only when plugin's advanced mode enabled. Affects authenticated low-privilege users (PR:L). No public exploit identified at time of analysis.

RCE WordPress Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2025-49034 HIGH This Week

SQL injection in Aman Funnel Builder by FunnelKit WordPress plugin (versions through 3.10.2) allows attackers to execute arbitrary SQL commands against the site database. The vulnerability affects an unspecified function that fails to properly sanitize or parameterize user-supplied input before inclusion in SQL queries. No CVSS score, EPSS probability (0.05%, 15th percentile) indicates low real-world exploitation likelihood at time of analysis, and no active exploitation via CISA KEV or public exploit code has been confirmed.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-54043 HIGH This Week

SQL injection in YayCommerce SMTP for Amazon SES WordPress plugin through version 1.9 allows authenticated attackers to execute arbitrary SQL queries against the site database. The vulnerability exists in the plugin's improper handling of user input in SQL commands, enabling data exfiltration, modification, or deletion. Although no CVSS vector or public exploit code has been published, the low EPSS score (0.05%, 15th percentile) suggests limited practical exploitation despite the vulnerability's presence in an actively maintained plugin.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-48301 HIGH This Week

SQL injection vulnerability in YayCommerce SMTP for SendGrid (YaySMTP) WordPress plugin version 1.5 and earlier allows authenticated attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability enables data exfiltration, modification, or deletion depending on database permissions. EPSS score of 0.05% indicates low exploitation probability despite the SQL injection classification.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-48299 HIGH This Week

SQL injection vulnerability in YayCommerce YayExtra WordPress plugin up to version 1.5.5 allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database. The flaw stems from improper sanitization of user-supplied input in SQL queries, enabling database enumeration, data exfiltration, or potential privilege escalation. No public exploit code or active exploitation has been confirmed at time of analysis, though the low EPSS score (0.05%) suggests minimal real-world attack activity despite the vulnerability's technical severity.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-48161 HIGH This Week

SQL injection vulnerability in YayCommerce YaySMTP WordPress plugin through version 1.3 allows attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability affects the smtp-sendinblue plugin and has been reported by Patchstack security researchers; however, no public exploit code or confirmed active exploitation has been identified at this time. With an EPSS score of 0.05% (15th percentile), this represents a low exploitation probability despite the critical nature of SQL injection vulnerabilities.

SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-31070 HIGH This Week

Path traversal vulnerability in LambertGroup HTML5 Radio Player WPBakery Page Builder Addon (lbg-cleverbakery) versions 2.5 and earlier allows unauthenticated attackers to download arbitrary files from the server by manipulating pathname parameters. The vulnerability is rooted in improper input validation of file path requests, enabling attackers to traverse directory structures using relative path sequences. No active exploitation has been confirmed, and the low EPSS score (0.11th percentile) suggests limited real-world attack probability despite the moderate technical impact.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-28955 HIGH This Week

Path traversal in FWDesign Easy Video Player WordPress plugin through version 10.0 allows unauthenticated attackers to read arbitrary files from the server via directory traversal sequences. The vulnerability affects all versions up to and including 10.0, enabling direct file access without authentication. No public exploit code has been independently confirmed, though the low EPSS score (0.11%, 30th percentile) suggests limited real-world exploitation likelihood despite the straightforward attack vector.

WordPress Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-29000 HIGH This Week

August Infotech's Multi-language Responsive Contact Form WordPress plugin up to version 2.8 fails to properly enforce access controls, allowing unauthenticated attackers to access administrative functionality that should be restricted by role-based access control lists. The missing authorization checks enable unauthorized users to perform actions intended only for administrators, as evidenced by the CWE-862 classification and authentication bypass tag. EPSS scoring (0.07%) indicates low exploitation probability in the wild, but the vulnerability represents a direct authorization failure affecting a widely-distributed WordPress plugin.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-52803 HIGH This Week

Missing Authorization vulnerability in uxper Sala sala allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Sala: from n/a through <= 1.1.3.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-52804 HIGH This Week

Missing authorization controls in uxper Nuss theme through version 1.3.7.1 allow unauthenticated or low-privileged users to access functionality that should be restricted by access control lists. The vulnerability, classified as CWE-862 (Missing Authorization), enables attackers to bypass ACL restrictions and perform unauthorized actions within the theme's administrative or sensitive functions.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-53990 HIGH This Week

Object injection via unsafe deserialization in JetFormBuilder WordPress plugin through version 3.5.1.2 allows attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability affects all versions up to and including 3.5.1.2, with no CVSS score publicly assigned yet. EPSS exploitation probability is low at 0.14% (35th percentile), and no public exploit code or confirmed active exploitation has been identified at this time.

Deserialization
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-49888 HIGH This Week

Missing authorization in PW WooCommerce On Sale plugin up to version 1.39 allows attackers to exploit incorrectly configured access controls, potentially accessing restricted functionality without proper permission verification. This WordPress plugin vulnerability affects all versions through 1.39 and has low exploitation probability (EPSS 0.07%, percentile 22%), with no confirmed active exploitation or public exploit code identified at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52787 HIGH This Week

Reflected cross-site scripting (XSS) in EZiHosting Tennis Court Bookings WordPress plugin through version 1.2.7 allows unauthenticated attackers to inject malicious scripts into web pages viewed by administrators and users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52786 HIGH This Week

Reflected cross-site scripting (XSS) in Kingdom Creation Media Folder WordPress plugin versions through 1.0.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists in input handling during page generation and can be exploited by crafting specially-formed URLs, enabling session hijacking, credential theft, or malware distribution without requiring authentication or user interaction beyond visiting a malicious link.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52779 HIGH This Week

Reflected cross-site scripting (XSS) in the WordPress plugin Dot html,php,xml etc pages version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers. While a public advisory exists, the EPSS score of 0.04% indicates low exploitation probability, and no active exploitation or public proof-of-concept has been confirmed.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52777 HIGH This Week

Reflected cross-site scripting (XSS) in cmsMinds Pay with Contact Form 7 WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No public exploit code or active exploitation has been confirmed at time of analysis, and the 0.04% EPSS score indicates very low exploitation probability.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49031 HIGH This Week

Reflected cross-site scripting (XSS) in Stefan M. SMu Manual DoFollow WordPress plugin through version 1.8.1 allows unauthenticated attackers to inject malicious scripts into web pages viewed by site visitors. An attacker can craft a malicious URL and trick users into clicking it, executing arbitrary JavaScript in their browsers within the context of the vulnerable site. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.04% indicates low likelihood of exploitation in the wild, though the vulnerability remains a valid security concern for WordPress administrators.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48345 HIGH This Week

Reflected cross-site scripting (XSS) in Contact Form 7 Editor Button WordPress plugin version 1.0.0 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the vulnerability is readily exploitable given the low complexity of XSS attacks.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48291 HIGH This Week

Stored cross-site scripting (XSS) in Contest Gallery WordPress plugin version 26.0.6 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage in the plugin's database. No public exploit code has been identified, and real-world exploitation risk is considered low based on EPSS scoring (0.04% probability).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-47652 HIGH This Week

Reflected cross-site scripting (XSS) in Infility Global WordPress plugin through version 2.13.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited practical exploitation likelihood despite the XSS attack vector.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-47554 HIGH This Week

Reflected cross-site scripting (XSS) in the CSS3 Compare Pricing Tables for WordPress plugin through version 11.6 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through specially crafted URLs. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack likelihood despite the XSS vector.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-46500 HIGH This Week

Reflected cross-site scripting (XSS) in ValvePress WordPress Auto Spinner plugin versions up to 3.26.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exploits improper input neutralization during page generation, enabling attackers to steal session tokens, deface content, or redirect users to phishing sites through crafted URLs. No public exploit code has been identified, and exploitation likelihood is assessed as very low (EPSS 0.04%), suggesting this is a low-priority vulnerability despite the XSS classification.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31427 HIGH This Week

Reflected cross-site scripting (XSS) vulnerability in designthemes Invico WordPress theme version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites by crafting specially crafted URLs. No CVSS score has been assigned, but the EPSS exploitation probability is very low at 0.04% (13th percentile), and no public exploit code or active exploitation has been confirmed at time of analysis.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31072 HIGH This Week

Reflected cross-site scripting (XSS) in the Ofiz WordPress Business Consulting Theme through version 2.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when clicked. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%) suggests limited real-world attack probability despite the vector's potential for user interaction.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31055 HIGH This Week

Reflected cross-site scripting (XSS) in vergatheme Electrician WordPress theme version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users through crafted URLs. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected payload execution in victim browsers without authentication requirements.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-30955 HIGH This Week

Reflected cross-site scripting (XSS) in GT3themes ListingEasy WordPress theme through version 1.9.2 allows unauthenticated attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists in unspecified input handling during page generation, enabling attackers to craft malicious URLs that execute scripts in victims' browsers when clicked. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests limited real-world attack likelihood despite the high-impact nature of XSS.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy