91 CVEs tracked today. 0 Critical, 2 High, 3 Medium, 0 Low.
-
CVE-2025-7359
HIGH
CVSS 8.2
Arbitrary file deletion in Counter live visitors for WooCommerce plugin (WordPress) versions ≤1.3.6 allows unauthenticated attackers to delete entire directories on the server through insufficient path validation in the wcvisitor_get_block function. Exploitation wipes all files within targeted directories, causing data loss or denial of service. The attack requires no authentication (CVSS PR:N). No public exploit identified at time of analysis.
Path Traversal
WordPress
Denial Of Service
-
CVE-2025-6043
HIGH
CVSS 8.1
Arbitrary file deletion in Malcure Malware Scanner for WordPress (versions ≤17.0) permits authenticated attackers with Subscriber-level privileges to delete critical system files via the wpmr_delete_file() function, which lacks capability checks. Exploitation enables path traversal to wp-config.php or other core files, creating conditions for remote code execution through redeployment of malicious files. The vulnerability is active only when the plugin's advanced mode is enabled. It affects authenticated low-privilege users (PR:L). No public exploit identified at time of analysis.
RCE
WordPress
Authentication Bypass
-
CVE-2025-54050
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in CyberChimps Responsive Addons for Elementor versions up to 1.7.3 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, enabling credential theft, malware distribution, or website defacement. The vulnerability requires user interaction and affects WordPress installations using this plugin; exploitation probability is low (EPSS 0.04%) but impact is moderate given the stored nature of the attack.
WordPress
PHP
XSS
Responsive Addons For Elementor
-
CVE-2025-5845
MEDIUM
CVSS 6.4
Stored cross-site scripting in Affiliate Reviews plugin for WordPress (versions up to 1.0.6) allows authenticated attackers with Contributor-level or higher privileges to inject arbitrary JavaScript via the 'numColumns' parameter, which executes in the browsers of any user viewing the affected page. The vulnerability stems from insufficient input sanitization and output escaping in the block-reviews-grid-style.php template. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
XSS
-
CVE-2025-5843
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting (XSS) in the Brandfolder WordPress plugin up to version 5.0.19 allows authenticated attackers with Contributor-level permissions or above to inject arbitrary JavaScript via the 'id' parameter, which executes in the browser context of any user accessing the affected page. The vulnerability stems from insufficient input sanitization and output escaping. No public exploit code or active exploitation has been confirmed at the time of analysis; however, the low attack complexity and requirement only for Contributor-level authentication make this a practical risk in multi-user WordPress environments. A patched version (5.0.20) is available from the vendor.
WordPress
XSS
-
CVE-2025-54051
None
Stored cross-site scripting (XSS) vulnerability in bPlugins LightBox Block WordPress plugin versions 1.1.30 and earlier allows authenticated attackers to inject malicious scripts that execute in the browsers of site administrators and other users viewing affected content. The vulnerability exists in the web page generation process where user input is not properly neutralized before being rendered, enabling persistence of malicious payloads within the WordPress database. No active exploitation has been confirmed, and the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation risk despite the stored nature of the vulnerability.
WordPress
PHP
XSS
-
CVE-2025-54047
None
Missing authorization controls in QuanticaLabs Cost Calculator WordPress plugin version 7.4 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability enables attackers to access or modify calculator functionality that should be restricted, with an extremely low exploitation probability (EPSS 0.05%) suggesting minimal real-world attack activity despite the access control weakness.
WordPress
PHP
Authentication Bypass
-
CVE-2025-54043
None
SQL injection in YayCommerce SMTP for Amazon SES WordPress plugin through version 1.9 allows authenticated attackers to execute arbitrary SQL queries against the site database. The vulnerability exists in the plugin's improper handling of user input in SQL commands, enabling data exfiltration, modification, or deletion. No CVSS vector or public exploit code has been published, and the low EPSS score (0.05%, 15th percentile) suggests limited practical exploitation despite the vulnerability's presence in an actively maintained plugin.
SQLi
-
CVE-2025-54042
None
Cross-site request forgery in Xfinitysoft WP Post Hide plugin for WordPress versions 1.0.9 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators through malicious web pages, with an EPSS exploitation probability of 0.02% indicating minimal real-world attack likelihood despite the vulnerability's presence.
WordPress
PHP
CSRF
-
CVE-2025-54041
None
Cross-site request forgery in WP Swings Wallet System for WooCommerce plugin through version 2.6.7 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious web pages. The vulnerability affects all installations of the plugin up to and including version 2.6.7, with no public exploit code identified at time of analysis, though the low EPSS score (0.02%) suggests minimal real-world exploitation likelihood despite the straightforward attack mechanism.
WordPress
PHP
CSRF
Woocommerce
-
CVE-2025-54039
None
Cross-site request forgery (CSRF) in Toast Plugins Animator WordPress plugin versions through 3.0.16 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge. The vulnerability affects the scroll-triggered-animations plugin and carries low exploitation probability (EPSS 0.02%, 6th percentile) with no active exploitation confirmed. While CSRF vulnerabilities typically require social engineering to trick users into visiting malicious pages, this issue could be leveraged to modify plugin settings or website content if a site administrator visits an attacker-controlled page.
WordPress
PHP
CSRF
-
CVE-2025-54038
None
Cross-site request forgery (CSRF) in Restaurant Menu by MotoPress WordPress plugin versions up to 2.4.6 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting malicious web pages. The vulnerability affects the plugin's core request handling and lacks CVSS score data, but EPSS analysis indicates low exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been identified.
WordPress
PHP
CSRF
-
CVE-2025-54037
None
News Kit Elementor Addons WordPress plugin version 1.3.4 and earlier contains a missing authorization vulnerability that allows attackers to exploit incorrectly configured access control, potentially bypassing security restrictions on protected functionality. The vulnerability stems from improper access control checks and affects a widely-distributed WordPress plugin used for news content management within Elementor page builder environments. While CVSS scoring is unavailable, the EPSS score of 0.07% indicates low real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
WordPress
PHP
Authentication Bypass
-
CVE-2025-54036
None
Cross-site request forgery (CSRF) in Webba Appointment Booking plugin (webba-booking-lite) through version 5.1.20 allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects the WordPress plugin and carries a low exploitation probability (EPSS 0.02%, percentile 6%), with no public exploit code identified at the time of analysis.
WordPress
PHP
CSRF
-
CVE-2025-54035
None
Cross-site request forgery in Tribulant Software Newsletters (newsletters-lite) plugin versions up to 4.10 allows attackers to perform unauthorized administrative actions by tricking authenticated users into visiting malicious pages. The vulnerability affects a widely-distributed WordPress plugin with no CVSS vector or CVSS score assigned, though EPSS scoring indicates minimal real-world exploitation probability (0.02%, 6th percentile). No public exploit code or active exploitation has been confirmed.
WordPress
PHP
CSRF
-
CVE-2025-54033
None
Cross-site request forgery (CSRF) in BlocksWP Theme Builder For Elementor plugin versions through 1.2.3 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users. The vulnerability lacks a published CVSS score and shows minimal exploitation probability (0.02% EPSS), with no public exploit code or active exploitation reported, suggesting limited real-world risk.
WordPress
PHP
CSRF
-
CVE-2025-54030
None
Cross-Site Request Forgery (CSRF) vulnerability in WesternDeal WooCommerce Google Sheet Connector plugin versions up to 1.3.20 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated WordPress administrators. The plugin fails to implement proper CSRF token validation on critical functionality, enabling attackers to craft malicious requests that execute actions without explicit user consent. Although EPSS scoring indicates low exploitation probability (0.02%), CSRF vulnerabilities targeting WordPress admin functions represent a meaningful risk in multi-admin environments where social engineering can trick administrators into visiting attacker-controlled pages.
WordPress
Woocommerce
PHP
CSRF
-
CVE-2025-54026
None
SQL injection in QuanticaLabs GymBase Theme Classes WordPress plugin versions up to 1.4 enables unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability exists in the gymbase_classes component and carries an EPSS score of 0.05% (16th percentile), indicating very low exploitation probability despite the critical nature of SQL injection flaws. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
PHP
SQLi
-
CVE-2025-54024
None
DOM-based cross-site scripting (XSS) in WPAdverts WordPress plugin versions 2.2.5 and earlier allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability enables arbitrary JavaScript execution in the context of affected websites, potentially leading to session hijacking, credential theft, or malware distribution. No active exploitation has been confirmed, and EPSS probability remains low at 0.04%.
WordPress
PHP
XSS
-
CVE-2025-54023
None
DOM-based cross-site scripting (XSS) vulnerability in WP Delicious plugin versions 1.8.4 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks against WordPress sites using the affected plugin. No CVSS score or exploitation data is available, but the low EPSS score (0.04%) suggests limited real-world exploitation probability at the time of analysis.
WordPress
PHP
XSS
-
CVE-2025-54022
None
Cross-site request forgery (CSRF) in the RelyWP Coupon Affiliates WordPress plugin (woo-coupon-usage) through version 6.4.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the plugin's coupon management functionality and requires user interaction (tricking an admin into visiting a malicious page), but carries negligible real-world exploitation probability per EPSS scoring (0.02%, 6th percentile).
WordPress
PHP
CSRF
-
CVE-2025-54020
None
Erik AntiSpam for Contact Form 7 plugin versions through 0.6.3 fails to implement proper CSRF token validation, allowing attackers to forge requests that modify plugin settings or trigger unintended actions on behalf of authenticated administrators. The vulnerability affects WordPress installations with this plugin active, though the extremely low EPSS score (0.02%) suggests practical exploitation barriers or limited real-world impact despite the CVSS categorization.
WordPress
PHP
CSRF
-
CVE-2025-54018
None
Missing authorization controls in CreativeMindsSolutions CM Pop-Up banners WordPress plugin versions 1.8.4 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of access control checks on sensitive functionality, enabling attackers to perform unauthorized actions through direct API or parameter manipulation without requiring valid credentials or proper authorization validation.
WordPress
PHP
Authentication Bypass
-
CVE-2025-54016
None
DOM-based cross-site scripting (XSS) in Kyle Gilman Videopack plugin for WordPress (versions up to 4.10.3) allows authenticated attackers to inject malicious scripts into video embed pages. The vulnerability improperly neutralizes user input during web page generation, enabling attackers to execute arbitrary JavaScript in the context of affected video pages. No active exploitation has been confirmed, and the EPSS score of 0.04% indicates minimal probability of exploitation.
WordPress
PHP
XSS
-
CVE-2025-54015
None
Local file inclusion vulnerability in HT Contact Form 7 plugin version 2.0.0 and earlier allows unauthenticated attackers to read arbitrary files from the server filesystem, potentially exposing sensitive configuration files, credentials, and source code. The vulnerability exists in PHP file inclusion/require statements that fail to properly validate or sanitize user-supplied input, enabling attackers to traverse the directory structure and access files outside the intended directory scope. An EPSS score of 0.14% indicates low exploitation probability despite the technical capability; the vulnerability requires direct web interaction and poses information disclosure risks rather than remote code execution.
Information Disclosure
PHP
-
CVE-2025-54013
None
Stored cross-site scripting (XSS) in Welcart e-Commerce WordPress plugin versions 2.11.16 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or customer data. The vulnerability exists in the web page generation process where user input is not properly sanitized before being stored and rendered to other users. No public exploit code or active exploitation has been confirmed, but the low EPSS score (0.04%) suggests limited real-world attack probability despite the XSS classification.
WordPress
PHP
XSS
-
CVE-2025-54011
None
Missing authorization in SMTP2GO WordPress plugin versions through 1.12.1 allows unauthenticated attackers to exploit incorrectly configured access control mechanisms to bypass authentication and gain unauthorized access to SMTP2GO functionality. The vulnerability stems from broken access control rather than a cryptographic or input validation flaw, enabling attackers to interact with protected endpoints without proper privilege verification. While EPSS scoring indicates low exploitation probability (0.05%, percentile 17%), the nature of access control bypass vulnerabilities means real-world risk depends heavily on what sensitive operations are exposed.
Authentication Bypass
-
CVE-2025-54010
None
Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.
WordPress
PHP
CSRF
-
CVE-2025-54009
None
Stored cross-site scripting (XSS) in Crocoblock JetSmartFilters WordPress plugin through version 3.6.8 allows attackers to inject persistent malicious scripts that execute in the browsers of site administrators and users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to compromise site integrity and steal sensitive data or session tokens. No public exploit code has been identified at the time of analysis, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world exploitation likelihood despite the high-severity XSS classification.
WordPress
PHP
XSS
-
CVE-2025-54006
None
Stored cross-site scripting (XSS) in Bold Page Builder WordPress plugin through version 5.4.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users viewing affected pages. The vulnerability stems from improper input neutralization during page generation, enabling attackers with page creation or editing capabilities to embed persistent XSS payloads. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04th percentile) reflects limited real-world attack probability despite the vulnerability's presence in a widely-installed page builder plugin.
WordPress
PHP
XSS
-
CVE-2025-53997
None
Missing authorization controls in favethemes Houzez WordPress theme through version 4.0.4 allow unauthenticated attackers to bypass access control restrictions and access resources they should not be permitted to view. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is low despite the vulnerability's presence in a popular real estate theme.
WordPress
PHP
Authentication Bypass
-
CVE-2025-53996
None
Stored cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions 3.5.10.1 and earlier allows attackers to inject malicious scripts that persist in the application and execute in users' browsers when the affected pages are viewed. The vulnerability resides in improper input neutralization during web page generation, enabling attackers with sufficient permissions to store XSS payloads that compromise other users' sessions and data. No public exploit code or active exploitation has been confirmed; however, the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack probability despite the persistent nature of the vulnerability.
WordPress
PHP
XSS
-
CVE-2025-53995
None
Stored XSS vulnerability in Crocoblock JetPopup WordPress plugin up to version 2.0.15.1 allows authenticated attackers to inject malicious scripts that execute in the browsers of site visitors and administrators. The vulnerability exists in web page generation logic where user input is not properly sanitized before being rendered, enabling persistent script injection. Despite low EPSS score (0.04%), stored XSS in WordPress plugins poses significant risk due to broad exposure to site visitors and the potential for session hijacking, credential theft, or privilege escalation when executed in admin contexts.
WordPress
PHP
XSS
-
CVE-2025-53994
None
Improper input neutralization in Crocoblock JetPopup plugin (versions up to 2.0.15) allows DOM-based cross-site scripting (XSS) attacks. The vulnerability enables attackers to inject and execute malicious JavaScript in the context of a web browser when a user interacts with a popup, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%, 13th percentile) suggests minimal real-world exploitation likelihood despite the vulnerability being disclosed.
WordPress
PHP
XSS
-
CVE-2025-53991
None
Stored cross-site scripting (XSS) in Crocoblock JetTricks WordPress plugin versions up to 1.5.4.1 allows authenticated attackers to inject malicious scripts that persist in the application and execute in the browsers of other users. The vulnerability stems from improper input sanitization during web page generation, enabling attackers with plugin access to compromise site visitors. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
PHP
XSS
-
CVE-2025-53990
None
Object injection via unsafe deserialization in JetFormBuilder WordPress plugin through version 3.5.1.2 allows attackers to instantiate arbitrary PHP objects and potentially achieve remote code execution. The vulnerability affects all versions up to and including 3.5.1.2, with no CVSS score publicly assigned yet. EPSS exploitation probability is low at 0.14% (35th percentile), and no public exploit code or confirmed active exploitation has been identified at this time.
Deserialization
-
CVE-2025-53989
None
Stored cross-site scripting in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.19 enables authenticated attackers to inject malicious scripts into web pages that execute in the browsers of site visitors and administrators. The vulnerability resides in improper input sanitization during page generation, allowing persistent XSS payload storage in the WordPress database. No public exploit code has been identified at time of analysis, though the low EPSS score (0.04%) suggests limited real-world exploitation despite the stored XSS vector.
WordPress
PHP
XSS
-
CVE-2025-53986
None
Missing authorization controls in themeisle Hestia WordPress theme through version 3.2.10 allow unauthenticated attackers to access functionality that should be restricted by access control lists, enabling potential unauthorized actions within affected WordPress installations. The vulnerability has a low exploitation probability (EPSS 0.06%) and no confirmed active exploitation or public exploit code at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-53984
None
Stored XSS vulnerability in Crocoblock JetTabs WordPress plugin version 2.2.9 and earlier allows authenticated attackers to inject malicious scripts into web pages, which execute in the browsers of site visitors. The vulnerability stems from improper input sanitization during web page generation, enabling persistent payload storage and site-wide impact. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%) suggests limited real-world exploitation probability despite the persistent nature of stored XSS.
WordPress
PHP
XSS
-
CVE-2025-53982
None
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin version 2.7.7 and earlier allows authenticated users to inject malicious scripts into web pages that execute in the browsers of other users viewing the affected content. The vulnerability exists in the plugin's input handling during web page generation, enabling persistent XSS attacks through stored payloads. While no public exploit code has been identified, the low EPSS score (0.04%) suggests limited real-world exploitation likelihood despite the moderate attack surface of WordPress plugins.
WordPress
PHP
XSS
-
CVE-2025-52836
None
Privilege escalation in Unity Business Technology's E-Commerce ERP plugin (profitori) through version 2.1.1.3 allows attackers to gain elevated permissions due to incorrect privilege assignment. The vulnerability affects the WordPress plugin with EPSS exploitation probability at 0.09%, indicating low real-world exploitation likelihood despite the privilege escalation impact. No public exploit code or active exploitation (KEV status) has been confirmed.
Privilege Escalation
-
CVE-2025-52819
None
SQL injection vulnerability in Pakke Envíos WordPress plugin versions up to 1.0.2 allows unauthenticated attackers to execute arbitrary SQL commands through improper input neutralization. The vulnerability affects a widely-distributed WordPress plugin with no CVSS score available; however, EPSS data indicates low exploitation probability at 0.05%, suggesting limited real-world attack interest or technical barriers. No public exploit code or active exploitation has been confirmed.
SQLi
-
CVE-2025-52804
None
Missing authorization controls in uxper Nuss theme through version 1.3.7.1 allow unauthenticated or low-privileged users to access functionality that should be restricted by access control lists. The vulnerability, classified as CWE-862 (Missing Authorization), enables attackers to bypass ACL restrictions and perform unauthorized actions within the theme's administrative or sensitive functions.
Information Disclosure
-
CVE-2025-52787
None
Reflected cross-site scripting (XSS) in EZiHosting Tennis Court Bookings WordPress plugin through version 1.2.7 allows unauthenticated attackers to inject malicious scripts into web pages viewed by administrators and users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session tokens, redirect users, or perform actions on behalf of victims through crafted URLs. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
PHP
XSS
-
CVE-2025-52786
None
Reflected cross-site scripting (XSS) in Kingdom Creation Media Folder WordPress plugin versions through 1.0.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exists in input handling during page generation and can be exploited by crafting specially-formed URLs, enabling session hijacking, credential theft, or malware distribution without requiring authentication or user interaction beyond visiting a malicious link.
WordPress
XSS
PHP
-
CVE-2025-52779
None
Reflected cross-site scripting (XSS) in the WordPress plugin Dot html,php,xml etc pages version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers. While a public advisory exists, the EPSS score of 0.04% indicates low exploitation probability, and no active exploitation or public proof-of-concept has been confirmed.
PHP
XSS
-
CVE-2025-52777
None
Reflected cross-site scripting (XSS) in cmsMinds Pay with Contact Form 7 WordPress plugin through version 1.0.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by victims. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites. No public exploit code or active exploitation has been confirmed at time of analysis, and the 0.04% EPSS score indicates very low exploitation probability.
WordPress
PHP
XSS
-
CVE-2025-52714
None
SQL injection vulnerability in shinetheme Traveler WordPress theme versions before 3.2.2 allows attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability affects all versions up to and including 3.2.1, with an extremely low EPSS score of 0.05% (17th percentile) suggesting minimal real-world exploitation probability despite the critical nature of SQL injection attacks.
WordPress
PHP
SQLi
-
CVE-2025-50028
None
CodeSolz Ultimate Push Notifications WordPress plugin through version 1.2.0 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control to bypass security levels and gain unauthorized access to sensitive functionality. The vulnerability is classified as CWE-862 (Missing Authorization) with low exploitation probability (EPSS 0.07%, 22nd percentile), indicating real-world exploitation risk is minimal despite the access control deficiency.
WordPress
PHP
Authentication Bypass
-
CVE-2025-49888
None
Missing authorization in PW WooCommerce On Sale plugin up to version 1.39 allows attackers to exploit incorrectly configured access controls, potentially accessing restricted functionality without proper permission verification. This WordPress plugin vulnerability affects all versions through 1.39 and has low exploitation probability (EPSS 0.07%, percentile 22%), with no confirmed active exploitation or public exploit code identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-49884
None
Missing authorization controls in the Internal Linking of Related Contents WordPress plugin (versions up to 1.1.8) allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from improper implementation of access controls (CWE-862) and carries a low EPSS score of 0.07% despite the authorization flaw, suggesting limited real-world exploitation probability at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-49876
None
SQL injection vulnerability in ProfileGrid WordPress plugin versions through 5.9.5.2 allows unauthenticated remote attackers to execute arbitrary SQL queries, potentially leading to unauthorized data access, modification, or deletion of database contents. The vulnerability affects a widely-deployed WordPress community plugin with no active public exploitation confirmed at analysis time, but the low EPSS score (0.05th percentile) does not diminish the critical nature of SQL injection in production environments.
WordPress
PHP
SQLi
-
CVE-2025-49319
None
Missing authorization in WPFactory Wishlist for WooCommerce through version 3.2.3 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions on wishlists. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive wishlist functionality. With an EPSS score of 0.07% (22nd percentile), real-world exploitation likelihood is currently low, but the issue affects a popular WooCommerce plugin used across numerous e-commerce sites.
WordPress
PHP
Authentication Bypass
-
CVE-2025-49034
None
SQL injection in Aman Funnel Builder by FunnelKit WordPress plugin (versions through 3.10.2) allows attackers to execute arbitrary SQL commands against the site database. The vulnerability affects an unspecified function that fails to properly sanitize or parameterize user-supplied input before inclusion in SQL queries. No CVSS score has been assigned; the EPSS probability (0.05%, 15th percentile) indicates low real-world exploitation likelihood at time of analysis, and no active exploitation via CISA KEV or public exploit code has been confirmed.
WordPress
PHP
SQLi
-
CVE-2025-49031
None
Reflected cross-site scripting (XSS) in Stefan M. SMu Manual DoFollow WordPress plugin through version 1.8.1 allows unauthenticated attackers to inject malicious scripts into web pages viewed by site visitors. An attacker can craft a malicious URL and trick users into clicking it, executing arbitrary JavaScript in their browsers within the context of the vulnerable site. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.04% indicates low likelihood of exploitation in the wild, though the vulnerability remains a valid security concern for WordPress administrators.
WordPress
PHP
XSS
-
CVE-2025-48345
None
Reflected cross-site scripting (XSS) in Contact Form 7 Editor Button WordPress plugin version 1.0.0 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by users. The vulnerability exists in the plugin's input handling during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through crafted URLs. No public exploit code or active exploitation has been confirmed at the time of analysis, though the vulnerability is readily exploitable given the low complexity of XSS attacks.
WordPress
PHP
XSS
-
CVE-2025-48301
None
SQL injection vulnerability in YayCommerce SMTP for SendGrid (YaySMTP) WordPress plugin version 1.5 and earlier allows authenticated attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability enables data exfiltration, modification, or deletion depending on database permissions. EPSS score of 0.05% indicates low exploitation probability despite the SQL injection classification.
WordPress
PHP
SQLi
-
CVE-2025-48300
None
Upload of arbitrary files in Groundhogg WordPress plugin through version 4.2.1 enables attackers to upload web shells to the server, achieving remote code execution. The vulnerability stems from insufficient validation of uploaded file types, allowing an attacker to bypass file type restrictions and execute malicious code on the affected web server. This is a critical vulnerability affecting a widely-used WordPress plugin, though current EPSS scoring (0.09%) suggests low real-world exploitation probability at time of analysis.
WordPress
PHP
File Upload
RCE
-
CVE-2025-48299
None
SQL injection vulnerability in YayCommerce YayExtra WordPress plugin up to version 1.5.5 allows unauthenticated remote attackers to execute arbitrary SQL commands against the underlying database. The flaw stems from improper sanitization of user-supplied input in SQL queries, enabling database enumeration, data exfiltration, or potential privilege escalation. No public exploit code or active exploitation has been confirmed at time of analysis, though the low EPSS score (0.05%) suggests minimal real-world attack activity despite the vulnerability's technical severity.
SQLi
PHP
-
CVE-2025-48295
None
Stored cross-site scripting (XSS) in Easy Elementor Addons WordPress plugin through version 2.2.5 allows authenticated users to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or website functionality. The vulnerability affects the plugin's web page generation process and has been confirmed by security researchers at Patchstack, though no evidence of active exploitation or public exploit code is documented.
WordPress
PHP
XSS
-
CVE-2025-48294
None
Server-Side Request Forgery (SSRF) in FG Drupal to WordPress plugin versions 3.90.0 and earlier allows remote attackers to make arbitrary HTTP requests from the affected WordPress server, potentially accessing internal services, cloud metadata endpoints, or other backend resources. The vulnerability has an extremely low EPSS score (0.03%, 10th percentile), indicating minimal observed exploitation probability despite public availability of vulnerability details.
WordPress
PHP
SSRF
-
CVE-2025-48291
None
Stored cross-site scripting (XSS) in Contest Gallery WordPress plugin version 26.0.6 and earlier allows authenticated or unauthenticated attackers to inject malicious scripts that execute in other users' browsers when viewing affected pages. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage in the plugin's database. No public exploit code has been identified, and real-world exploitation risk is considered low based on EPSS scoring (0.04% probability).
WordPress
PHP
XSS
-
CVE-2025-48167
None
Missing authorization controls in Chatbox Manager WordPress plugin versions 1.2.5 and earlier allow unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of role-based access checks, potentially enabling unauthorized users to access or modify sensitive chatbox functionality. With an EPSS score of 0.05% and no evidence of active exploitation, this is a lower-priority vulnerability suitable for routine patching cycles.
WordPress
PHP
Authentication Bypass
-
CVE-2025-48166
None
Missing authorization controls in the Stop and Block Bots plugin (Anti bots) for WordPress through version 1.48 allows attackers to access functionality that should be restricted by access control lists, enabling unauthorized administrative operations without proper authentication. The vulnerability is classified as broken access control (CWE-862) with low exploitation probability (EPSS 0.06%) and no confirmed active exploitation.
WordPress
PHP
Authentication Bypass
-
CVE-2025-48161
None
SQL injection vulnerability in YayCommerce YaySMTP WordPress plugin through version 1.3 allows attackers to execute arbitrary SQL commands against the plugin's database queries. The vulnerability affects the smtp-sendinblue plugin and has been reported by Patchstack security researchers; however, no public exploit code or confirmed active exploitation has been identified at this time. With an EPSS score of 0.05% (15th percentile), this represents a low exploitation probability despite the critical nature of SQL injection vulnerabilities.
WordPress
PHP
SQLi
-
CVE-2025-48156
None
Stored XSS in Parakoos Image Wall WordPress plugin through version 3.1 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising admin accounts or stealing session data. The vulnerability resides in improper input sanitization during web page generation, affecting a plugin with low real-world exploitation probability (EPSS 0.04%) but representing a functional security flaw in plugin logic.
XSS
PHP
-
CVE-2025-48155
None
Missing authorization controls in enituretechnology Residential Address Detection WordPress plugin versions up to 2.5.9 allow unauthenticated attackers to access restricted functionality by bypassing access control lists. The vulnerability stems from insufficient ACL enforcement, enabling attackers to invoke protected features without proper permission validation. EPSS exploitation probability is low at 0.06%, though the authentication bypass classification indicates practical attack feasibility.
Information Disclosure
-
CVE-2025-48153
None
Cross-site request forgery in the WordPress Import CDN-Remote Images plugin versions up to 2.1.2 enables stored cross-site scripting attacks through forged requests that bypass CSRF protections. An attacker can craft malicious requests to inject persistent JavaScript payloads into the plugin's configuration or imported content, affecting WordPress installations running vulnerable versions of the plugin. The vulnerability carries low exploitation probability (EPSS 0.02%) and no public exploit code has been identified.
WordPress
PHP
CSRF
XSS
-
CVE-2025-48150
None
Missing authorization controls in the Real Estate Property 2024 Create Your Own Fields and Search Bar WordPress plugin (versions up to 4.48) permit unauthenticated or low-privileged users to access functionality and data intended for higher privilege levels. The vulnerability stems from inadequately configured access control checks on plugin endpoints, allowing attackers to bypass intended security boundaries. With an EPSS score of 0.05% (17th percentile), real-world exploitation risk is minimal, and no public exploit code or active exploitation has been identified.
WordPress
PHP
Authentication Bypass
-
CVE-2025-47652
None
Reflected cross-site scripting (XSS) in Infility Global WordPress plugin through version 2.13.4 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during page generation, enabling attackers to steal session cookies, perform actions on behalf of users, or redirect victims to malicious sites. No public exploit code or active exploitation has been confirmed at the time of analysis, though the low EPSS score (0.04%) suggests limited practical exploitation likelihood despite the XSS attack vector.
XSS
Information Disclosure
-
CVE-2025-47645
None
SQL injection vulnerability in ELEX WooCommerce Advanced Bulk Edit Products plugin allows authenticated attackers to execute arbitrary SQL commands through unvalidated input in versions up to 1.4.9. The vulnerability requires subscriber-level or higher WordPress user privileges and carries low exploitation probability (EPSS 0.05%) despite its critical nature, suggesting that limited attacker incentive or complexity factors are currently limiting real-world abuse.
WordPress
Woocommerce
PHP
SQLi
-
CVE-2025-47554
None
Reflected cross-site scripting (XSS) in the CSS3 Compare Pricing Tables for WordPress plugin through version 11.6 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session cookies, perform actions on behalf of victims, or redirect users to malicious sites through specially crafted URLs. No public exploit code or active exploitation has been confirmed, and the low EPSS score (0.04%, 13th percentile) suggests limited real-world attack likelihood despite the XSS vector.
WordPress
PHP
XSS
-
CVE-2025-46500
None
Reflected cross-site scripting (XSS) in ValvePress WordPress Auto Spinner plugin versions up to 3.26.0 allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability exploits improper input neutralization during page generation, enabling attackers to steal session tokens, deface content, or redirect users to phishing sites through crafted URLs. No public exploit code has been identified, and exploitation likelihood is assessed as very low (EPSS 0.04%), suggesting this is a low-priority vulnerability despite the XSS classification.
WordPress
PHP
XSS
-
CVE-2025-31427
None
Reflected cross-site scripting (XSS) vulnerability in designthemes Invico WordPress theme version 1.9 and earlier allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to steal session tokens, perform unauthorized actions, or redirect users to malicious sites through specially crafted URLs. No CVSS score has been assigned, but the EPSS exploitation probability is very low at 0.04% (13th percentile), and no public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
PHP
XSS
-
CVE-2025-31422
None
Object injection via unsafe deserialization in designthemes Visual Art | Gallery WordPress Theme (versions 2.4 and earlier) allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or information disclosure depending on available gadget chains in the WordPress environment. No CVSS vector is available, and exploitation probability is low (EPSS 0.16%, 36th percentile), with no confirmed public exploit code or active exploitation reported at time of analysis.
WordPress
PHP
Deserialization
-
CVE-2025-31072
None
Reflected cross-site scripting (XSS) in the Ofiz WordPress Business Consulting Theme through version 2.0 allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to craft malicious URLs that execute arbitrary JavaScript in victims' browsers when clicked. No public exploit code or active exploitation has been confirmed; the low EPSS score (0.04%) suggests limited real-world attack probability despite the vector's potential for user interaction.
WordPress
PHP
XSS
-
CVE-2025-31070
None
Path traversal vulnerability in LambertGroup HTML5 Radio Player WPBakery Page Builder Addon (lbg-cleverbakery) versions 2.5 and earlier allows unauthenticated attackers to download arbitrary files from the server by manipulating pathname parameters. The vulnerability is rooted in improper input validation of file path requests, enabling attackers to traverse directory structures using relative path sequences. No active exploitation has been confirmed, and the low EPSS score (0.11th percentile) suggests limited real-world attack probability despite the moderate technical impact.
WordPress
PHP
Path Traversal
-
CVE-2025-31055
None
Reflected cross-site scripting (XSS) in vergatheme Electrician WordPress theme version 1.0 and earlier allows unauthenticated attackers to inject malicious scripts into web pages viewed by other users through crafted URLs. The vulnerability stems from improper input neutralization during web page generation, enabling stored or reflected payload execution in victim browsers without authentication requirements.
WordPress
PHP
XSS
-
CVE-2025-30973
None
Deserialization of untrusted data in Codexpert Inc's CoSchool LMS WordPress plugin through version 1.4.3 enables PHP object injection attacks, potentially allowing remote code execution or arbitrary action execution by unauthenticated attackers. EPSS score of 0.13% (33rd percentile) indicates low measured exploitation probability at time of analysis, with no confirmed active exploitation or public exploit code identified.
Deserialization
Code Injection
-
CVE-2025-30959
None
Missing authorization controls in WPFactory's Product XML Feed Manager for WooCommerce through version 2.9.2 allow attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive product feed data or enabling unauthorized administrative actions. The vulnerability affects all versions up to and including 2.9.2, with no publicly available exploit code identified at time of analysis, and an EPSS score of 0.07% indicating very low real-world exploitation probability despite the authorization defect.
WordPress
Woocommerce
PHP
Authentication Bypass
-
CVE-2025-30955
None
Reflected cross-site scripting (XSS) in GT3themes ListingEasy WordPress theme through version 1.9.2 allows unauthenticated attackers to inject arbitrary JavaScript into web pages viewed by other users. The vulnerability exists in unspecified input handling during page generation, enabling attackers to craft malicious URLs that execute scripts in victims' browsers when clicked. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests limited real-world attack likelihood despite the high-impact nature of XSS.
WordPress
PHP
XSS
-
CVE-2025-30949
None
Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.
WordPress
PHP
Deserialization
-
CVE-2025-30936
None
SQL injection vulnerability in Torod Company for Information Technology's Torod plugin through version 2.1 allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability affects all versions up to and including 2.1, with no CVSS vector provided but classified as SQL injection (CWE-89). No public exploit code or active exploitation has been confirmed at time of analysis.
SQLi
Information Disclosure
-
CVE-2025-29009
None
Unrestricted file upload vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce through version 1.2.3 allows attackers to upload web shells to the server, enabling remote code execution. The plugin fails to properly validate uploaded file types, permitting dangerous executable files to be stored in web-accessible directories. No CVSS score or public exploit code has been published; however, the low EPSS score (0.11%, 29th percentile) suggests minimal exploitation probability despite the high intrinsic severity of arbitrary file upload to WordPress environments.
WordPress
PHP
Woocommerce
File Upload
RCE
-
CVE-2025-29000
None
August Infotech's Multi-language Responsive Contact Form WordPress plugin up to version 2.8 fails to properly enforce access controls, allowing unauthenticated attackers to access administrative functionality that should be restricted by role-based access control lists. The missing authorization checks enable unauthorized users to perform actions intended only for administrators, as evidenced by the CWE-862 classification and authentication bypass tag. EPSS scoring (0.07%) indicates low exploitation probability in the wild, but the vulnerability represents a direct authorization failure affecting a widely-distributed WordPress plugin.
WordPress
PHP
Authentication Bypass
-
CVE-2025-28965
None
Missing authorization controls in the exact-links WordPress URL Shortener plugin (versions up to 3.0.7) allow unauthenticated or low-privileged attackers to access functionality that should be restricted by access control lists. The vulnerability stems from improper ACL enforcement, enabling unauthorized users to perform actions beyond their intended permissions without authentication requirements.
WordPress
PHP
Authentication Bypass
-
CVE-2025-28961
None
Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.
WordPress
PHP
Deserialization
-
CVE-2025-28959
None
SQL injection vulnerability in Md Yeasin Ul Haider URL Shortener (exact-links) plugin versions up to 3.0.7 allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability stems from improper sanitization of user-supplied input in SQL commands, enabling data exfiltration, modification, or deletion depending on database permissions. Active exploitation status is unknown, though the issue affects a WordPress plugin with a broad installation base; the EPSS probability is low at 0.05%, suggesting limited real-world exploitation despite the technical severity.
WordPress
PHP
SQLi
-
CVE-2025-28955
None
Path traversal in FWDesign Easy Video Player WordPress plugin through version 10.0 allows unauthenticated attackers to read arbitrary files from the server via directory traversal sequences. The vulnerability affects all versions up to and including 10.0, enabling direct file access without authentication. No public exploit code has been independently confirmed, though the low EPSS score (0.11%, 30th percentile) suggests limited real-world exploitation likelihood despite the straightforward attack vector.
WordPress
PHP
Path Traversal
-
CVE-2025-24779
None
Object injection via unsafe deserialization in NooTheme Yogi WordPress theme versions before 2.9.3 allows attackers to instantiate arbitrary PHP objects, potentially leading to remote code execution or data manipulation. The vulnerability affects all Yogi theme installations below version 2.9.3 and carries a low exploitation probability (EPSS 0.16%, 36th percentile), with no confirmed active exploitation at time of analysis.
WordPress
PHP
Deserialization
-
CVE-2025-24759
None
Blind SQL injection in CMSJunkie WP-BusinessDirectory WordPress plugin versions up to 3.1.4 allows unauthenticated remote attackers to execute arbitrary SQL queries against the plugin's database. This vulnerability, reported by Patchstack, enables attackers to extract sensitive data or manipulate database contents without direct visibility into query results, posing a significant risk to WordPress installations using affected versions.
WordPress
PHP
SQLi