Unrestricted file upload vulnerability in Webkul Medical Prescription Attachment Plugin for WooCommerce through version 1.2.3 allows attackers to upload web shells to the server, enabling remote code execution. The plugin fails to properly validate uploaded file types, permitting dangerous executable files to be stored in web-accessible directories. No CVSS score or public exploit code has been published; however, the low EPSS score (0.11%, 29th percentile) suggests minimal exploitation probability despite the high intrinsic severity of arbitrary file upload to WordPress environments.
Deserialization of untrusted data in Codexpert Inc's CoSchool LMS WordPress plugin through version 1.4.3 enables PHP object injection attacks, potentially allowing remote code execution or arbitrary action execution by unauthenticated attackers. EPSS score of 0.13% (33rd percentile) indicates low measured exploitation probability at time of analysis, with no confirmed active exploitation or public exploit code identified.
Deserialization of untrusted data in the Guru Team Site Chat on Telegram WordPress plugin through version 1.0.4 enables PHP object injection attacks. An attacker can inject malicious serialized objects that, when unserialized by the plugin, trigger arbitrary code execution or enable further exploitation via gadget chain abuse. No CVSS score is assigned and exploitation probability is low (EPSS 0.13%), but the vulnerability affects all installations of this plugin up to and including version 1.0.4.
Deserialization of untrusted data in the exact-links WordPress plugin (versions up to 3.0.7) enables object injection attacks that could allow remote code execution or privilege escalation. The vulnerability stems from improper handling of serialized PHP objects without validation, permitting attackers to instantiate arbitrary objects and exploit magic methods for malicious purposes. While no CVSS vector or exploit proof-of-concept is publicly documented, the underlying deserialization flaw (CWE-502) represents a critical attack surface in WordPress environments.
Privilege escalation in Unity Business Technology's E-Commerce ERP plugin (profitori) through version 2.1.1.3 allows attackers to gain elevated permissions due to incorrect privilege assignment. The vulnerability affects the WordPress plugin with EPSS exploitation probability at 0.09%, indicating low real-world exploitation likelihood despite the privilege escalation impact. No public exploit code or active exploitation (KEV status) has been confirmed.
Cross-site request forgery (CSRF) vulnerability in WordPress FluentSnippets plugin versions up to 10.50 allows unauthenticated attackers to execute unwanted actions on behalf of authenticated users without their knowledge or consent. The vulnerability affects the easy-code-manager component and has a low exploitation probability (EPSS 0.03%), but CSRF attacks typically require social engineering to trick users into visiting a malicious site, making real-world impact dependent on site traffic and user behavior rather than technical exploitability alone.
SQL injection in WP Pipes WordPress plugin versions through 1.4.3 enables unauthenticated remote attackers to extract sensitive database contents and potentially disrupt service availability. The vulnerability carries CVSS 9.3 (Critical) due to network-accessible attack vector with no authentication or user interaction required, though real-world risk is moderated by low EPSS score (0.06%, 19th percentile) indicating minimal observed exploitation activity. Exploitation requires no special conditions beyond accessing the vulnerable WordPress installation, and Patchstack has published detailed vulnerability intelligence.
SQL injection vulnerability in shinetheme Traveler WordPress theme versions before 3.2.2 allows attackers to execute arbitrary SQL commands through improper neutralization of special elements in SQL queries. The vulnerability affects all versions up to and including 3.2.1, with an extremely low EPSS score of 0.05% (17th percentile) suggesting minimal real-world exploitation probability despite the critical nature of SQL injection attacks.
SQL injection vulnerability in Torod Company for Information Technology's Torod plugin through version 2.1 allows unauthenticated remote attackers to execute arbitrary SQL commands. The vulnerability affects all versions up to and including 2.1, with no CVSS vector provided but classified as SQL injection (CWE-89). No public exploit code or active exploitation has been confirmed at time of analysis.
SQL injection vulnerability in Md Yeasin Ul Haider URL Shortener (exact-links) plugin versions up to 3.0.7 allows unauthenticated attackers to execute arbitrary SQL queries against the underlying database. The vulnerability stems from improper sanitization of user-supplied input in SQL commands, enabling data exfiltration, modification, or deletion depending on database permissions. Actively exploited status unknown, though the issue affects a WordPress plugin with broad installation base; EPSS probability is low at 0.05% percentile, suggesting limited real-world exploitation despite technical severity.
Blind SQL injection in CMSJunkie WP-BusinessDirectory WordPress plugin versions up to 3.1.4 allows unauthenticated remote attackers to execute arbitrary SQL queries against the plugin's database. This vulnerability, reported by Patchstack, enables attackers to extract sensitive data or manipulate database contents without direct visibility into query results, posing a significant risk to WordPress installations using affected versions.
Upload of arbitrary files in Groundhogg WordPress plugin through version 4.2.1 enables attackers to upload web shells to the server, achieving remote code execution. The vulnerability stems from insufficient validation of uploaded file types, allowing an attacker to bypass file type restrictions and execute malicious code on the affected web server. This is a critical vulnerability affecting a widely-used WordPress plugin, though current EPSS scoring (0.09%) suggests low real-world exploitation probability at time of analysis.