29 CVEs tracked today. 5 Critical, 11 High, 13 Medium, 0 Low.
-
CVE-2025-60238
CRITICAL
CVSS 9.8
PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.
Deserialization
Code Injection
-
CVE-2025-60216
CRITICAL
CVSS 9.8
PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with a network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with an EPSS score of 0.10% (10th percentile) suggesting low observed exploitation likelihood despite high theoretical severity.
Deserialization
-
CVE-2025-60214
CRITICAL
CVSS 9.8
PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.
WordPress
Deserialization
Code Injection
-
CVE-2025-60206
CRITICAL
CVSS 10.0
Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.
WordPress
PHP
Code Injection
-
CVE-2025-49931
CRITICAL
CVSS 9.3
Blind SQL injection in Crocoblock JetSearch plugin (WordPress) versions up to 3.5.10 allows unauthenticated remote attackers to extract database contents via crafted search queries. The vulnerability carries a critical CVSS 9.3 score due to network-based exploitation requiring no authentication or user interaction, though EPSS exploitation probability remains low at 0.04% (12th percentile), and no public exploit identified at time of analysis. The flaw enables data exfiltration from the databases of WordPress sites using the vulnerable search plugin.
WordPress
PHP
SQLi
-
CVE-2025-60222
HIGH
CVSS 8.8
Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions ≤7.8.0) allows authenticated users with low-level privileges to elevate permissions and gain unauthorized high-level access to WordPress site functions. The vulnerability stems from incorrect privilege assignment (CWE-266), enabling attackers to bypass intended access controls. With CVSS 8.8 (High) severity, the flaw permits complete compromise of confidentiality, integrity, and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit identified at time of analysis, though Patchstack has published advisory details.
WordPress
PHP
Privilege Escalation
-
CVE-2025-53428
HIGH
CVSS 8.8
Privilege escalation in N-Media Simple User Registration (WordPress plugin) through version 6.8 allows authenticated low-privilege users to elevate their access to administrator-level permissions via incorrect privilege assignment. With EPSS at 0.06% (17th percentile) and no public exploit identified at time of analysis, real-world exploitation risk remains low despite the high CVSS score. The vulnerability requires low-privilege authentication (PR:L) but has low attack complexity (AC:L) and no user interaction (UI:N), making it straightforward to exploit once an attacker has basic user credentials.
WordPress
PHP
Privilege Escalation
-
CVE-2025-53425
HIGH
CVSS 7.6
Privilege escalation in Dokan Lite WordPress plugin (versions ≤4.1.3) enables low-privileged authenticated users to elevate privileges on vulnerable sites. The vulnerability stems from incorrect privilege assignment (CWE-266), exploitable remotely with low attack complexity and no user interaction required. With EPSS score of 0.08% (24th percentile), real-world exploitation probability is currently low, and no active exploitation or public exploit code has been identified at time of analysis. Authenticated attackers can gain unauthorized high-level confidentiality access with limited integrity and availability impact.
Privilege Escalation
-
CVE-2025-52756
HIGH
CVSS 7.4
Code injection in WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely via vulnerable code generation controls. The CVSS 7.4 rating reflects network accessibility, low attack complexity, and scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.
WordPress
PHP
Code Injection
RCE
-
CVE-2025-52753
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the Contact Form by Supsystic WordPress plugin (versions through 1.7.36) allows unauthenticated remote attackers to execute malicious JavaScript in victims' browsers via crafted URLs. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of the victim's authenticated session. EPSS probability indicates low exploitation likelihood (0.07%, 22nd percentile) with no public exploit identified at time of analysis.
WordPress
PHP
XSS
-
CVE-2025-52743
HIGH
CVSS 7.1
Reflected Cross-Site Scripting (XSS) in WordPress plugin oik-privacy-policy versions ≤1.4.10 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Exploitation requires user interaction (the victim must click a malicious link). EPSS probability is low (0.07%, 22nd percentile), and no active exploitation is confirmed. Reported by the Patchstack security audit team, indicating professional vulnerability disclosure.
WordPress
PHP
XSS
-
CVE-2025-49962
HIGH
CVSS 7.1
Reflected cross-site scripting in bbPress Notify plugin versions up to 2.19.5 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability stems from improper input sanitization during web page generation (CWE-79). With CVSS 7.1 and changed scope (S:C), successful exploitation enables session hijacking, credential theft, and malicious actions in the victim's context. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though Patchstack has publicly documented the vulnerability.
WordPress
PHP
XSS
-
CVE-2025-49958
HIGH
CVSS 7.1
Reflected cross-site scripting in Robokassa Payment Gateway for WooCommerce plugin (versions ≤1.8.5) allows unauthenticated remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability enables changed-scope attacks where attackers can steal session tokens, perform unauthorized actions, or redirect victims to malicious sites through crafted URLs. No public exploit identified at time of analysis, with EPSS score of 0.03% indicating minimal observed exploitation activity.
WordPress
WooCommerce
PHP
XSS
-
CVE-2025-49950
HIGH
CVSS 7.3
Privilege escalation in Official Integration for Billingo WordPress plugin (versions ≤4.3.0) enables unauthenticated remote attackers to bypass authorization controls and gain elevated access. The vulnerability stems from missing authorization checks (CWE-862) and is exploitable over the network with low complexity and no user interaction. No active exploitation confirmed (EPSS 0.06%, 18th percentile), but the unauthenticated remote attack vector with straightforward exploitation makes this a notable risk for WordPress sites using this billing integration plugin.
Privilege Escalation
-
CVE-2025-49930
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions through 3.5.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but carries a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component. EPSS probability is low (0.07%, 22nd percentile), indicating minimal observed exploitation attempts, and no public exploit code or CISA KEV listing exists at time of analysis.
WordPress
PHP
XSS
-
CVE-2025-49921
HIGH
CVSS 7.3
Local file inclusion vulnerability in Crocoblock JetReviews WordPress plugin (versions ≤3.0.0) allows unauthenticated remote attackers to read arbitrary files from the server filesystem via improper filename control in PHP include/require statements. The vulnerability carries moderate real-world risk with EPSS exploitation probability of 0.13% (33rd percentile), indicating relatively low attacker interest despite the network-accessible attack vector requiring no privileges. No public exploit identified at time of analysis, and no active exploitation confirmed.
WordPress
PHP
LFI
-
CVE-2025-52757
MEDIUM
CVSS 6.3
Unauthenticated attackers can bypass access controls in SUMO Memberships for WooCommerce versions below 7.8.0 to perform unauthorized actions including content modification and deletion through incorrectly configured membership level enforcement. The vulnerability requires user interaction (UI:R) but affects confidentiality, integrity, and availability of protected content. No public exploit code or active exploitation has been confirmed.
WordPress
PHP
Authentication Bypass
-
CVE-2025-52735
MEDIUM
CVSS 6.5
Reflected cross-site scripting (XSS) in XLPlugins NextMove Lite WordPress plugin versions up to 2.24.0 allows authenticated attackers to inject malicious scripts via unvalidated input during web page generation. An attacker with user credentials can craft a malicious link that, when clicked by another user, executes arbitrary JavaScript in their browser context. The vulnerability carries a moderate CVSS score of 6.5 but exhibits very low real-world exploitation probability (EPSS 0.03%, 8th percentile), indicating it has not been actively exploited in practice despite the presence of public vulnerability disclosure.
WordPress
PHP
XSS
NextMove
-
CVE-2025-49952
MEDIUM
CVSS 6.3
Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.
WordPress
PHP
Authentication Bypass
-
CVE-2025-49939
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin through version 2.7.8 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user sessions. The vulnerability requires user interaction (UI:R) and affects authenticated users (PR:L), limiting immediate blast radius but posing persistent risk to WordPress installations using this Elementor extension.
WordPress
PHP
XSS
-
CVE-2025-49938
MEDIUM
CVSS 6.5
Stored XSS in Crocoblock JetEngine WordPress plugin versions 3.7.3 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability requires user interaction (UI:R) to trigger and affects confidentiality, integrity, and availability with limited scope. With EPSS at 0.07% and no KEV status indicating active exploitation, this represents a low-probability but real risk requiring patching in multi-user WordPress environments.
WordPress
PHP
XSS
-
CVE-2025-49934
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity, with an EPSS score of 0.06% indicating very low real-world exploitation likelihood despite the moderate CVSS 5.4 rating.
WordPress
PHP
XSS
-
CVE-2025-49933
MEDIUM
CVSS 6.5
Reflected cross-site scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4 allows authenticated users to inject malicious scripts that execute in other users' browsers when they interact with crafted links. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk; EPSS score of 0.07% indicates low exploitation probability despite the moderate CVSS 6.5 rating.
WordPress
PHP
XSS
-
CVE-2025-49932
MEDIUM
CVSS 6.5
Stored Cross-Site Scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4.1 allows authenticated users with low privileges to inject malicious scripts that persist in web pages and execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. EPSS score of 0.07% and lack of public exploit code indicate low real-world exploitation probability despite the moderate CVSS 6.5 score.
WordPress
PHP
XSS
-
CVE-2025-49928
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Crocoblock JetWooBuilder plugin through version 2.1.20 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (UI:R per CVSS) and affects the plugin's web page generation functions. No public exploit code or active exploitation has been confirmed. The issue carries a moderate CVSS score of 6.5, and its low EPSS probability (0.07%, 22nd percentile) suggests limited real-world attack incentive, even though the authentication requirement is a relatively low barrier in WordPress environments.
WordPress
PHP
XSS
-
CVE-2025-49927
MEDIUM
CVSS 6.5
Stored XSS vulnerability in Crocoblock JetWooBuilder WordPress plugin versions up to 2.1.20.1 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) from victims and affects the confidentiality, integrity, and availability of website content. No public exploit code or active exploitation has been confirmed at time of analysis.
WordPress
PHP
XSS
-
CVE-2025-11824
MEDIUM
CVSS 6.4
Stored cross-site scripting in Cinza Grid WordPress plugin versions up to 1.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'cgrid_skin_content' post meta field, which executes when other users view the affected pages. The vulnerability stems from missing input sanitization and output escaping in backend processing functions. CVSS 6.4 reflects moderate impact with network-accessible attack surface, though exploitation requires valid WordPress contributor-level credentials.
WordPress
XSS
-
CVE-2025-11809
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP-Force Images Download WordPress plugin versions up to 1.8 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class' attribute of the 'wpfid' shortcode due to insufficient input sanitization and output escaping. The vulnerability executes malicious scripts in the browser of any user viewing an affected page, potentially enabling account compromise, malware distribution, or defacement with CVSS 6.4 (medium severity). No public exploit code or confirmed active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2025-10047
MEDIUM
CVSS 4.9
SQL injection in Email Tracker plugin for WordPress (versions up to 5.3.15) allows authenticated administrators to extract sensitive database information via the 'orderby' parameter due to insufficient escaping and query preparation. CVSS 4.9 reflects high confidentiality impact but requires high-privilege authenticated access; no public exploit code or active exploitation confirmed at analysis time.
WordPress
SQLi