Skip to main content
CVE-2025-56447 CRITICAL POC Act Now

Authentication bypass in TM2 Monitoring v3.04 allows remote attackers to circumvent login controls and access the application, which additionally stores and discloses user credentials in plaintext. Publicly available exploit code exists (POC published by researcher stSLAYER for RT-Systems' TM2), enabling full compromise of confidentiality, integrity, and availability. Not listed in CISA KEV and EPSS probability is low (0.32%), so no confirmed active exploitation despite the critical 9.8 CVSS score.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-58963 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server.This issue affects Medcity: from n/a through < 1.1.9.

File Upload
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-60206 CRITICAL Act Now

Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.

WordPress PHP Code Injection
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-60238 CRITICAL Act Now

PHP object injection in UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting a lower immediate real-world risk despite the critical CVSS 9.8 score.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60216 CRITICAL Act Now

PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, with EPSS indicating 10th percentile exploitation probability (0.10%), suggesting low observed exploitation likelihood despite high theoretical severity.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-60214 CRITICAL Act Now

PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.

WordPress Deserialization Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49380 CRITICAL Act Now

PHP object injection in WooCommerce Vehicle Parts Finder plugin versions up to 3.7 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication or user interaction. Reported by Patchstack audit team, this represents a critical pre-authentication vulnerability in WordPress e-commerce environments. EPSS data unavailable; not currently listed in CISA KEV, suggesting limited widespread exploitation at time of disclosure.

WordPress Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-59007 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection.This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.

Deserialization
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-49915 CRITICAL Act Now

SQL injection in WordPress SMS Alert Order Notifications plugin through version 3.8.5 allows remote unauthenticated attackers to extract sensitive database contents via network-accessible injection points. The vulnerability achieves scope change with high confidentiality impact, enabling cross-boundary data exfiltration from the WordPress database. EPSS data unavailable; not currently listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis, though the unauthenticated remote attack vector presents significant risk for WordPress installations using this plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.1%
CVE-2025-59557 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection.This issue affects Learts Addons: from n/a through < 1.7.5.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-49931 CRITICAL Act Now

Blind SQL injection in Crocoblock JetSearch plugin (WordPress) versions up to 3.5.10 allows unauthenticated remote attackers to extract database contents via crafted search queries. The vulnerability carries a critical CVSS 9.3 score due to network-based exploitation requiring no authentication or user interaction, though EPSS exploitation probability remains low at 0.04% (12th percentile), and no public exploit identified at time of analysis. The flaw enables data exfiltration from WordPress databases hosting sites using the vulnerable search plugin.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-52758 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.

File Upload
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-62023 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member.This issue affects s2Member: from n/a through <= 250905.

Code Injection RCE
NVD
CVSS 3.1
9.0
EPSS
0.1%
CVE-2025-60222 HIGH This Week

Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions ≤7.8.0) allows authenticated users with low-level privileges to elevate permissions and gain unauthorized high-level access to WordPress site functions. The vulnerability stems from incorrect privilege assignment (CWE-266), enabling attackers to bypass intended access controls. With CVSS 8.8 (High) severity, the flaw permits complete compromise of confidentiality, integrity, and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit identified at time of analysis, though Patchstack has published advisory details.

WordPress PHP Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-53428 HIGH This Week

Privilege escalation in N-Media Simple User Registration (WordPress plugin) through version 6.8 allows authenticated low-privilege users to elevate their access to administrator-level permissions via incorrect privilege assignment. With EPSS at 0.06% (17th percentile) and no public exploit identified at time of analysis, real-world exploitation risk remains low despite the high CVSS score. The vulnerability requires low-privilege authentication (PR:L) but has low attack complexity (AC:L) and no user interaction (UI:N), making it straightforward to exploit once an attacker has basic user credentials.

WordPress PHP Privilege Escalation
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60041 HIGH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3.

Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-60227 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-49916 HIGH This Week

Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MultiVendorX: from n/a through <= 4.2.23.

WordPress Authentication Bypass
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-49378 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-48091 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alexander AnyComment anycomment allows SQL Injection.This issue affects AnyComment: from n/a through <= 0.3.6.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-58967 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Businext businext allows PHP Local File Inclusion.This issue affects Businext: from n/a through < 2.4.4.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58958 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion.This issue affects SmilePure: from n/a through < 1.8.5.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-59566 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows Path Traversal.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.5.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-58959 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal.This issue affects Taskbot: from n/a through <= 6.4.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-60217 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal.This issue affects PT Luxa Addons: from n/a through <= 1.2.2.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-62015 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.6.8.

WordPress SQLi
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2025-49921 HIGH This Week

Local file inclusion in Crocoblock JetReviews plugin versions through 3.0.0 allows authenticated attackers with low-level privileges to read arbitrary files on the WordPress server via PHP file inclusion flaws. With EPSS at 0.13% (33rd percentile), exploitation likelihood is currently low. No active exploitation confirmed (not in CISA KEV), but Patchstack has cataloged the vulnerability indicating professional security research attention. Attackers can access sensitive configuration files, credentials, and potentially chain with other vulnerabilities for code execution.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49935 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in xtemos WoodMart woodmart allows PHP Local File Inclusion.This issue affects WoodMart: from n/a through < 8.3.2.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49925 HIGH This Week

Missing Authorization vulnerability in VibeThemes WPLMS wplms_plugin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through <= 1.9.9.7.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-48338 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kevon Adonis WP Abstracts wp-abstracts-manuscripts-manager allows PHP Local File Inclusion.This issue affects WP Abstracts: from n/a through <= 2.7.4.

PHP Information Disclosure LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-30944 HIGH This Week

Missing Authorization vulnerability in Essekia Tablesome Table Premium tablesome-premium allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Tablesome Table Premium: from n/a through <= 1.1.23.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-62022 HIGH This Week

Missing Authorization vulnerability in BuddyPress BuddyPress buddypress.This issue affects BuddyPress: from n/a through <= 14.3.4.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-52756 HIGH This Week

Code injection in WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely via vulnerable code generation controls. The CVSS 7.4 rating reflects network accessibility, low attack complexity, and scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.

WordPress PHP Code Injection RCE
NVD
CVSS 3.1
7.4
EPSS
0.0%
CVE-2025-49926 HIGH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25.

Code Injection RCE
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-53425 HIGH This Week

Privilege escalation in Dokan (WordPress multi-vendor marketplace plugin) versions up to 4.1.3 allows high-privileged users to elevate their permissions beyond intended role boundaries. Reported by Patchstack audit team with EPSS exploitation probability of 0.08% (24th percentile), indicating low real-world exploitation likelihood. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.

Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-49950 HIGH This Week

Missing authorization in the Billingo WordPress plugin (versions ≤4.3.0) enables authenticated high-privilege users to escalate privileges through unprotected API endpoints. CVSS 7.2 indicates network-accessible exploitation requiring high-privilege authentication with high impact across confidentiality, integrity, and availability. EPSS score of 0.06% (18th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis, though Patchstack vulnerability database confirms the vulnerability class as both authentication bypass and privilege escalation.

Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-49924 HIGH This Week

Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.4.2.

WordPress Privilege Escalation
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-52753 HIGH This Week

Reflected cross-site scripting (XSS) in the Contact Form by Supsystic WordPress plugin (versions through 1.7.36) allows unauthenticated remote attackers to execute malicious JavaScript in victims' browsers via crafted URLs. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of the victim's authenticated session. EPSS probability indicates low exploitation likelihood (0.07%, 22nd percentile) with no public exploit identified at time of analysis.

WordPress PHP XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52743 HIGH This Week

Reflected Cross-Site Scripting (XSS) in WordPress plugin oik-privacy-policy versions ≤1.4.10 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Exploitation requires user interaction (victim must click malicious link). EPSS probability is low (0.07%, 22nd percentile), and no active exploitation is confirmed. Reported by Patchstack security audit team, indicating professional vulnerability disclosure.

WordPress PHP XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49930 HIGH This Week

Reflected cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions through 3.5.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but carries a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component. EPSS probability is low (0.07%, 22nd percentile), indicating minimal observed exploitation attempts, and no public exploit code or CISA KEV listing exists at time of analysis.

WordPress PHP XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53426 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Likert Survey Master likert-survey-master allows Reflected XSS.This issue affects Likert Survey Master: from n/a through <= 0.8.0.1.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52760 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Globalis MultiSite Clone Duplicator multisite-clone-duplicator allows Reflected XSS.This issue affects MultiSite Clone Duplicator: from n/a through <= 1.5.3.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52735 HIGH This Week

Reflected cross-site scripting in NextMove Lite (WordPress thank-you page plugin) versions ≤2.24.0 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but achieves scope change per CVSS vector, enabling session hijacking, credential theft, or malicious actions under victim's WordPress session. EPSS score of 0.03% (8th percentile) indicates low probability of mass exploitation, though XSS vulnerabilities are commonly used in targeted social engineering campaigns against WordPress site administrators.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-52734 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 CropRefine croprefine allows Reflected XSS.This issue affects CropRefine: from n/a through <= 1.2.1.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49962 HIGH This Week

Reflected cross-site scripting in bbPress Notify plugin versions up to 2.19.5 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability stems from improper input sanitization during web page generation (CWE-79). With CVSS 7.1 and changed scope (S:C), successful exploitation enables session hijacking, credential theft, and malicious actions in the victim's context. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though Patchstack has publicly documented the vulnerability.

WordPress PHP XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49958 HIGH This Week

Reflected cross-site scripting in Robokassa payment gateway for WooCommerce (versions ≤1.8.5) allows remote attackers to execute malicious JavaScript in victim browsers through specially crafted URLs. The scope-change CVSS flag indicates attackers can impact resources beyond the vulnerable plugin itself, potentially compromising WooCommerce admin sessions or customer payment data. EPSS probability is low (0.03%, 8th percentile), and no active exploitation or public POC has been identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-59006 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Easy Woocommerce Customizer easy-woocommerce-customizer allows Reflected XSS.This issue affects Easy Woocommerce Customizer: from n/a through <= 1.0.2.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-58966 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms LITE nex-forms-lite allows Reflected XSS.This issue affects NEX-Forms LITE: from n/a through < 8.2.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-58921 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Tactical Popup wp-tactical-popup allows Reflected XSS.This issue affects WP Tactical Popup: from n/a through <= 1.1.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-58916 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Munzir Author: Munzir myshouts-shoutbox allows Reflected XSS.This issue affects Author: Munzir: from n/a through <= 0.9.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy