102 CVEs tracked today. 12 Critical, 41 High, 49 Medium, 0 Low.
-
CVE-2025-62023
CRITICAL
CVSS 9.0
Improper Control of Generation of Code ('Code Injection') vulnerability in Cristián Lávaque s2Member s2member. This issue affects s2Member: from n/a through <= 250905.
RCE
Code Injection
-
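Reading the affected ranges: every entry on this page states its range as "from n/a through <= X" (X itself is still vulnerable) or "from n/a through < X" (X is the first fixed release), with no known lower bound. The block below is an added example, not code from the tracker or from any vendor listed here. It parses that notation with PHP's version_compare(), which WordPress core also relies on for update checks, and runs a constructed inventory of installed plugin versions against three advisory lines copied verbatim from this page. Requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example (not from the tracker or any vendor): check installed plugin
// versions against the "from n/a through <= X" / "through < X" ranges used in
// the advisory text on this page. The installed inventory is constructed data.

/**
 * Extract the upper bound from an advisory description.
 * Returns ['op' => '<=' or '<', 'version' => '1.7.0'], or null when the text
 * carries no range statement.
 */
function parse_affected_range(string $description): ?array
{
    // "<=" means the stated version is still vulnerable; "<" means it is the fix.
    if (preg_match('/through\s*(<=|<)\s*([0-9][0-9A-Za-z.\-]*?)\.?\s*$/', $description, $m) !== 1) {
        return null;
    }
    return ['op' => $m[1], 'version' => $m[2]];
}

/** True when $installed lies inside the affected range (there is no lower bound). */
function is_affected(string $installed, array $range): bool
{
    return version_compare($installed, $range['version'], $range['op']);
}

/** Human-readable statement of the first safe release. */
function fixed_in(array $range): string
{
    return $range['op'] === '<' ? $range['version'] : 'a release after ' . $range['version'];
}

/**
 * Match installed slugs against advisory descriptions (the slug appears as a
 * standalone token in each line) and return one finding per affected install.
 */
function triage(array $advisories, array $installed): array
{
    $findings = [];
    foreach ($installed as $slug => $version) {
        $slugPattern = '/(?<![\w-])' . preg_quote($slug, '/') . '(?![\w-])/';
        foreach ($advisories as $cve => $description) {
            if (preg_match($slugPattern, $description) !== 1) {
                continue;
            }
            $range = parse_affected_range($description);
            if ($range !== null && is_affected($version, $range)) {
                $findings[] = sprintf('%s: %s %s is affected; update to %s', $cve, $slug, $version, fixed_in($range));
            }
        }
    }
    return $findings;
}

// Three descriptions copied verbatim from this page.
$advisories = [
    'CVE-2025-52758' => 'Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files.This issue affects Zippy: from n/a through <= 1.7.0.',
    'CVE-2025-59557' => "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection.This issue affects Learts Addons: from n/a through < 1.7.5.",
    'CVE-2025-62022' => 'Missing Authorization vulnerability in BuddyPress BuddyPress buddypress.This issue affects BuddyPress: from n/a through <= 14.3.4.',
];

// Constructed inventory, e.g. what `wp plugin list --format=json` would give you.
$installed = [
    'zippy'         => '1.7.0',   // equals the "<=" bound: still vulnerable
    'learts-addons' => '1.7.5',   // equals the "<" bound: this is the fixed release
    'buddypress'    => '14.3.2',
    'wp-sms'        => '7.0.2',   // not covered by the three advisories above
];

foreach (triage($advisories, $installed) as $line) {
    echo $line, "\n";
}
```

With the inventory above the script reports zippy 1.7.0 and buddypress 14.3.2 as affected and stays silent on learts-addons 1.7.5, which is the point of the two operators: an entry that reads "through <= 1.7.0" leaves 1.7.0 exposed, while "through < 1.7.5" means 1.7.5 is the fix.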
CVE-2025-60238
CRITICAL
CVSS 9.8
PHP object injection in the UNIVERSAM WordPress plugin through deserialization of untrusted data allows remote unauthenticated attackers to achieve critical impact including remote code execution, complete data compromise, and denial of service. Affects all versions up to and including 9.03. As with any PHP object injection, turning deserialization into code execution requires a gadget (a class with an exploitable magic method such as __destruct or __wakeup) already loaded by WordPress core, the theme, or another plugin. EPSS exploitation probability is relatively low at 0.10% (28th percentile), with no public exploit identified at time of analysis, suggesting lower immediate real-world risk despite the critical CVSS 9.8 score.
Deserialization
-
CVE-2025-60216
CRITICAL
CVSS 9.8
PHP object injection in BoldThemes Addison WordPress theme versions prior to 1.4.8 enables unauthenticated remote attackers to execute arbitrary code through unsafe deserialization. The vulnerability carries a critical CVSS 9.8 score with a network-accessible attack vector requiring no privileges or user interaction. No public exploit identified at time of analysis, and an EPSS exploitation probability of 0.10% suggests low observed exploitation likelihood despite the high theoretical severity.
Deserialization
-
CVE-2025-60214
CRITICAL
CVSS 9.8
PHP object injection in BoldThemes Goldenblatt WordPress theme versions prior to 1.3.0 enables unauthenticated remote attackers to execute arbitrary code through deserialization of untrusted data. The vulnerability scores 9.8 (Critical) with network-exploitable attack vector requiring no privileges or user interaction. EPSS indicates low probability (0.10%, 28th percentile) of active exploitation, and no public exploit or KEV listing identified at time of analysis, suggesting theoretical high severity but currently limited real-world exploitation activity.
WordPress
Deserialization
Code Injection
-
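The three BoldThemes/UNIVERSAM entries above, and the TF Woo Product Grid and Vehicle Parts Finder entries further down, all describe the same mechanism: unserialize() on attacker-controlled data instantiates whatever class the payload names, and PHP then runs that class's magic methods. The block below is an added example, not code from any vendor on this page. It uses a constructed gadget class so the "needs a gadget chain" caveat can be seen rather than asserted, shows the vulnerable call, and shows two hardened replacements. Class name, payload and temp-file path are constructed for the demo; requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not code from any plugin or theme listed on this page.
// Demonstrates why a raw unserialize() on request data is a code-execution
// primitive whenever a suitable class is loaded, and how to close it off.

// A "gadget": an ordinary class whose __destruct() has a side effect. Real
// chains live in code the site already loads (core, theme, other plugins); the
// attacker only chooses which class to instantiate and with what properties.
final class CacheWriter
{
    public string $path = '';
    public string $content = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->content);
        }
    }
}

// Vulnerable pattern: native unserialize() on untrusted input.
function restore_settings_vulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern 1: refuse every object. Class references deserialize to
// __PHP_Incomplete_Class and no magic method of the named class ever runs.
function restore_settings_hardened(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): do not accept PHP's native
// serialization format from untrusted sources at all.
function restore_settings_json(string $blob): ?array
{
    $data = json_decode($blob, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// Constructed payload in unserialize() format: an instance of CacheWriter whose
// properties point at a file of the attacker's choosing.
$target  = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
$payload = 'O:11:"CacheWriter":2:{'
    . 's:4:"path";s:' . strlen($target) . ':"' . $target . '";'
    . 's:7:"content";s:10:"gadget ran";'
    . '}';

// 1. Vulnerable: the object is built, and when it goes out of scope
//    __destruct() writes attacker-chosen content to an attacker-chosen path.
$obj = restore_settings_vulnerable($payload);
unset($obj);
printf("vulnerable: file written = %s\n", var_export(file_exists($target), true));
@unlink($target);

// 2. Hardened: the identical payload yields an inert placeholder object.
$obj = restore_settings_hardened($payload);
printf("hardened:   class = %s, file written = %s\n", get_class($obj), var_export(file_exists($target), true));
unset($obj);

// 3. JSON: the payload is not even syntactically acceptable.
try {
    restore_settings_json($payload);
} catch (JsonException $e) {
    echo 'json:       rejected (' . $e->getMessage() . ")\n";
}
```

The first run prints `file written = true`, the second prints `class = __PHP_Incomplete_Class` with `file written = false`, and the third is rejected at parse time. Note that `allowed_classes => false` only neutralises the object-instantiation step; if the code later relies on the deserialized structure having particular types, validate it as you would any other untrusted input.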
CVE-2025-60206
CRITICAL
CVSS 10.0
Remote code execution in Beplusthemes Alone WordPress theme through version 7.8.3 allows unauthenticated attackers to inject and execute arbitrary code via a code injection vulnerability. With a critical CVSS score of 10.0 and network-based exploitation requiring no privileges or user interaction, this vulnerability enables complete system compromise. EPSS exploitation probability is low (0.06%, 17th percentile), and no public exploit or CISA KEV listing identified at time of analysis.
PHP
WordPress
Code Injection
-
CVE-2025-59557
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ThemeMove Learts Addons learts-addons allows SQL Injection. This issue affects Learts Addons: from n/a through < 1.7.5.
SQLi
-
CVE-2025-59007
CRITICAL
CVSS 9.8
Deserialization of Untrusted Data vulnerability in themesflat TF Woo Product Grid Addon For Elementor tf-woo-product-grid allows Object Injection. This issue affects TF Woo Product Grid Addon For Elementor: from n/a through <= 1.0.1.
Deserialization
-
CVE-2025-58963
CRITICAL
CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in 7oroof Medcity medcity allows Upload a Web Shell to a Web Server. This issue affects Medcity: from n/a through < 1.1.9.
File Upload
-
CVE-2025-52758
CRITICAL
CVSS 9.1
Unrestricted Upload of File with Dangerous Type vulnerability in Gesundheit Bewegt GmbH Zippy zippy allows Using Malicious Files. This issue affects Zippy: from n/a through <= 1.7.0.
File Upload
-
CVE-2025-49931
CRITICAL
CVSS 9.3
Blind SQL injection in the Crocoblock JetSearch plugin (WordPress) versions up to 3.5.10 allows unauthenticated remote attackers to extract database contents via crafted search queries. The vulnerability carries a critical CVSS 9.3 score due to network-based exploitation requiring no authentication or user interaction, though EPSS exploitation probability remains low at 0.04% (12th percentile), and no public exploit identified at time of analysis. The flaw enables data exfiltration from the WordPress database of any site running the vulnerable search plugin.
SQLi
-
CVE-2025-49915
CRITICAL
CVSS 9.3
SQL injection in WordPress SMS Alert Order Notifications plugin through version 3.8.5 allows remote unauthenticated attackers to extract sensitive database contents via network-accessible injection points. The vulnerability achieves scope change with high confidentiality impact, enabling cross-boundary data exfiltration from the WordPress database. EPSS data unavailable; not currently listed in CISA KEV, indicating no confirmed widespread active exploitation at time of analysis, though the unauthenticated remote attack vector presents significant risk for WordPress installations using this plugin.
SQLi
-
CVE-2025-49380
CRITICAL
CVSS 9.8
PHP object injection in WooCommerce Vehicle Parts Finder plugin versions up to 3.7 enables remote unauthenticated attackers to achieve arbitrary code execution via deserialization of untrusted data. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms network-accessible exploitation without authentication or user interaction. Reported by Patchstack audit team, this represents a critical pre-authentication vulnerability in WordPress e-commerce environments. EPSS data unavailable; not currently listed in CISA KEV, suggesting limited widespread exploitation at time of disclosure.
WordPress
Deserialization
-
CVE-2025-62022
HIGH
CVSS 7.5
Missing Authorization vulnerability in BuddyPress BuddyPress buddypress. This issue affects BuddyPress: from n/a through <= 14.3.4.
Authentication Bypass
-
CVE-2025-62015
HIGH
CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free. This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.6.8.
WordPress
SQLi
-
CVE-2025-62005
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Cross Site Request Forgery. This issue affects SUMO Memberships for WooCommerce: from n/a through < 7.8.0.
WordPress
CSRF
-
CVE-2025-60227
HIGH
CVSS 8.6
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal. This issue affects WP Pipes: from n/a through <= 1.4.3.
Path Traversal
-
CVE-2025-60222
HIGH
CVSS 8.8
Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions ≤7.8.0) allows authenticated users with low-level privileges to elevate permissions and gain unauthorized high-level access to WordPress site functions. The vulnerability stems from incorrect privilege assignment (CWE-266), enabling attackers to bypass intended access controls. With CVSS 8.8 (High) severity, the flaw permits complete compromise of confidentiality, integrity, and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit identified at time of analysis, though Patchstack has published advisory details.
PHP
WordPress
Privilege Escalation
-
CVE-2025-60217
HIGH
CVSS 7.7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal. This issue affects PT Luxa Addons: from n/a through <= 1.2.2.
Path Traversal
-
CVE-2025-60132
HIGH
CVSS 7.1
Cross-Site Request Forgery (CSRF) vulnerability in johnh10 Video Blogster Lite video-blogster-lite allows Stored XSS. This issue affects Video Blogster Lite: from n/a through <= 1.2.
XSS
CSRF
-
CVE-2025-60041
HIGH
CVSS 8.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation. This issue affects Emails Catch All: from n/a through <= 3.5.3.
Authentication Bypass
-
CVE-2025-59566
HIGH
CVSS 7.7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows Path Traversal. This issue affects Workreap (theme's plugin): from n/a through <= 3.3.5.
Path Traversal
-
CVE-2025-59006
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Easy Woocommerce Customizer easy-woocommerce-customizer allows Reflected XSS. This issue affects Easy Woocommerce Customizer: from n/a through <= 1.0.2.
WordPress
XSS
-
CVE-2025-58967
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Businext businext allows PHP Local File Inclusion. This issue affects Businext: from n/a through < 2.4.4.
PHP
Information Disclosure
LFI
-
CVE-2025-58966
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms LITE nex-forms-lite allows Reflected XSS. This issue affects NEX-Forms LITE: from n/a through < 8.2.
XSS
-
CVE-2025-58959
HIGH
CVSS 7.7
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal. This issue affects Taskbot: from n/a through <= 6.4.
Path Traversal
-
CVE-2025-58958
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion. This issue affects SmilePure: from n/a through < 1.8.5.
PHP
Information Disclosure
LFI
-
CVE-2025-58921
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Tactical Popup wp-tactical-popup allows Reflected XSS. This issue affects WP Tactical Popup: from n/a through <= 1.1.
XSS
-
CVE-2025-58916
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Munzir myshouts-shoutbox allows Reflected XSS. This issue affects myshouts-shoutbox: from n/a through <= 0.9.
XSS
-
CVE-2025-53428
HIGH
CVSS 8.8
Privilege escalation in N-Media Simple User Registration (WordPress plugin) through version 6.8 allows authenticated low-privilege users to elevate their access to administrator-level permissions via incorrect privilege assignment. With EPSS at 0.06% (17th percentile) and no public exploit identified at time of analysis, real-world exploitation risk remains low despite the high CVSS score. The vulnerability requires low-privilege authentication (PR:L) but has low attack complexity (AC:L) and no user interaction (UI:N), making it straightforward to exploit once an attacker has basic user credentials.
PHP
WordPress
Privilege Escalation
-
CVE-2025-53426
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Likert Survey Master likert-survey-master allows Reflected XSS. This issue affects Likert Survey Master: from n/a through <= 0.8.0.1.
XSS
-
CVE-2025-53425
HIGH
CVSS 7.2
Privilege escalation in Dokan (WordPress multi-vendor marketplace plugin) versions up to 4.1.3 allows high-privileged users to elevate their permissions beyond intended role boundaries. Reported by Patchstack audit team with EPSS exploitation probability of 0.08% (24th percentile), indicating low real-world exploitation likelihood. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Privilege Escalation
-
CVE-2025-53238
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Toast Plugins Toast Mobile Menu toast-responsive-menu allows Stored XSS. This issue affects Toast Mobile Menu: from n/a through <= 1.0.8.
XSS
-
CVE-2025-52760
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Globalis MultiSite Clone Duplicator multisite-clone-duplicator allows Reflected XSS. This issue affects MultiSite Clone Duplicator: from n/a through <= 1.5.3.
XSS
-
CVE-2025-52756
HIGH
CVSS 7.4
Code injection in the WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely through improper control of code generation (CWE-94). The CVSS 7.4 rating reflects network accessibility, low attack complexity, and a scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.
PHP
WordPress
RCE
Code Injection
-
CVE-2025-52753
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the Contact Form by Supsystic WordPress plugin (versions through 1.7.36) allows unauthenticated remote attackers to execute malicious JavaScript in victims' browsers via crafted URLs. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of the victim's authenticated session. EPSS probability indicates low exploitation likelihood (0.07%, 22nd percentile) with no public exploit identified at time of analysis.
PHP
WordPress
XSS
-
CVE-2025-52743
HIGH
CVSS 7.1
Reflected Cross-Site Scripting (XSS) in the WordPress plugin oik-privacy-policy versions ≤1.4.10 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Exploitation requires user interaction (the victim must click a malicious link). EPSS probability is low (0.07%, 22nd percentile), and no active exploitation is confirmed. Reported by the Patchstack audit team.
PHP
WordPress
XSS
-
CVE-2025-52735
HIGH
CVSS 7.1
Reflected cross-site scripting in NextMove Lite (WordPress thank-you page plugin) versions ≤2.24.0 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but achieves scope change per CVSS vector, enabling session hijacking, credential theft, or malicious actions under victim's WordPress session. EPSS score of 0.03% (8th percentile) indicates low probability of mass exploitation, though XSS vulnerabilities are commonly used in targeted social engineering campaigns against WordPress site administrators.
XSS
-
CVE-2025-52734
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 CropRefine croprefine allows Reflected XSS. This issue affects CropRefine: from n/a through <= 1.2.1.
XSS
-
CVE-2025-49962
HIGH
CVSS 7.1
Reflected cross-site scripting in bbPress Notify plugin versions up to 2.19.5 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability stems from improper input sanitization during web page generation (CWE-79). With CVSS 7.1 and changed scope (S:C), successful exploitation enables session hijacking, credential theft, and malicious actions in the victim's context. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though Patchstack has publicly documented the vulnerability.
PHP
WordPress
XSS
-
CVE-2025-49958
HIGH
CVSS 7.1
Reflected cross-site scripting in the Robokassa payment gateway for WooCommerce (versions ≤1.8.5) allows remote attackers to execute malicious JavaScript in victim browsers through specially crafted URLs. The changed scope (S:C) in the CVSS vector reflects that the script runs in the victim's browser rather than in the vulnerable plugin; if the victim is a logged-in WooCommerce administrator, the script acts with that session's privileges and can reach store and customer data the administrator can see. EPSS probability is low (0.03%, 8th percentile), and no active exploitation or public PoC has been identified at time of analysis.
WordPress
XSS
-
CVE-2025-49957
HIGH
CVSS 7.1
Reflected cross-site scripting in the Email Attachment by Order Status & Products WordPress plugin versions ≤1.0.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers through a low-complexity attack that requires user interaction. The changed scope (S:C) reflects that the impact lands in the victim's browser rather than in the vulnerable plugin, with low confidentiality, integrity, and availability impact. No active exploitation or public PoC is confirmed at time of analysis, and EPSS data is unavailable for this recently published CVE.
XSS
-
CVE-2025-49950
HIGH
CVSS 7.2
Missing authorization in the Billingo WordPress plugin (versions ≤4.3.0) enables authenticated high-privilege users to escalate privileges through unprotected API endpoints. CVSS 7.2 indicates network-accessible exploitation requiring high-privilege authentication, with high impact across confidentiality, integrity, and availability. EPSS score of 0.06% (18th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis; the Patchstack vulnerability database classifies the issue as both authentication bypass and privilege escalation.
Authentication Bypass
Privilege Escalation
-
CVE-2025-49935
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in xtemos WoodMart woodmart allows PHP Local File Inclusion. This issue affects WoodMart: from n/a through < 8.3.2.
PHP
Information Disclosure
LFI
-
CVE-2025-49930
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions through 3.5.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but carries a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component. EPSS probability is low (0.07%, 22nd percentile), indicating minimal observed exploitation attempts, and no public exploit code or CISA KEV listing exists at time of analysis.
PHP
WordPress
XSS
-
CVE-2025-49926
HIGH
CVSS 7.2
Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection. This issue affects Kalium: from n/a through <= 3.25.
RCE
Code Injection
-
CVE-2025-49925
HIGH
CVSS 7.5
Missing Authorization vulnerability in VibeThemes WPLMS wplms_plugin allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPLMS: from n/a through <= 1.9.9.7.
Authentication Bypass
-
CVE-2025-49924
HIGH
CVSS 7.2
Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation. This issue affects Wholesale Suite: from n/a through <= 2.2.4.2.
WordPress
Privilege Escalation
-
CVE-2025-49921
HIGH
CVSS 7.5
Local file inclusion in the Crocoblock JetReviews plugin versions through 3.0.0 allows authenticated attackers with low-level privileges to include arbitrary files on the WordPress server via a PHP file inclusion flaw. With EPSS at 0.13% (33rd percentile), exploitation likelihood is currently low. No active exploitation confirmed (not in CISA KEV); Patchstack has published an advisory. Include-based flaws execute any PHP file the web server can read and, combined with a stream wrapper or a file-write primitive such as a log or an upload, can expose configuration files (wp-config.php holds the database credentials and authentication salts) or lead to code execution.
PHP
Information Disclosure
LFI
-
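The LFI and path traversal entries on this page (Businext, SmilePure, WoodMart, JetReviews, WP Abstracts and the ThimPress/AmentoTech traversal issues) share one root pattern: a request parameter reaches include/require or a filesystem path unchanged. The block below is an added example, not code from any of those products. It shows the vulnerable shape and two ways to constrain it, an allowlist and realpath() containment, against a constructed template directory in the system temp folder. Directory and template names are constructed for the demo; requires PHP 8.

```php
<?php
declare(strict_types=1);

// Added example, not code from any theme or plugin on this page. Shows the
// include/require pattern behind the "PHP Local File Inclusion" and "Path
// Traversal" entries and two hardened replacements. All files and names below
// are constructed for the demo.

// Vulnerable: the request parameter is spliced straight into the include path.
// "../" walks out of the template directory, and because include executes PHP,
// any readable .php file on the host becomes reachable.
function load_template_vulnerable(string $templateDir, string $name): string
{
    return $templateDir . '/' . $name . '.php';
}

// Hardened A: an allowlist. The parameter only selects among known names, so no
// attacker-controlled bytes ever reach the filesystem API.
function resolve_template_allowlist(string $templateDir, string $name, array $allowed): ?string
{
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    return $templateDir . '/' . $name . '.php';
}

// Hardened B: for genuinely dynamic names, canonicalise and prove containment.
// realpath() resolves "..", "." and symlinks and returns false for missing
// files, so anything outside $templateDir fails the prefix comparison.
function resolve_template_contained(string $templateDir, string $name): ?string
{
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    // Cheap syntactic rejection first (a NUL byte makes realpath() throw on PHP 8).
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '/')
        || str_contains($name, '\\') || str_contains($name, '..')) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout: one legitimate template and one file outside the directory.
$root      = sys_get_temp_dir() . '/lfi-demo-' . getmypid();
$templates = $root . '/templates';
mkdir($templates, 0700, true);
file_put_contents($templates . '/grid.php', "<?php return 'grid template';\n");
file_put_contents($root . '/secret.php', "<?php return 'file outside the template directory';\n");

$probe = '../secret'; // what a traversal attempt looks like as a parameter value

$path   = load_template_vulnerable($templates, $probe);
$result = include $path;                       // executes secret.php
echo 'vulnerable:  ', $result, "\n";

var_dump(resolve_template_allowlist($templates, $probe, ['grid', 'list'])); // NULL
var_dump(resolve_template_contained($templates, $probe));                   // NULL

$path   = resolve_template_contained($templates, 'grid');
$result = include $path;
echo 'contained:   ', $result, "\n";           // grid template

// Remove the constructed files.
unlink($templates . '/grid.php');
unlink($root . '/secret.php');
rmdir($templates);
rmdir($root);
```

Prefer the allowlist whenever the set of templates is known at development time; the containment check is the fallback for user-named files, and it must run on the canonicalised path, not on the string the request supplied, or a symlink inside the template directory defeats it.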
CVE-2025-49916
HIGH
CVSS 8.6
Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MultiVendorX: from n/a through <= 4.2.23.
WordPress
Authentication Bypass
-
CVE-2025-49378
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection. This issue affects Hydra Booking: from n/a through <= 1.1.10.
SQLi
-
CVE-2025-48338
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kevon Adonis WP Abstracts wp-abstracts-manuscripts-manager allows PHP Local File Inclusion. This issue affects WP Abstracts: from n/a through <= 2.7.4.
PHP
Information Disclosure
LFI
-
CVE-2025-48091
HIGH
CVSS 8.5
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alexander AnyComment anycomment allows SQL Injection. This issue affects AnyComment: from n/a through <= 0.3.6.
SQLi
-
CVE-2025-30944
HIGH
CVSS 7.5
Missing Authorization vulnerability in Essekia Tablesome Table Premium tablesome-premium allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Tablesome Table Premium: from n/a through <= 1.1.23.
Authentication Bypass
-
CVE-2025-62073
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Sovlix MeetingHub meetinghub. This issue affects MeetingHub: from n/a through <= 1.23.9.
Authentication Bypass
-
CVE-2025-62072
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users. This issue affects Front End Users: from n/a through <= 3.2.33.
Authentication Bypass
-
CVE-2025-62071
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso social-testimonials-and-reviews-widget. This issue affects Social proof testimonials and reviews by Repuso: from n/a through <= 5.29.
Authentication Bypass
-
CVE-2025-62070
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in WPXPO WowRevenue revenue. This issue affects WowRevenue: from n/a through <= 1.2.13.
Authentication Bypass
-
CVE-2025-62062
MEDIUM
CVSS 5.5
Insertion of Sensitive Information Into Sent Data vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Retrieve Embedded Sensitive Data. This issue affects Easy Post Submission: from n/a through <= 1.7.0.
Information Disclosure
-
CVE-2025-62061
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in impleCode Product Catalog Simple post-type-x. This issue affects Product Catalog Simple: from n/a through <= 1.8.4.
CSRF
-
CVE-2025-62052
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Horea Radu One Page Express Companion one-page-express-companion. This issue affects One Page Express Companion: from n/a through <= 1.6.43.
Authentication Bypass
-
CVE-2025-62048
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo. This issue affects SmartCrawl: from n/a through <= 3.14.3.
WordPress
Authentication Bypass
-
CVE-2025-62021
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Made Neat Acknowledgify acknowledgify. This issue affects Acknowledgify: from n/a through <= 1.1.3.
Authentication Bypass
-
CVE-2025-62013
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in POSIMYTH UiChemy uichemy. This issue affects UiChemy: from n/a through <= 4.0.0.
Authentication Bypass
-
CVE-2025-62009
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") UPC/EAN/GTIN Code Generator upc-ean-barcode-generator allows Cross Site Request Forgery. This issue affects UPC/EAN/GTIN Code Generator: from n/a through <= 2.0.2.
CSRF
-
CVE-2025-62006
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in VeronaLabs WP SMS wp-sms. This issue affects WP SMS: from n/a through <= 7.0.1.
Authentication Bypass
-
CVE-2025-60134
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery. This issue affects WP Media Categories: from n/a through <= 2.1.0.
CSRF
-
CVE-2025-60131
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoefff Werk aan de Muur werk-aan-de-muur allows Stored XSS. This issue affects Werk aan de Muur: from n/a through <= 1.5.
XSS
-
CVE-2025-59593
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS. This issue affects Colibri Page Builder: from n/a through < 1.0.334.
XSS
-
CVE-2025-59575
MEDIUM
CVSS 4.9
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Retrieve Embedded Sensitive Data. This issue affects MasterStudy LMS: from n/a through <= 3.6.20.
Information Disclosure
-
CVE-2025-58970
MEDIUM
CVSS 6.3
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection. This issue affects Doctreat: from n/a through <= 1.6.7.
XSS
-
CVE-2025-53424
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
WordPress
Authentication Bypass
-
CVE-2025-53421
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accordion: from n/a through <= 2.3.14.
Authentication Bypass
-
CVE-2025-52757
MEDIUM
CVSS 6.5
Unauthenticated attackers can bypass access controls in SUMO Memberships for WooCommerce versions below 7.8.0 to perform unauthorized actions including content modification and deletion through incorrectly configured membership level enforcement. The vulnerability requires user interaction (UI:R) but affects confidentiality, integrity, and availability of protected content. No public exploit code or active exploitation has been confirmed.
WordPress
Authentication Bypass
-
CVE-2025-52738
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Wikimedia Foundation Wikipedia Preview wikipedia-preview allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wikipedia Preview: from n/a through <= 1.15.0.
Authentication Bypass
-
CVE-2025-49961
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Breeze Team Breeze Checkout breeze-checkout allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Breeze Checkout: from n/a through <= 1.4.0.
Authentication Bypass
-
CVE-2025-49952
MEDIUM
CVSS 6.5
Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.
Authentication Bypass
-
CVE-2025-49949
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Templazee: from n/a through <= 1.0.2.
Authentication Bypass
-
CVE-2025-49939
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin through version 2.7.8 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user sessions. The vulnerability requires user interaction (UI:R) and affects authenticated users (PR:L), limiting immediate blast radius but posing persistent risk to WordPress installations using this Elementor extension.
PHP
WordPress
XSS
-
CVE-2025-49938
MEDIUM
CVSS 6.5
Stored XSS in the Crocoblock JetEngine WordPress plugin versions 3.7.3 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability requires user interaction (UI:R) to trigger and has low confidentiality, integrity, and availability impact. With EPSS at 0.07% and no CISA KEV listing, this represents a low-probability but real risk that warrants patching in multi-user WordPress environments.
PHP
WordPress
XSS
-
CVE-2025-49937
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in Syed Balkhi Smash Balloon Social Post Feed custom-facebook-feed allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smash Balloon Social Post Feed: from n/a through <= 4.3.2.
Authentication Bypass
-
CVE-2025-49934
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in the Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R); its EPSS score of 0.06% indicates very low real-world exploitation likelihood despite the moderate CVSS 6.5 rating.
XSS
-
CVE-2025-49933
MEDIUM
CVSS 6.5
Reflected cross-site scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4 allows authenticated users to inject malicious scripts that execute in other users' browsers when they interact with crafted links. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk; EPSS score of 0.07% indicates low exploitation probability despite the moderate CVSS 6.5 rating.
PHP
WordPress
XSS
-
CVE-2025-49932
MEDIUM
CVSS 6.5
Stored Cross-Site Scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4.1 allows authenticated users with low privileges to inject malicious scripts that persist in web pages and execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. EPSS score of 0.07% and lack of public exploit code indicate low real-world exploitation probability despite the moderate CVSS 6.5 score.
PHP
WordPress
XSS
-
CVE-2025-49928
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in the Crocoblock JetWooBuilder plugin through version 2.1.20 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (UI:R per the CVSS vector) and affects the plugin's web page generation functions. No public exploit code or active exploitation has been confirmed; the moderate CVSS 6.5 score and low EPSS probability (0.07%, 22nd percentile) suggest limited real-world attack incentive, even though a low-privilege account is a low barrier on many WordPress sites.
PHP
WordPress
XSS
-
CVE-2025-49927
MEDIUM
CVSS 6.5
Stored XSS vulnerability in Crocoblock JetWooBuilder WordPress plugin versions up to 2.1.20.1 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) from victims and affects the confidentiality, integrity, and availability of website content. No public exploit code or active exploitation has been confirmed at time of analysis.
PHP
WordPress
XSS
-
CVE-2025-49923
MEDIUM
CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows DOM-Based XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.11.1.
XSS
-
CVE-2025-49922
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in etruel WPeMatico RSS Feed Fetcher wpematico allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPeMatico RSS Feed Fetcher: from n/a through <= 2.8.3.
Authentication Bypass
-
CVE-2025-49920
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Web Accessibility By accessiBe: from n/a through <= 2.10.
Authentication Bypass
-
CVE-2025-49913
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in CoSchedule CoSchedule coschedule-by-todaymade allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CoSchedule: from n/a through <= 3.4.0.
Authentication Bypass
-
CVE-2025-49907
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MDTF: from n/a through <= 1.3.3.9.
Authentication Bypass
-
CVE-2025-49906
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in StellarWP WPComplete wpcomplete allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WPComplete: from n/a through <= 2.9.5.3.
Authentication Bypass
-
CVE-2025-49903
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ZoloBlocks: from n/a through <= 2.3.11.
Authentication Bypass
-
CVE-2025-49899
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in jjlemstra Whydonate wp-whydonate allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Whydonate: from n/a through <= 4.0.15.
Authentication Bypass
-
CVE-2025-49377
MEDIUM
CVSS 6.3
Missing Authorization vulnerability in Themefic Hydra Booking hydra-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through <= 1.1.9.
Authentication Bypass
-
CVE-2025-49376
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects DELUCKS SEO: from n/a through <= 2.5.9.
Authentication Bypass
-
CVE-2025-49374
MEDIUM
CVSS 5.4
Server-Side Request Forgery (SSRF) vulnerability in captcha.eu Captcha.eu captcha-eu allows Server Side Request Forgery. This issue affects Captcha.eu: from n/a through <= 1.0.61.
SSRF
-
CVE-2025-49373
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery. This issue affects Evergreen Content Poster: from n/a through <= 1.4.5.
CSRF
-
CVE-2025-48096
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom CSS: from n/a through <= 1.4.0.
Authentication Bypass
-
CVE-2025-24934
MEDIUM
CVSS 5.4
FreeBSD kernel fails to properly validate socket connection state when adding sockets to SO_REUSEPORT_LB load-balancing groups, allowing connected sockets to receive packets from arbitrary hosts instead of only from their connected peer. This breaks the fundamental contract of the connect(2) and sendto(2) system calls, creating a spoofing vulnerability where applications believe they are receiving authenticated peer traffic but may actually receive unsolicited packets from any host. The vulnerability can be triggered by remote attackers with user-level privileges on systems running vulnerable FreeBSD versions.
Information Disclosure
-
CVE-2025-11824
MEDIUM
CVSS 6.4
Stored cross-site scripting in Cinza Grid WordPress plugin versions up to 1.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'cgrid_skin_content' post meta field, which executes when other users view the affected pages. The vulnerability stems from missing input sanitization and output escaping in backend processing functions. CVSS 6.4 reflects moderate impact with network-accessible attack surface, though exploitation requires valid WordPress contributor-level credentials.
WordPress
XSS
-
CVE-2025-11809
MEDIUM
CVSS 6.4
Stored Cross-Site Scripting in WP-Force Images Download WordPress plugin versions up to 1.8 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class' attribute of the 'wpfid' shortcode due to insufficient input sanitization and output escaping. The vulnerability executes malicious scripts in the browser of any user viewing an affected page, potentially enabling account compromise, malware distribution, or defacement with CVSS 6.4 (medium severity). No public exploit code or confirmed active exploitation has been identified at time of analysis.
WordPress
XSS
-
CVE-2025-10047
MEDIUM
CVSS 4.9
SQL injection in Email Tracker plugin for WordPress (versions up to 5.3.15) allows authenticated administrators to extract sensitive database information via the 'orderby' parameter due to insufficient escaping and query preparation. CVSS 4.9 reflects high confidentiality impact but requires high-privilege authenticated access; no public exploit code or active exploitation confirmed at analysis time.
WordPress
SQLi