Privilege escalation in FantasticPlugins SUMO Memberships for WooCommerce (versions ≤7.8.0) allows authenticated users with low-level privileges to elevate permissions and gain unauthorized high-level access to WordPress site functions. The vulnerability stems from incorrect privilege assignment (CWE-266), enabling attackers to bypass intended access controls. With CVSS 8.8 (High) severity, the flaw permits complete compromise of confidentiality, integrity, and availability. EPSS probability is low (0.06%, 17th percentile), and no public exploit identified at time of analysis, though Patchstack has published advisory details.
Privilege escalation in N-Media Simple User Registration (WordPress plugin) through version 6.8 allows authenticated low-privilege users to elevate their access to administrator-level permissions via incorrect privilege assignment. With EPSS at 0.06% (17th percentile) and no public exploit identified at time of analysis, real-world exploitation risk remains low despite the high CVSS score. The vulnerability requires low-privilege authentication (PR:L) but has low attack complexity (AC:L) and no user interaction (UI:N), making it straightforward to exploit once an attacker has basic user credentials.
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iulia Cazan Emails Catch All emails-catch-all allows Password Recovery Exploitation.This issue affects Emails Catch All: from n/a through <= 3.5.3.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThimPress WP Pipes wp-pipes allows Path Traversal.This issue affects WP Pipes: from n/a through <= 1.4.3.
Missing Authorization vulnerability in MultiVendorX MultiVendorX dc-woocommerce-multi-vendor allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MultiVendorX: from n/a through <= 4.2.23.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Alexander AnyComment anycomment allows SQL Injection.This issue affects AnyComment: from n/a through <= 0.3.6.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Businext businext allows PHP Local File Inclusion.This issue affects Businext: from n/a through < 2.4.4.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove SmilePure smilepure allows PHP Local File Inclusion.This issue affects SmilePure: from n/a through < 1.8.5.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows Path Traversal.This issue affects Workreap (theme's plugin): from n/a through <= 3.3.5.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AmentoTech Taskbot taskbot allows Path Traversal.This issue affects Taskbot: from n/a through <= 6.4.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ypromo PT Luxa Addons pt-luxa-addons allows Path Traversal.This issue affects PT Luxa Addons: from n/a through <= 1.2.2.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Josh Kohlbach Advanced Coupons for WooCommerce Coupons advanced-coupons-for-woocommerce-free.This issue affects Advanced Coupons for WooCommerce Coupons: from n/a through <= 4.6.8.
Local file inclusion in Crocoblock JetReviews plugin versions through 3.0.0 allows authenticated attackers with low-level privileges to read arbitrary files on the WordPress server via PHP file inclusion flaws. With EPSS at 0.13% (33rd percentile), exploitation likelihood is currently low. No active exploitation confirmed (not in CISA KEV), but Patchstack has cataloged the vulnerability indicating professional security research attention. Attackers can access sensitive configuration files, credentials, and potentially chain with other vulnerabilities for code execution.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in xtemos WoodMart woodmart allows PHP Local File Inclusion.This issue affects WoodMart: from n/a through < 8.3.2.
Missing Authorization vulnerability in VibeThemes WPLMS wplms_plugin allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPLMS: from n/a through <= 1.9.9.7.
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Kevon Adonis WP Abstracts wp-abstracts-manuscripts-manager allows PHP Local File Inclusion.This issue affects WP Abstracts: from n/a through <= 2.7.4.
Missing Authorization vulnerability in Essekia Tablesome Table Premium tablesome-premium allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Tablesome Table Premium: from n/a through <= 1.1.23.
Missing Authorization vulnerability in BuddyPress BuddyPress buddypress.This issue affects BuddyPress: from n/a through <= 14.3.4.
Code injection in WP Last Modified Info plugin versions ≤1.9.4 allows authenticated attackers with low-level privileges to execute arbitrary code remotely via vulnerable code generation controls. The CVSS 7.4 rating reflects network accessibility, low attack complexity, and scope change enabling cross-boundary impact. EPSS probability is minimal (0.05%, 15th percentile), no active exploitation confirmed (not in CISA KEV), and no public exploit code identified at time of analysis, suggesting limited real-world exploitation activity despite the critical vulnerability class.
Improper Control of Generation of Code ('Code Injection') vulnerability in Laborator Kalium kalium allows Code Injection.This issue affects Kalium: from n/a through <= 3.25.
Privilege escalation in Dokan (WordPress multi-vendor marketplace plugin) versions up to 4.1.3 allows high-privileged users to elevate their permissions beyond intended role boundaries. Reported by Patchstack audit team with EPSS exploitation probability of 0.08% (24th percentile), indicating low real-world exploitation likelihood. No confirmed active exploitation (not in CISA KEV) or public proof-of-concept identified at time of analysis.
Missing authorization in the Billingo WordPress plugin (versions ≤4.3.0) enables authenticated high-privilege users to escalate privileges through unprotected API endpoints. CVSS 7.2 indicates network-accessible exploitation requiring high-privilege authentication with high impact across confidentiality, integrity, and availability. EPSS score of 0.06% (18th percentile) suggests low observed exploitation probability. No CISA KEV listing or public exploit identified at time of analysis, though Patchstack vulnerability database confirms the vulnerability class as both authentication bypass and privilege escalation.
Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation.This issue affects Wholesale Suite: from n/a through <= 2.2.4.2.
Reflected cross-site scripting (XSS) in the Contact Form by Supsystic WordPress plugin (versions through 1.7.36) allows unauthenticated remote attackers to execute malicious JavaScript in victims' browsers via crafted URLs. The vulnerability enables session hijacking, credential theft, and malicious actions performed in the context of the victim's authenticated session. EPSS probability indicates low exploitation likelihood (0.07%, 22nd percentile) with no public exploit identified at time of analysis.
Reflected Cross-Site Scripting (XSS) in WordPress plugin oik-privacy-policy versions ≤1.4.10 allows remote attackers to execute arbitrary JavaScript in victims' browsers. Exploitation requires user interaction (victim must click malicious link). EPSS probability is low (0.07%, 22nd percentile), and no active exploitation is confirmed. Reported by Patchstack security audit team, indicating professional vulnerability disclosure.
Reflected cross-site scripting (XSS) in Crocoblock JetSearch WordPress plugin versions through 3.5.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but carries a changed scope, meaning successful exploitation can impact resources beyond the vulnerable component. EPSS probability is low (0.07%, 22nd percentile), indicating minimal observed exploitation attempts, and no public exploit code or CISA KEV listing exists at time of analysis.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bob Likert Survey Master likert-survey-master allows Reflected XSS.This issue affects Likert Survey Master: from n/a through <= 0.8.0.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Globalis MultiSite Clone Duplicator multisite-clone-duplicator allows Reflected XSS.This issue affects MultiSite Clone Duplicator: from n/a through <= 1.5.3.
Reflected cross-site scripting in NextMove Lite (WordPress thank-you page plugin) versions ≤2.24.0 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but achieves scope change per CVSS vector, enabling session hijacking, credential theft, or malicious actions under victim's WordPress session. EPSS score of 0.03% (8th percentile) indicates low probability of mass exploitation, though XSS vulnerabilities are commonly used in targeted social engineering campaigns against WordPress site administrators.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ERA404 CropRefine croprefine allows Reflected XSS.This issue affects CropRefine: from n/a through <= 1.2.1.
Reflected cross-site scripting in bbPress Notify plugin versions up to 2.19.5 allows unauthenticated remote attackers to execute malicious JavaScript in victim browsers through crafted URLs. The vulnerability stems from improper input sanitization during web page generation (CWE-79). With CVSS 7.1 and changed scope (S:C), successful exploitation enables session hijacking, credential theft, and malicious actions in the victim's context. EPSS score of 0.03% (8th percentile) indicates low observed exploitation probability, and no active exploitation is confirmed (not in CISA KEV), though Patchstack has publicly documented the vulnerability.
Reflected cross-site scripting in Robokassa payment gateway for WooCommerce (versions ≤1.8.5) allows remote attackers to execute malicious JavaScript in victim browsers through specially crafted URLs. The scope-change CVSS flag indicates attackers can impact resources beyond the vulnerable plugin itself, potentially compromising WooCommerce admin sessions or customer payment data. EPSS probability is low (0.03%, 8th percentile), and no active exploitation or public POC has been identified at time of analysis.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Easy Woocommerce Customizer easy-woocommerce-customizer allows Reflected XSS.This issue affects Easy Woocommerce Customizer: from n/a through <= 1.0.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms LITE nex-forms-lite allows Reflected XSS.This issue affects NEX-Forms LITE: from n/a through < 8.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Arevico WP Tactical Popup wp-tactical-popup allows Reflected XSS.This issue affects WP Tactical Popup: from n/a through <= 1.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Munzir Author: Munzir myshouts-shoutbox allows Reflected XSS.This issue affects Author: Munzir: from n/a through <= 0.9.
Cross-Site Request Forgery (CSRF) vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Cross Site Request Forgery.This issue affects SUMO Memberships for WooCommerce: from n/a through < 7.8.0.
Cross-Site Request Forgery (CSRF) vulnerability in johnh10 Video Blogster Lite video-blogster-lite allows Stored XSS.This issue affects Video Blogster Lite: from n/a through <= 1.2.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Toast Plugins Toast Mobile Menu toast-responsive-menu allows Stored XSS.This issue affects Toast Mobile Menu: from n/a through <= 1.0.8.
Reflected cross-site scripting in Email Attachment by Order Status & Products WordPress plugin versions ≤1.0.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers through low-complexity attacks requiring user interaction. The vulnerability enables cross-site scope impact (S:C), allowing attackers to compromise confidentiality, integrity, and availability at a low level across security boundaries. No active exploitation or public POC is confirmed at time of analysis, with EPSS data unavailable for this recently published CVE.