Skip to main content
CVE-2025-49939 MEDIUM This Month

Stored cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin through version 2.7.8 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of site visitors, potentially compromising site integrity and user sessions. The vulnerability requires user interaction (UI:R) and affects authenticated users (PR:L), limiting immediate blast radius but posing persistent risk to WordPress installations using this Elementor extension.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49938 MEDIUM This Month

Stored XSS in Crocoblock JetEngine WordPress plugin versions 3.7.3 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability requires user interaction (UI:R) to trigger and affects confidentiality, integrity, and availability with limited scope. With EPSS at 0.07% and no KEV status indicating active exploitation, this represents a low-probability but real risk requiring patching in multi-user WordPress environments.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49933 MEDIUM This Month

Reflected cross-site scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4 allows authenticated users to inject malicious scripts that execute in other users' browsers when they interact with crafted links. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting but not eliminating real-world risk; EPSS score of 0.07% indicates low exploitation probability despite the moderate CVSS 6.5 rating.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49932 MEDIUM This Month

Stored Cross-Site Scripting (XSS) in Crocoblock JetBlog WordPress plugin through version 2.4.4.1 allows authenticated users with low privileges to inject malicious scripts that persist in web pages and execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. EPSS score of 0.07% and lack of public exploit code indicate low real-world exploitation probability despite the moderate CVSS 6.5 score.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49928 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Crocoblock JetWooBuilder plugin through version 2.1.20 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (UI:R per CVSS) and affects the plugin's web page generation functions. No public exploit code or active exploitation has been confirmed, though the issue carries a moderate CVSS score of 6.5 and low EPSS probability (0.07%, 22nd percentile) suggesting limited real-world attack incentive despite the authentication requirement being relatively low-barrier for WordPress environments.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49927 MEDIUM This Month

Stored XSS vulnerability in Crocoblock JetWooBuilder WordPress plugin versions up to 2.1.20.1 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users viewing affected pages, potentially leading to session hijacking, credential theft, or defacement. The vulnerability requires user interaction (UI:R) from victims and affects the confidentiality, integrity, and availability of website content. No public exploit code or active exploitation has been confirmed at time of analysis.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49934 MEDIUM This Month

Stored cross-site scripting (XSS) in Crocoblock JetBlocks For Elementor plugin versions up to 1.3.18 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity, with an EPSS score of 0.06% indicating very low real-world exploitation likelihood despite the moderate CVSS 5.4 rating.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-49952 MEDIUM This Month

Authorization bypass in Houzez WordPress theme versions up to 4.2.5 allows authenticated users to access or modify resources they should not have permission to reach through insecure direct object reference (IDOR) vulnerabilities. An authenticated attacker with low privileges can exploit inadequately configured access controls to view or modify data belonging to other users, achieving limited information disclosure and integrity compromise. The vulnerability is not confirmed as actively exploited, though the attack vector is network-based with low complexity.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-53421 MEDIUM This Month

Missing Authorization vulnerability in PickPlugins Accordion accordions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accordion: from n/a through <= 2.3.14.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49961 MEDIUM This Month

Missing Authorization vulnerability in Breeze Team Breeze Checkout breeze-checkout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Breeze Checkout: from n/a through <= 1.4.0.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-53424 MEDIUM This Month

Missing Authorization vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-52738 MEDIUM This Month

Missing Authorization vulnerability in Wikimedia Foundation Wikipedia Preview wikipedia-preview allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wikipedia Preview: from n/a through <= 1.15.0.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-48096 MEDIUM This Month

Missing Authorization vulnerability in FRESHFACE Custom CSS custom-css-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom CSS: from n/a through <= 1.4.0.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-52757 MEDIUM This Month

Unauthenticated attackers can bypass access controls in SUMO Memberships for WooCommerce versions below 7.8.0 to perform unauthorized actions including content modification and deletion through incorrectly configured membership level enforcement. The vulnerability requires user interaction (UI:R) but affects confidentiality, integrity, and availability of protected content. No public exploit code or active exploitation has been confirmed.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-11824 MEDIUM This Month

Stored cross-site scripting in Cinza Grid WordPress plugin versions up to 1.2.1 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'cgrid_skin_content' post meta field, which executes when other users view the affected pages. The vulnerability stems from missing input sanitization and output escaping in backend processing functions. CVSS 6.4 reflects moderate impact with network-accessible attack surface, though exploitation requires valid WordPress contributor-level credentials.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-11809 MEDIUM This Month

Stored Cross-Site Scripting in WP-Force Images Download WordPress plugin versions up to 1.8 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class' attribute of the 'wpfid' shortcode due to insufficient input sanitization and output escaping. The vulnerability executes malicious scripts in the browser of any user viewing an affected page, potentially enabling account compromise, malware distribution, or defacement with CVSS 6.4 (medium severity). No public exploit code or confirmed active exploitation has been identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-49377 MEDIUM This Month

Missing Authorization vulnerability in Themefic Hydra Booking hydra-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hydra Booking: from n/a through <= 1.1.9.

Authentication Bypass
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-58970 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in AmentoTech Doctreat doctreat allows Code Injection.This issue affects Doctreat: from n/a through <= 1.6.7.

XSS
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-60131 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zoefff Werk aan de Muur werk-aan-de-muur allows Stored XSS.This issue affects Werk aan de Muur: from n/a through <= 1.5.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-59593 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Colibri Page Builder colibri-page-builder allows Stored XSS.This issue affects Colibri Page Builder: from n/a through < 1.0.334.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49923 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows DOM-Based XSS.This issue affects Seriously Simple Podcasting: from n/a through <= 3.11.1.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62062 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Retrieve Embedded Sensitive Data.This issue affects Easy Post Submission: from n/a through <= 1.7.0.

Information Disclosure
NVD
CVSS 3.1
5.5
EPSS
0.0%
CVE-2025-49374 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in captcha.eu Captcha.eu captcha-eu allows Server Side Request Forgery.This issue affects Captcha.eu: from n/a through <= 1.0.61.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62048 MEDIUM This Month

Missing Authorization vulnerability in WPMU DEV - Your All-in-One WordPress Platform SmartCrawl smartcrawl-seo.This issue affects SmartCrawl: from n/a through <= 3.14.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62006 MEDIUM This Month

Missing Authorization vulnerability in VeronaLabs WP SMS wp-sms.This issue affects WP SMS: from n/a through <= 7.0.1.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-49920 MEDIUM This Month

Missing Authorization vulnerability in accessiBe Web Accessibility By accessiBe accessibe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Web Accessibility By accessiBe: from n/a through <= 2.10.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-24934 MEDIUM This Month

FreeBSD kernel fails to properly validate socket connection state when adding sockets to SO_REUSEPORT_LB load-balancing groups, allowing connected sockets to receive packets from arbitrary hosts instead of only from their connected peer. This breaks the fundamental contract of the connect(2) system call and sendto(2), creating a spoofing vulnerability where applications believe they are receiving authenticated peer traffic but may actually receive unsolicited packets from any host. The vulnerability affects remote attackers with user-level privileges on systems running vulnerable FreeBSD versions.

Information Disclosure
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-49949 MEDIUM This Month

Missing Authorization vulnerability in templazee Templazee templazee allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Templazee: from n/a through <= 1.0.2.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-49376 MEDIUM This Month

Missing Authorization vulnerability in DELUCKS DELUCKS SEO delucks-seo allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects DELUCKS SEO: from n/a through <= 2.5.9.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-49913 MEDIUM This Month

Missing Authorization vulnerability in CoSchedule CoSchedule coschedule-by-todaymade allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CoSchedule: from n/a through <= 3.4.0.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49906 MEDIUM This Month

Missing Authorization vulnerability in StellarWP WPComplete wpcomplete allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPComplete: from n/a through <= 2.9.5.3.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49903 MEDIUM This Month

Missing Authorization vulnerability in bdthemes ZoloBlocks zoloblocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ZoloBlocks: from n/a through <= 2.3.11.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49899 MEDIUM This Month

Missing Authorization vulnerability in jjlemstra Whydonate wp-whydonate allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Whydonate: from n/a through <= 4.0.15.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-59575 MEDIUM This Month

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Stylemix MasterStudy LMS masterstudy-lms-learning-management-system allows Retrieve Embedded Sensitive Data.This issue affects MasterStudy LMS: from n/a through <= 3.6.20.

Information Disclosure
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-10047 MEDIUM This Month

SQL injection in Email Tracker plugin for WordPress (versions up to 5.3.15) allows authenticated administrators to extract sensitive database information via the 'orderby' parameter due to insufficient escaping and query preparation. CVSS 4.9 reflects high confidentiality impact but requires high-privilege authenticated access; no public exploit code or active exploitation confirmed at analysis time.

WordPress SQLi
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-49922 MEDIUM This Month

Missing Authorization vulnerability in etruel WPeMatico RSS Feed Fetcher wpematico allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPeMatico RSS Feed Fetcher: from n/a through <= 2.8.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-62073 MEDIUM This Month

Missing Authorization vulnerability in Sovlix MeetingHub meetinghub.This issue affects MeetingHub: from n/a through <= 1.23.9.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62072 MEDIUM This Month

Missing Authorization vulnerability in Rustaurius Front End Users front-end-only-users.This issue affects Front End Users: from n/a through <= 3.2.33.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62071 MEDIUM This Month

Missing Authorization vulnerability in Repuso Social proof testimonials and reviews by Repuso social-testimonials-and-reviews-widget.This issue affects Social proof testimonials and reviews by Repuso: from n/a through <= 5.29.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62070 MEDIUM This Month

Missing Authorization vulnerability in WPXPO WowRevenue revenue.This issue affects WowRevenue: from n/a through <= 1.2.13.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62052 MEDIUM This Month

Missing Authorization vulnerability in Horea Radu One Page Express Companion one-page-express-companion.This issue affects One Page Express Companion: from n/a through <= 1.6.43.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62021 MEDIUM This Month

Missing Authorization vulnerability in Made Neat Acknowledgify acknowledgify.This issue affects Acknowledgify: from n/a through <= 1.1.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62013 MEDIUM This Month

Missing Authorization vulnerability in POSIMYTH UiChemy uichemy.This issue affects UiChemy: from n/a through <= 4.0.0.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49937 MEDIUM This Month

Missing Authorization vulnerability in Syed Balkhi Smash Balloon Social Post Feed custom-facebook-feed allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smash Balloon Social Post Feed: from n/a through <= 4.3.2.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49907 MEDIUM This Month

Missing Authorization vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MDTF: from n/a through <= 1.3.3.9.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-60134 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Media Categories wp-media-categories allows Cross Site Request Forgery.This issue affects WP Media Categories: from n/a through <= 2.1.0.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62061 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in impleCode Product Catalog Simple post-type-x.This issue affects Product Catalog Simple: from n/a through <= 1.8.4.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62009 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") UPC/EAN/GTIN Code Generator upc-ean-barcode-generator allows Cross Site Request Forgery.This issue affects UPC/EAN/GTIN Code Generator: from n/a through <= 2.0.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49373 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Evergreen Content Poster Evergreen Content Poster evergreen-content-poster allows Cross Site Request Forgery.This issue affects Evergreen Content Poster: from n/a through <= 1.4.5.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy