32 CVEs tracked today. 2 Critical, 15 High, 14 Medium, 0 Low.
-
CVE-2025-62959
CRITICAL
CVSS 9.1
Remote code execution in the VideoWhisper Paid Videochat Turnkey Site WordPress plugin (versions up to 7.3.23) allows authenticated administrators to inject and execute arbitrary code through code injection vulnerabilities. The CVSS 9.1 severity reflects scope change and high impact across confidentiality, integrity, and availability. EPSS exploitation probability is low at 0.04% (13th percentile), and no public exploit identified at time of analysis, suggesting this remains a theoretical high-severity issue requiring privileged access rather than an imminent mass-exploitation threat.
WordPress
PHP
Code Injection
RCE
-
CVE-2025-62919
CRITICAL
CVSS 9.1
Unauthenticated remote attackers can bypass authorization controls in TS Demo Importer plugin for WordPress (versions ≤0.1.3), enabling high-impact integrity and availability compromise through misconfigured access control. EPSS scoring at 7th percentile (0.07%) suggests low observed exploitation probability. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the authentication bypass tag and critical CVSS 9.1 rating warrant immediate attention for exposed WordPress installations.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62964
HIGH
CVSS 8.1
Broken access control in RealMag777 MDTF (WordPress Meta Data Filter and Taxonomy Filter) plugin versions up to 1.3.6 allows low-privileged authenticated users to bypass authorization controls and access or modify sensitive metadata and taxonomy filter configurations. While rated CVSS 8.1 (High), real-world exploitation risk remains moderate with EPSS at 0.03% (9th percentile) and no confirmed active exploitation or public exploit code identified at time of analysis. This authentication bypass vulnerability was disclosed by Patchstack's security audit team.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62954
HIGH
CVSS 8.8
Broken access control in Revive Old Posts (tweet-old-post) WordPress plugin through version 9.3.3 allows authenticated attackers with low-level privileges to escalate permissions and execute high-impact operations including data exfiltration, modification, and service disruption. EPSS score of 0.05% (15th percentile) indicates low probability of mass exploitation, though the 8.8 CVSS score reflects significant potential damage once low-privilege access is obtained. No public exploit identified at time of analysis, and no CISA KEV listing exists.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62953
HIGH
CVSS 8.8
Broken access control in Welcart e-Commerce WordPress plugin through version 2.11.24 allows authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. This authentication bypass vulnerability (CWE-862) enables low-privileged authenticated attackers to access, modify, or delete data beyond their permission level, potentially compromising store operations, customer data, and site integrity. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, though no public exploit has been identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62952
HIGH
CVSS 8.8
Broken access control in QuantumCloud ChatBot plugin for WordPress through version 7.7.3 allows authenticated attackers with low privileges to exploit misconfigured authorization checks, potentially leading to high-impact data breaches, unauthorized modifications, and service disruption. EPSS scoring indicates low exploitation probability (0.05%, 15th percentile), and no public exploit identified at time of analysis. The vulnerability stems from missing authorization controls (CWE-862), requiring only network access and low-privilege credentials with no user interaction, making it readily exploitable once an account is compromised.
Information Disclosure
-
CVE-2025-62947
HIGH
CVSS 7.5
Sensitive data exposure in the Publitio WordPress plugin (versions ≤2.2.5) allows unauthenticated remote attackers to retrieve embedded sensitive information through network requests. The vulnerability exposes confidential data with high impact to confidentiality (CVSS C:H), though exploitation probability remains low (EPSS 3rd percentile). No public exploit identified at time of analysis, and exploitation requires no privileges or user interaction (PR:N/UI:N), making it trivially exploitable if targeted.
Information Disclosure
-
CVE-2025-62935
HIGH
CVSS 8.1
Missing authorization controls in the Open Close WooCommerce Store plugin (versions ≤4.9.9) allow authenticated low-privileged users to bypass access restrictions and perform unauthorized high-impact operations, potentially modifying store configuration or accessing sensitive data. With CVSS 8.1 (High severity) but only 0.03% EPSS (9th percentile), this represents a significant vulnerability for affected WordPress/WooCommerce sites, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The authentication requirement (PR:L) substantially limits attack surface compared to unauthenticated vulnerabilities.
WordPress
Woocommerce
PHP
Authentication Bypass
-
CVE-2025-62932
HIGH
CVSS 8.8
WordPress Table Block by RioVizual plugin versions through 3.0.0 contains a broken access control vulnerability allowing authenticated attackers with low privileges to bypass authorization checks and perform high-impact actions including data theft, modification, and service disruption. The CVSS score of 8.8 reflects network-accessible exploitation with low complexity requiring only minimal authentication. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, with no public exploit identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62931
HIGH
CVSS 8.8
Broken access control in MSN Partner Hub WordPress plugin allows authenticated attackers with low privileges to bypass authorization controls and gain unauthorized access to high-privilege functions. This CWE-862 missing authorization flaw affects versions through 2.9, enabling authenticated users to execute actions beyond their intended permission level. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
Microsoft
Authentication Bypass
-
CVE-2025-62925
HIGH
CVSS 8.1
Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.
WordPress
Woocommerce
PHP
Authentication Bypass
-
CVE-2025-62918
HIGH
CVSS 8.8
Broken access control in IgnitionDeck WordPress plugin (versions ≤2.0.15) enables authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. The vulnerability requires low-privilege authentication but has low attack complexity (CVSS 8.8, AV:N/AC:L/PR:L), allowing compromise of confidentiality, integrity, and availability. EPSS probability is low (0.05%, 15th percentile), and no public exploit is identified at time of analysis, suggesting limited active targeting despite the high severity rating.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62916
HIGH
CVSS 8.8
Broken access control in WP Flights & Hotels Booking WP Plugin (adiaha-hotel) versions ≤3.1 allows authenticated users with low privileges to bypass authorization checks and gain unauthorized access to high-impact functionality. Attackers can achieve complete compromise of confidentiality, integrity, and availability within the plugin's scope. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62902
HIGH
CVSS 7.5
Sensitive system information disclosure in ThemeHunk WP Popup Builder plugin for WordPress (versions ≤1.3.8) allows unauthenticated remote attackers to retrieve embedded sensitive data without authentication. The vulnerability presents a CVSS 7.5 HIGH severity with confirmed network-based exploitation requiring no user interaction. EPSS score of 0.03% (10th percentile) indicates minimal observed exploitation activity, and no public exploit identified at time of analysis. The flaw stems from improper exposure of sensitive information to unauthorized control spheres (CWE-497).
WordPress
PHP
Information Disclosure
Wp Popup Builder
-
CVE-2025-62895
HIGH
CVSS 7.5
Sensitive data exposure in Atarim Visual Collaboration WordPress plugin (versions through 4.2.1) allows unauthenticated remote attackers to retrieve embedded confidential information via network-accessible endpoints. The vulnerability enables direct extraction of sensitive data with no authentication required and low attack complexity. EPSS score of 0.03% (10th percentile) indicates minimal current exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.
WordPress
PHP
Information Disclosure
-
CVE-2025-62889
HIGH
CVSS 8.8
Broken access control in King Addons for Elementor (WordPress plugin) versions through 51.1.61 allows authenticated attackers with low privileges to bypass authorization checks and gain unauthorized access to high-privilege functionality. The CVSS 8.8 score reflects potential for full compromise (high confidentiality, integrity, and availability impact), though the EPSS score of 0.05% (15th percentile) indicates minimal real-world exploitation observed. No public exploit code or CISA KEV listing identified at time of analysis. The vulnerability stems from improperly configured access control security levels (CWE-862: Missing Authorization), enabling privilege escalation by low-privileged users.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62886
HIGH
CVSS 8.8
Cross-Site Request Forgery (CSRF) vulnerability in wpdevart Pricing Table builder WordPress plugin (versions up to 1.5.3) enables stored Cross-Site Scripting (XSS) attacks through social engineering. Unauthenticated remote attackers can trick administrators into executing malicious actions that inject persistent JavaScript code into the WordPress site. EPSS score of 0.02% (4th percentile) indicates minimal observed exploitation activity, with no CISA KEV listing or public exploit identified at time of analysis. The CVSS score of 8.8 reflects the high impact potential when user interaction succeeds, though real-world risk depends heavily on social engineering effectiveness.
WordPress
PHP
CSRF
XSS
-
CVE-2025-62977
MEDIUM
CVSS 5.3
Missing authorization controls in the Baidu SEO Collection WordPress plugin versions up to 2.1.4 allow unauthenticated remote attackers to access restricted functionality and retrieve sensitive information without proper permission checks. The vulnerability affects the plugin's core access control mechanisms, enabling unauthorized information disclosure with a CVSS score of 5.3. EPSS exploitation probability is low at 0.03%, and no active exploitation has been confirmed.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62971
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in CrestaProject Attesa Extra WordPress plugin versions 1.4.7 and earlier allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions. The vulnerability requires user interaction (clicking a malicious link) to trigger the payload, affects confidentiality, integrity, and availability, and carries a moderate CVSS score of 6.5 despite very low EPSS exploitation probability (0.02%, 7th percentile), suggesting limited real-world weaponization despite the vector permitting network-based attacks.
XSS
WordPress
PHP
-
CVE-2025-62970
MEDIUM
CVSS 5.3
Link Whisper Free WordPress plugin through version 0.9.2 allows unauthenticated remote attackers to read sensitive information via missing authorization checks on API endpoints. The vulnerability enables bypassing access controls to retrieve data that should be restricted, confirmed with CVSS 5.3 and EPSS 0.03% exploitation probability. No public exploit code or active exploitation has been identified at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62969
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in XLPlugins NextMove Lite WordPress plugin versions through 2.23.0 allows authenticated users with low privileges to inject malicious scripts into thank-you pages, affecting site visitors with escalated impact in multi-site contexts. The vulnerability requires user interaction (page visit) and leverages the plugin's improper input sanitization on web page generation. EPSS exploitation probability is low (0.02%), and no confirmed active exploitation has been reported; however, the stored nature and authenticated attack vector make it a meaningful risk for WordPress sites with untrusted user roles.
WordPress
PHP
XSS
Nextmove
-
CVE-2025-62967
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Designinvento DirectoryPress WordPress plugin through version 3.6.25 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers when they view affected pages. The vulnerability requires user interaction (clicking a malicious link) and can affect website visitors across the entire site, potentially leading to session hijacking, credential theft, or malware distribution. EPSS score of 0.02% indicates low exploitation probability despite the publicly available vulnerability details.
WordPress
PHP
XSS
-
CVE-2025-62963
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in Estatik WordPress plugin through version 4.3.0 allows authenticated attackers with low privileges to inject malicious scripts that execute in the browsers of other users, potentially compromising session tokens, stealing sensitive data, or performing unauthorized actions with a victim's permissions. The vulnerability requires user interaction (clicking a malicious link) and affects the entire web application context. No public exploit code or active exploitation has been identified at the time of analysis, though the low EPSS score (0.02%) suggests limited real-world exploitation despite the moderate CVSS rating.
XSS
-
CVE-2025-62951
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in icc0rz H5P WordPress plugin versions 1.16.0 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other users viewing affected content. The vulnerability stems from improper input sanitization during web page generation and requires user interaction (UI:R) to trigger, affecting confidentiality, integrity, and availability with a CVSS score of 6.5. Despite the moderate CVSS rating, the EPSS score of 0.02% indicates very low real-world exploitation probability at time of analysis, with no public exploit code or active exploitation confirmed.
XSS
-
CVE-2025-62930
MEDIUM
CVSS 6.1
DOM-based cross-site scripting (XSS) in RomanCode MapSVG WordPress plugin versions up to 8.7.22 allows remote attackers to inject malicious scripts into web pages viewed by other users. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of web sessions. Although the CVSS score is 6.1 (medium), the EPSS exploitation probability is very low at 0.02%, and no public exploit code or active exploitation has been identified; this suggests the practical attack likelihood is minimal despite the moderate CVSS rating.
WordPress
PHP
XSS
-
CVE-2025-62923
MEDIUM
CVSS 6.1
DOM-based cross-site scripting (XSS) in Marquee Addons for Elementor WordPress plugin versions through 3.8.2 allows remote attackers to inject malicious scripts through improper input neutralization during web page generation. The vulnerability requires user interaction (UI:R) and affects the confidentiality and integrity of affected websites. While CVSS scores 6.1 (medium), the 0.02% EPSS percentile indicates low real-world exploitation probability despite public awareness.
WordPress
PHP
XSS
-
CVE-2025-62903
MEDIUM
CVSS 5.4
Stored cross-site scripting (XSS) in WPClever WPC Smart Messages for WooCommerce plugin versions up to 4.2.8 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors. The vulnerability requires user interaction (UI:R) and affects confidentiality and integrity through script injection, with a CVSS score of 5.4 reflecting moderate risk; however, the 0.02% EPSS score indicates minimal real-world exploitation probability at time of analysis, and no public exploit code or active exploitation has been confirmed.
WordPress
PHP
XSS
Woocommerce
-
CVE-2025-62897
MEDIUM
CVSS 4.7
Improper neutralization of HTML script tags in WP Recipe Maker through version 10.0.x enables reflected cross-site scripting (XSS) attacks against users. The vulnerability affects the Brecht WP Recipe Maker WordPress plugin and requires user interaction (clicking a malicious link) to exploit. An attacker can inject arbitrary JavaScript into the page context, achieving code execution in the victim's browser with potential to steal session tokens or perform actions on behalf of authenticated users. The vulnerability has low real-world exploitation probability (EPSS 0.02%) and does not appear to be actively exploited in the wild.
WordPress
PHP
XSS
Code Injection
-
CVE-2025-62887
MEDIUM
CVSS 5.4
DOM-based cross-site scripting (XSS) in King Addons for Elementor plugin versions up to 51.1.61 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers when they interact with affected pages. The vulnerability requires user interaction (clicking a link) and affects the confidentiality and integrity of website content, with an EPSS score of 0.02% indicating low real-world exploitation probability despite the moderate CVSS rating of 5.4.
WordPress
PHP
XSS
-
CVE-2025-62885
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in RexTheme WP VR WordPress plugin up to version 8.5.48 allows authenticated users with low privileges to inject malicious scripts that execute in other users' browsers with site-wide scope. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability equally. Exploitation requires valid WordPress account credentials but carries moderate real-world risk given the low EPSS score (0.02%) and authenticated requirement despite the CVSS 6.5 rating.
WordPress
PHP
XSS
-
CVE-2025-62884
MEDIUM
CVSS 5.3
Missing authorization in RelyWP Coupon Affiliates plugin (versions up to 7.2.0) allows unauthenticated remote attackers to access restricted functionality and read sensitive data due to inadequate access control list (ACL) enforcement. The vulnerability requires no authentication and has low attack complexity, enabling attackers to bypass WordPress permission checks and retrieve coupon-related information not intended for public access.
WordPress
PHP
Authentication Bypass
-
CVE-2025-48088
None
Stored Cross-Site Scripting (XSS) in Ultimate Addons for WPBakery Page Builder allows unauthenticated attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects versions prior to 3.21.1, enabling attackers to execute arbitrary JavaScript in the browsers of site visitors, potentially leading to session hijacking, credential theft, or malware distribution. No public exploit code has been identified at the time of analysis, and real-world exploitation probability is minimal (EPSS 0.02%).
WordPress
PHP
XSS