Skip to main content
CVE-2025-62899 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THRIVE - Web Design Gold Coast Photospace Responsive photospace-responsive allows Stored XSS.This issue affects Photospace Responsive: from n/a through <= 2.2.0.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62965 MEDIUM This Month

Missing Authorization vulnerability in wpseek Admin Management Xtended admin-management-xtended allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin Management Xtended : from n/a through <= 2.5.1.

Authentication Bypass
NVD
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-12277 MEDIUM This Month

A flaw has been found in Abdullah-Hasan-Sajjad Online-School up to f09dda77b4c29aa083ff57f4b1eb991b98b68883. This affects an unknown part of the file /studentLogin.php. This manipulation of the argument Email causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-12248 MEDIUM This Month

A security vulnerability has been detected in CLTPHP 3.0. The affected element is an unknown function of the file /home/search.html. Such manipulation of the argument keyword leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-62919 MEDIUM This Month

Unauthenticated remote attackers can bypass authorization controls in TS Demo Importer plugin for WordPress (versions ≤0.1.3), enabling high-impact integrity and availability compromise through misconfigured access control. EPSS scoring at 7th percentile (0.07%) suggests low observed exploitation probability. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the authentication bypass tag and critical CVSS 9.1 rating warrant immediate attention for exposed WordPress installations.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62980 MEDIUM This Month

Missing Authorization vulnerability in MDZ Persian Admnin Fonts persian-admin-fonts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Persian Admnin Fonts: from n/a through <= 4.1.03.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62918 MEDIUM This Month

Broken access control in IgnitionDeck WordPress plugin (versions ≤2.0.15) enables authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. The vulnerability requires low-privilege authentication but has low attack complexity (CVSS 8.8, AV:N/AC:L/PR:L), allowing compromise of confidentiality, integrity, and availability. EPSS probability is low (0.05%, 15th percentile), and no public exploit is identified at time of analysis, suggesting limited active targeting despite the high severity rating.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62916 MEDIUM This Month

Broken access control in WP Flights & Hotels Booking WP Plugin (adiaha-hotel) versions ≤3.1 allows authenticated users with low privileges to bypass authorization checks and gain unauthorized access to high-impact functionality. Attackers can achieve complete compromise of confidentiality, integrity, and availability within the plugin's scope. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62966 MEDIUM This Month

Missing Authorization vulnerability in Apiki GoCache gocache-cdn allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GoCache: from n/a through <= 1.3.6.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62925 MEDIUM This Month

Broken access control in Conversios.io WooCommerce analytics plugin (versions ≤7.2.13) allows authenticated low-privilege users to access or modify high-sensitivity data without proper authorization checks. The vulnerability enables privilege escalation where any authenticated user can bypass intended access restrictions to read confidential information or alter plugin settings/data. EPSS score of 0.03% (9th percentile) indicates low predicted exploitation probability; no public exploit identified at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-61795 MEDIUM PATCH CISA This Month

Denial of service in Apache Tomcat occurs when multipart upload errors leave temporary disk files uncleaned, allowing attackers to exhaust disk space faster than garbage collection reclaims it. Affected versions 8.5.0-8.5.100 (EOL), 9.0.0-M1-9.0.109, 10.1.0-M1-10.1.46, and 11.0.0-M1-11.0.11 require authenticated access (PR:L) and high attack complexity, making real-world exploitation limited despite the medium CVSS score.

Apache Tomcat Information Disclosure Red Hat Suse
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62944 MEDIUM This Month

Missing Authorization vulnerability in Mark O'Donnell MSTW CSV EXPORTER mstw-csv-exporter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MSTW CSV EXPORTER: from n/a through <= 1.4.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62946 MEDIUM This Month

Missing Authorization vulnerability in everestthemes Everest Backup everest-backup allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Everest Backup: from n/a through <= 2.3.8.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62892 MEDIUM This Month

Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Sunshine Photo Cart: from n/a through <= 3.5.3.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62976 MEDIUM This Month

Missing Authorization vulnerability in Joovii Sendle Shipping official-sendle-shipping-method allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Sendle Shipping: from n/a through <= 6.02.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62922 MEDIUM This Month

Missing Authorization vulnerability in Shambhu Patnaik Export Categories export-categories allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Export Categories: from n/a through <= 1.0.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62902 MEDIUM This Month

Sensitive system information disclosure in ThemeHunk WP Popup Builder plugin for WordPress (versions ≤1.3.8) allows unauthenticated remote attackers to retrieve embedded sensitive data without authentication. The vulnerability presents a CVSS 7.5 HIGH severity with confirmed network-based exploitation requiring no user interaction. EPSS score of 0.03% (10th percentile) indicates minimal observed exploitation activity, and no public exploit identified at time of analysis. The flaw stems from improper exposure of sensitive information to unauthorized control spheres (CWE-497).

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62895 MEDIUM This Month

Sensitive data exposure in Atarim Visual Collaboration WordPress plugin (versions through 4.2.1) allows unauthenticated remote attackers to retrieve embedded confidential information via network-accessible endpoints. The vulnerability enables direct extraction of sensitive data with no authentication required and low attack complexity. EPSS score of 0.03% (10th percentile) indicates minimal current exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62977 MEDIUM This Month

Missing authorization controls in the Baidu SEO Collection WordPress plugin versions up to 2.1.4 allow unauthenticated remote attackers to access restricted functionality and retrieve sensitive information without proper permission checks. The vulnerability affects the plugin's core access control mechanisms, enabling unauthorized information disclosure with a CVSS score of 5.3. EPSS exploitation probability is low at 0.03%, and no active exploitation has been confirmed.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62970 MEDIUM This Month

Link Whisper Free WordPress plugin through version 0.9.2 allows unauthenticated remote attackers to read sensitive information via missing authorization checks on API endpoints. The vulnerability enables bypassing access controls to retrieve data that should be restricted, confirmed with CVSS 5.3 and EPSS 0.03% exploitation probability. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62964 MEDIUM This Month

Broken access control in RealMag777 MDTF (WordPress Meta Data Filter and Taxonomy Filter) plugin versions up to 1.3.6 allows low-privileged authenticated users to bypass authorization controls and access or modify sensitive metadata and taxonomy filter configurations. While rated CVSS 8.1 (High), real-world exploitation risk remains moderate with EPSS at 0.03% (9th percentile) and no confirmed active exploitation or public exploit code identified at time of analysis. This authentication bypass vulnerability was disclosed by Patchstack's security audit team.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62884 MEDIUM This Month

Missing authorization in RelyWP Coupon Affiliates plugin (versions up to 7.2.0) allows unauthenticated remote attackers to access restricted functionality and read sensitive data due to inadequate access control list (ACL) enforcement. The vulnerability requires no authentication and has low attack complexity, enabling attackers to bypass WordPress permission checks and retrieve coupon-related information not intended for public access.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62897 MEDIUM This Month

Improper neutralization of HTML script tags in WP Recipe Maker through version 10.0.x enables reflected cross-site scripting (XSS) attacks against users. The vulnerability affects the Brecht WP Recipe Maker WordPress plugin and requires user interaction (clicking a malicious link) to exploit. An attacker can inject arbitrary JavaScript into the page context, achieving code execution in the victim's browser with potential to steal session tokens or perform actions on behalf of authenticated users. The vulnerability has low real-world exploitation probability (EPSS 0.02%) and does not appear to be actively exploited in the wild.

XSS
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62947 MEDIUM This Month

Sensitive data exposure in the Publitio WordPress plugin (versions ≤2.2.5) allows unauthenticated remote attackers to retrieve embedded sensitive information through network requests. The vulnerability exposes confidential data with high impact to confidentiality (CVSS C:H), though exploitation probability remains low (EPSS 3rd percentile). No public exploit identified at time of analysis, and exploitation requires no privileges or user interaction (PR:N/UI:N), making it trivially exploitable if targeted.

Information Disclosure
NVD
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-62988 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in Codeless Slider Templates slider-templates allows Server Side Request Forgery.This issue affects Slider Templates: from n/a through <= 1.0.3.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-62981 MEDIUM This Month

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Phishing.This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.8.

Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-62928 MEDIUM This Month

Missing Authorization vulnerability in Joby Joseph SEO Meta Description Updater seo-meta-description-updater allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SEO Meta Description Updater: from n/a through <= 1.2.0.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-62915 MEDIUM This Month

Missing Authorization vulnerability in clicksend SMS Contact Form 7 Notifications by ClickSend clicksend-contactform7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SMS Contact Form 7 Notifications by ClickSend: from n/a through <= 1.4.0.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-62906 MEDIUM This Month

Missing Authorization vulnerability in epiphanyit321 Referral Link Tracker referral-link-tracker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Referral Link Tracker: from n/a through <= 1.1.4.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-62954 MEDIUM This Month

Broken access control in Revive Old Posts (tweet-old-post) WordPress plugin through version 9.3.3 allows authenticated attackers with low-level privileges to escalate permissions and execute high-impact operations including data exfiltration, modification, and service disruption. EPSS score of 0.05% (15th percentile) indicates low probability of mass exploitation, though the 8.8 CVSS score reflects significant potential damage once low-privilege access is obtained. No public exploit identified at time of analysis, and no CISA KEV listing exists.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62953 MEDIUM This Month

Broken access control in Welcart e-Commerce WordPress plugin through version 2.11.24 allows authenticated users to bypass authorization checks and perform unauthorized actions with elevated privileges. This authentication bypass vulnerability (CWE-862) enables low-privileged authenticated attackers to access, modify, or delete data beyond their permission level, potentially compromising store operations, customer data, and site integrity. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, though no public exploit has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62952 MEDIUM This Month

Broken access control in QuantumCloud ChatBot plugin for WordPress through version 7.7.3 allows authenticated attackers with low privileges to exploit misconfigured authorization checks, potentially leading to high-impact data breaches, unauthorized modifications, and service disruption. EPSS scoring indicates low exploitation probability (0.05%, 15th percentile), and no public exploit identified at time of analysis. The vulnerability stems from missing authorization controls (CWE-862), requiring only network access and low-privilege credentials with no user interaction, making it readily exploitable once an account is compromised.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62932 MEDIUM This Month

WordPress Table Block by RioVizual plugin versions through 3.0.0 contains a broken access control vulnerability allowing authenticated attackers with low privileges to bypass authorization checks and perform high-impact actions including data theft, modification, and service disruption. The CVSS score of 8.8 reflects network-accessible exploitation with low complexity requiring only minimal authentication. EPSS score of 0.05% (15th percentile) suggests low immediate exploitation probability, with no public exploit identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62931 MEDIUM This Month

Broken access control in MSN Partner Hub WordPress plugin allows authenticated attackers with low privileges to bypass authorization controls and gain unauthorized access to high-privilege functions. This CWE-862 missing authorization flaw affects versions through 2.9, enabling authenticated users to execute actions beyond their intended permission level. EPSS score of 0.05% (15th percentile) indicates low observed exploitation probability, and no public exploit code or CISA KEV listing exists at time of analysis.

Microsoft Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62938 MEDIUM This Month

Missing Authorization vulnerability in Reoon Technology Reoon Email Verifier reoon-email-verifier allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Reoon Email Verifier: from n/a through <= 2.0.1.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62909 MEDIUM This Month

Missing Authorization vulnerability in mrityunjay Smart WeTransfer smart-wetransfer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Smart WeTransfer: from n/a through <= 1.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62978 MEDIUM This Month

Missing Authorization vulnerability in Kiotviet KiotViet Sync kiotvietsync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiotViet Sync: from n/a through <= 1.8.5.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62972 MEDIUM This Month

Missing Authorization vulnerability in WPWebinarSystem WebinarPress wp-webinarsystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WebinarPress: from n/a through <= 1.33.28.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62882 MEDIUM This Month

Missing Authorization vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Seriously Simple Podcasting: from n/a through <= 3.13.0.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62881 MEDIUM This Month

Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-for-ebay allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP-Lister Lite for eBay: from n/a through <= 3.8.3.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62935 MEDIUM This Month

Missing authorization controls in the Open Close WooCommerce Store plugin (versions ≤4.9.9) allow authenticated low-privileged users to bypass access restrictions and perform unauthorized high-impact operations, potentially modifying store configuration or accessing sensitive data. With CVSS 8.1 (High severity) but only 0.03% EPSS (9th percentile), this represents a significant vulnerability for affected WordPress/WooCommerce sites, though no public exploit or active exploitation (CISA KEV) has been identified at time of analysis. The authentication requirement (PR:L) substantially limits attack surface compared to unauthenticated vulnerabilities.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62936 MEDIUM This Month

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Jthemes xSmart xsmart allows Code Injection.This issue affects xSmart: from n/a through <= 1.2.9.4.

XSS
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62958 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Clifton Griffin Simple Content Templates for Blog Posts &amp; Pages simple-post-template allows Cross Site Request Forgery.This issue affects Simple Content Templates for Blog Posts &amp; Pages: from n/a through <= 2.2.61.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62891 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Jory Hogeveen Off-Canvas Sidebars & Menus (Slidebars) off-canvas-sidebars allows Cross Site Request Forgery.This issue affects Off-Canvas Sidebars & Menus (Slidebars): from n/a through <= 0.5.8.5.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62890 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Premmerce Premmerce Brands for WooCommerce premmerce-woocommerce-brands allows Cross Site Request Forgery.This issue affects Premmerce Brands for WooCommerce: from n/a through <= 1.2.13.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62975 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in raychat Raychat raychat allows Cross Site Request Forgery.This issue affects Raychat: from n/a through <= 2.2.1.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-58918 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Waituk Entrada entrada allows Cross Site Request Forgery.This issue affects Entrada: from n/a through <= 5.7.7.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy