248 CVEs tracked today. 26 Critical, 142 High, 68 Medium, 2 Low.
-
CVE-2025-62016
CRITICAL
CVSS 9.9
Unrestricted Upload of File with Dangerous Type vulnerability in hogash Kallyas kallyas.22.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
File Upload
-
CVE-2025-60235
CRITICAL
CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Using Malicious Files.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
File Upload
-
CVE-2025-60195
CRITICAL
CVSS 9.8
Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Privilege Escalation.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Privilege Escalation
-
CVE-2025-52773
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiecor HieCOR Payment Gateway Plugin hcv4-payment-gateway allows SQL Injection.5.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQLi
-
CVE-2025-48089
CRITICAL
CVSS 9.3
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme | HiStudy histudy allows SQL Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
SQLi
-
CVE-2025-47588
CRITICAL
CVSS 9.1
Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
RCE
Code Injection
-
CVE-2025-32222
CRITICAL
CVSS 9.9
Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Code Injection
-
CVE-2025-27918
CRITICAL
CVSS 9.8
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Windows
Buffer Overflow
Google
Integer Overflow
Apple
-
CVE-2025-62065
CRITICAL
CVSS 9.9
Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor.6.5. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
File Upload
-
CVE-2025-62064
CRITICAL
CVSS 9.8
Authentication Bypass Using an Alternate Path or Channel vulnerability in Elated-Themes Search & Go search-and-go allows Password Recovery Exploitation.7. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62047
CRITICAL
CVSS 9.9
Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons.3.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
File Upload
-
CVE-2025-60245
CRITICAL
CVSS 9.8
Deserialization of Untrusted Data vulnerability in WP User Manager WP User Manager wp-user-manager allows Object Injection.9.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-60243
CRITICAL
CVSS 9.8
Incorrect Privilege Assignment vulnerability in Holest Engineering Selling Commander for WooCommerce selling-commander-connector allows Privilege Escalation.2.46. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
Privilege Escalation
-
CVE-2025-60207
CRITICAL
CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in Addify Custom User Registration Fields for WooCommerce user-registration-plugin-for-woocommerce allows Upload a Web Shell to a Web. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
File Upload
-
CVE-2025-58998
CRITICAL
CVSS 9.8
Deserialization of Untrusted Data vulnerability in Cristián Lávaque s2Member s2member allows Object Injection. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-58996
CRITICAL
CVSS 9.1
Unrestricted Upload of File with Dangerous Type vulnerability in Helmut Wandl Advanced Settings advanced-settings allows Upload a Web Shell to a Web Server.1.1. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
File Upload
-
CVE-2025-58636
CRITICAL
CVSS 9.8
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Keap/Infusionsoft gf-infusionsoft allows Object Injection.2.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-58627
CRITICAL
CVSS 9.8
Authorization Bypass Through User-Controlled Key vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Exploiting Incorrectly Configured Access Control Security Levels.0.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-53283
CRITICAL
CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in borisolhor Drop Uploader for CF7 - Drag&Drop File Uploader Addon drop-uploader-for-contact-form-7-dragdrop-file-uploader-addon allows. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
File Upload
-
CVE-2025-53242
CRITICAL
CVSS 9.8
Deserialization of Untrusted Data vulnerability in VictorThemes Seil seil allows Object Injection.7.1. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-49393
CRITICAL
CVSS 9.8
Deserialization of Untrusted Data vulnerability in Fetch Designs Sign-up Sheets sign-up-sheets allows Object Injection.3.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-49372
CRITICAL
CVSS 10.0
Improper Control of Generation of Code ('Code Injection') vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Remote Code Inclusion.0.7. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Code Injection
-
CVE-2025-12488
CRITICAL
CVSS 9.8
oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
-
CVE-2025-12487
CRITICAL
CVSS 9.8
oobabooga text-generation-webui trust_remote_code Reliance on Untrusted Inputs Remote Code Execution Vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
-
CVE-2025-6327
CRITICAL
CVSS 10.0
Unrestricted Upload of File with Dangerous Type vulnerability in KingAddons.com King Addons for Elementor king-addons allows Upload a Web Shell to a Web Server.1.36. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
File Upload
-
CVE-2025-6325
CRITICAL
CVSS 9.8
Incorrect Privilege Assignment vulnerability in KingAddons.com King Addons for Elementor king-addons allows Privilege Escalation.1.36. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Privilege Escalation
-
CVE-2025-64287
HIGH
CVSS 8.1
Local file inclusion in Alloggio - Hotel Booking WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute code by manipulating PHP include/require statements. The vulnerability stems from improper filename validation in file inclusion operations, enabling attackers to traverse directories and access sensitive files or configuration data. Exploitation probability is low (EPSS 0.07%, 22nd percentile) with no confirmed active exploitation or public proof-of-concept at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-64232
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icopydoc Import from YML import-from-yml allows Reflected XSS.1.17. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-64224
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference Theme Custom Post Type grandconference-custom-post allows Reflected. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
Grand Conference
-
CVE-2025-64198
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in appscreo Easy Social Share Buttons easy-social-share-buttons3 allows Reflected XSS.7.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-64196
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pluggabl Booster for WooCommerce woocommerce-jetpack allows Reflected XSS.2.5. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
XSS
Booster For Woocommerce
-
CVE-2025-64178
HIGH
CVSS 8.9
Jellysweep is a cleanup tool for the Jellyfin media server. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SSRF
-
CVE-2025-64173
HIGH
CVSS 7.5
Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-64171
HIGH
CVSS 8.7
MARIN3R is a lightweight, CRD-based Envoy control plane for Kubernetes. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Kubernetes
Red Hat
-
CVE-2025-64164
HIGH
CVSS 8.9
DataEase is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Java
Deserialization
Oracle
Dataease
-
CVE-2025-64163
HIGH
CVSS 8.9
DataEase is an open source data visualization analysis tool. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SSRF
Dataease
-
CVE-2025-63589
HIGH
CVSS 7.1
A reflected XSS vulnerability exists in CMSimple_XH 1.8's index.php router when attacker-controlled path segments are not sanitized or encoded before being inserted into the generated HTML. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
PHP
XSS
Cmsimple Xh
-
CVE-2025-63588
HIGH
CVSS 7.1
An unauthenticated reflected cross-site scripting vulnerability in the query handling of CMSimpleXH allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via a. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Cmsimple Xh
-
CVE-2025-63560
HIGH
CVSS 7.5
An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Denial Of Service
E3 Firmware
-
CVE-2025-63551
HIGH
CVSS 7.5
A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) through 8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SSRF
XXE
Metinfo
-
CVE-2025-63307
HIGH
CVSS 8.1
alexusmai laravel-file-manager 3.3.1 is vulnerable to Cross Site Scripting (XSS). Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
XSS
Laravel File Manager
-
CVE-2025-62630
HIGH
CVSS 8.7
Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
Path Traversal
Deviceon Iedge
-
CVE-2025-62596
HIGH
CVSS 7.3
Youki is a container runtime written in Rust. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
Information Disclosure
Youki
-
CVE-2025-62161
HIGH
CVSS 7.3
Youki is a container runtime written in Rust. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.
Information Disclosure
Youki
-
CVE-2025-62076
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ido Kobelkowsky Simple Payment simple-payment.4.6. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62075
HIGH
CVSS 7.5
Local File Inclusion (LFI) in Simple Payment WordPress plugin versions ≤2.4.6 allows remote attackers to include and execute arbitrary local files via PHP file inclusion flaws. Attack requires high complexity (AC:H) and user interaction (UI:R), suggesting exploitation depends on specific conditions like attacker-controllable parameters combined with victim action. EPSS score of 0.04% (13th percentile) indicates low observed exploitation probability in the wild. No CISA KEV listing or public exploit code identified at time of analysis, limiting immediate threat surface despite 7.5 CVSS score.
PHP
Information Disclosure
LFI
-
CVE-2025-62074
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Amauri WPMobile.App wpappninja.App: from n/a through <= 11.71. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62067
HIGH
CVSS 8.1
Remote file inclusion in Elated-Themes Savory WordPress theme through version 2.5 allows network-based attackers to execute arbitrary PHP code by manipulating file inclusion statements. Despite a CVSS score of 8.1, real-world exploitation risk appears low with an EPSS probability of 0.03% (8th percentile) and no evidence of active exploitation or public proof-of-concept code. The vulnerability classification as CWE-98 combined with conflicting tags (both RFI and LFI referenced) requires clarification; the attack complexity rating of High (AC:H) suggests non-trivial prerequisites for successful exploitation despite the network attack vector.
PHP
Information Disclosure
LFI
-
CVE-2025-62066
HIGH
CVSS 7.5
Local file inclusion in Revolution theme versions before 2.5.8 allows authenticated attackers with low privileges to include and execute arbitrary PHP files on the server via manipulated file paths. The vulnerability exploits improper validation of file inclusion parameters, enabling remote code execution when combined with file upload or log poisoning. EPSS score of 0.05% suggests low probability of mass exploitation, and no public POC or active exploitation (non-KEV) is confirmed at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-62059
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Brainstorm Force SureRank surerank.3.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62057
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Houzez Theme - Functionality houzez-theme-functionality.2.0. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62055
HIGH
CVSS 8.1
Local file inclusion in WordPress Academist theme versions prior to 1.3 enables remote attackers to include arbitrary PHP files from the server filesystem, leading to potential information disclosure, code execution, and full site compromise. The vulnerability stems from improper filename validation in PHP include/require statements. Despite a CVSS score of 8.1, the EPSS probability is only 0.05% (16th percentile), suggesting attackers have not widely adopted this technique, though the attack complexity is rated high. No confirmed active exploitation or public exploit code identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-62053
HIGH
CVSS 8.1
Local file inclusion in Houzez WordPress theme versions before 4.2.0 allows remote unauthenticated attackers to include and execute arbitrary PHP files through improper filename control in include/require statements. The vulnerability carries high CVSS severity (8.1) due to potential for remote code execution, though EPSS probability remains low (0.06%, 20th percentile) indicating limited observed exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-62045
HIGH
CVSS 8.1
Local file inclusion in TheGem Theme Elements (for WPBakery) plugin versions ≤5.10.5.1 allows remote attackers to include and execute arbitrary PHP files without authentication. Despite the high CVSS 8.1 score and network attack vector, the 'AC:H' (high complexity) rating and extremely low EPSS (0.05%, 16th percentile) indicate this requires specific conditions to exploit. No active exploitation has been confirmed - CISA KEV does not list this vulnerability, and EPSS data suggests minimal real-world targeting. The vulnerability stems from improper validation of file paths in PHP include/require statements (CWE-98), a common WordPress plugin weakness.
PHP
Information Disclosure
LFI
-
CVE-2025-62041
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.10.5.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62040
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in YOP YOP Poll yop-poll.5.37. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62039
HIGH
CVSS 7.5
Insertion of Sensitive Information Into Sent Data vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Retrieve Embedded Sensitive Data.6.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-62036
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62035
HIGH
CVSS 8.8
Deserialization of Untrusted Data vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-62034
HIGH
CVSS 8.8
Incorrect Privilege Assignment vulnerability in uxper Togo togo.0.4. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-62031
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.4.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62014
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme ITok itok.1.42. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-62010
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Famita famita allows PHP Local File Inclusion.54. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-60541
HIGH
CVSS 7.3
A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SSRF
Prompt Optimizer
-
CVE-2025-60248
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPClever WPC Product Options for WooCommerce wpc-product-options allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60244
HIGH
CVSS 7.1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.0.4.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60242
HIGH
CVSS 7.5
Path traversal in Download Counter WordPress plugin through version 1.4 allows unauthenticated remote attackers to read arbitrary files from the web server. The vulnerability enables confidentiality breach through directory traversal sequences. EPSS score of 0.09% indicates low observed exploitation probability. No active exploitation confirmed via CISA KEV, though Patchstack database listing suggests security researcher awareness and potential for weaponization.
Path Traversal
-
CVE-2025-60241
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Premmerce Premmerce premmerce allows PHP Local File Inclusion.3.19. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-60240
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Alexander AnyComment anycomment allows PHP Local File Inclusion.3.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-60239
HIGH
CVSS 8.5
Blind SQL injection in CoSchool LMS WordPress plugin through version 1.4.3 allows authenticated attackers with low-level privileges to extract sensitive database contents and potentially cause service disruption. The vulnerability is exploitable remotely with low attack complexity and enables scope escalation beyond the plugin's intended permissions. Currently showing low exploitation probability (EPSS 6th percentile), with no confirmed active exploitation or public exploit code.
SQLi
-
CVE-2025-60204
HIGH
CVSS 7.5
Local file inclusion in WooCommerce Store Toolkit plugin versions up to 2.4.3 allows network-based attackers to read arbitrary files from the WordPress server via improper filename control in PHP include/require statements. Despite network-based attack vector (AV:N), the vulnerability requires high attack complexity and user interaction (AC:H/UI:R), limiting exploitation scenarios. EPSS score of 0.08% (23rd percentile) suggests low likelihood of widespread exploitation in the wild. No CISA KEV listing or public POC identified at time of analysis, though Patchstack has documented the vulnerability.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60203
HIGH
CVSS 7.5
Local file inclusion in Store Exporter (WooCommerce plugin) through version 2.7.6 allows remote attackers with user interaction to read arbitrary files and potentially execute code via PHP file inclusion. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction, with an EPSS probability of only 0.08% (23rd percentile), indicating limited real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60202
HIGH
CVSS 7.5
Local File Inclusion in WordPress Favorites plugin versions through 2.3.6 enables network-based attackers to read arbitrary files from the server's filesystem through crafted PHP include statements. Despite the CWE-98 classification suggesting remote file inclusion, the vulnerability title and tags confirm this is actually an LFI attack requiring user interaction (UI:R) and high attack complexity (AC:H). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-60201
HIGH
CVSS 7.5
Local File Inclusion in WP Customer Area plugin version 8.2.7 and earlier allows remote attackers to read arbitrary files on the server through improper validation of file paths in PHP include/require statements. The attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting widespread exploitation. EPSS score of 0.08% indicates low observed exploitation probability. No active exploitation confirmed in CISA KEV, though Patchstack has cataloged this vulnerability in their WordPress security database.
PHP
Information Disclosure
LFI
-
CVE-2025-60200
HIGH
CVSS 7.5
Local file inclusion (LFI) in LearnPress Export Import plugin ≤4.0.9 allows remote attackers to read arbitrary files on the server through manipulated PHP include/require statements. Despite CVSS 7.5 severity, real-world risk appears moderate: attack complexity is HIGH (AC:H), requires user interaction (UI:R), and EPSS probability is low (0.08%, 23rd percentile). No active exploitation confirmed and no CISA KEV listing. Patchstack database documents this as an information disclosure vector via LFI, suggesting attackers can access sensitive configuration files, credentials, or application source code.
PHP
Information Disclosure
LFI
-
CVE-2025-60199
HIGH
CVSS 8.1
Local file inclusion in InHype WordPress Theme versions up to 1.5.2 allows remote attackers to read arbitrary server files and potentially execute PHP code without authentication. Despite a high CVSS score of 8.1, the vulnerability has a low EPSS score (0.08%, 23rd percentile) and requires high attack complexity (AC:H), suggesting exploitation requires specific conditions or configuration knowledge. No active exploitation confirmed via CISA KEV, but Patchstack audit team has documented the vulnerability, increasing likelihood of public awareness and attempted exploitation.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60198
HIGH
CVSS 8.1
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60197
HIGH
CVSS 8.1
Local File Inclusion in Simple Contact Forms WordPress plugin (versions ≤1.6.4) allows remote unauthenticated attackers to include arbitrary PHP files from the server's local filesystem via improper filename validation in include/require statements. CVSS rates this 8.1 (High) with high attack complexity (AC:H), but EPSS indicates only 0.08% exploitation probability (23rd percentile), suggesting low real-world targeting. Patchstack classified this as an LFI vulnerability with information disclosure potential, though successful exploitation could escalate to code execution if combined with file upload or log poisoning techniques.
PHP
Information Disclosure
LFI
-
CVE-2025-60196
HIGH
CVSS 7.5
Local file inclusion in Clearblue Ovulation Calculator WordPress plugin versions through 1.2.4 allows remote attackers to read arbitrary files from the webserver. Despite the CWE-98 classification suggesting remote file inclusion, available intelligence confirms this is an LFI vulnerability requiring user interaction and high attack complexity (CVSS AC:H/UI:R). No active exploitation confirmed via CISA KEV. EPSS score of 0.22% indicates low probability of widespread exploitation attempts, though a Patchstack database entry suggests security researchers have documented the flaw.
PHP
Information Disclosure
LFI
-
CVE-2025-60194
HIGH
CVSS 7.5
Local file inclusion in Premmerce Product Search for WooCommerce plugin versions ≤2.2.4 enables remote attackers to read arbitrary files on the server through improper filename control in PHP include/require statements. Exploitation requires high attack complexity and user interaction (AV:N/AC:H/UI:R), suggesting social engineering or specific application state needed to trigger the vulnerability. No active exploitation confirmed (EPSS 0.07%, not in CISA KEV), but represents significant risk for WordPress/WooCommerce sites running this plugin given potential exposure of sensitive configuration files, database credentials, and user data.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60193
HIGH
CVSS 7.5
Local file inclusion in Premmerce User Roles WordPress plugin ≤1.0.13 allows remote attackers to read arbitrary files and potentially execute code via improper validation of include/require file paths. Attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitation. EPSS score of 0.07% (22nd percentile) indicates very low observed exploitation probability in the wild. No CISA KEV listing or public POC identified. Patchstack security audit disclosed this vulnerability, affecting all versions up to 1.0.13.
PHP
Information Disclosure
LFI
-
CVE-2025-60192
HIGH
CVSS 7.5
Local File Inclusion in Premmerce Wholesale Pricing for WooCommerce plugin (versions ≤1.1.10) allows remote attackers to read arbitrary files and potentially execute PHP code through improper filename validation. Despite the CVSS 7.5 score, real-world risk is moderate: attack complexity is high (AC:H) and requires user interaction (UI:R), limiting opportunistic exploitation. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation. No active exploitation confirmed (not in CISA KEV) and public exploit code has not been identified at time of analysis.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60191
HIGH
CVSS 7.5
Local file inclusion in Premmerce Wishlist for WooCommerce plugin ≤1.1.10 enables network attackers to read arbitrary PHP files and potentially execute code through crafted include/require statements. The vulnerability requires high attack complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitability. EPSS score of 0.07% (22nd percentile) indicates low likelihood of mass exploitation, and no active exploitation is documented in CISA KEV. Patchstack has documented this vulnerability, suggesting security researcher disclosure rather than in-the-wild discovery.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60190
HIGH
CVSS 8.1
Local File Inclusion in Immocaster WordPress Plugin versions through 1.3.6 enables remote attackers to read arbitrary files on the server or potentially execute code by manipulating file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates only 0.08% exploitation probability (23rd percentile), suggesting limited active targeting. No active exploitation confirmed by CISA KEV, though Patchstack's disclosure indicates researcher awareness. Attack complexity is rated High (AC:H), requiring specific server configurations or precise timing to exploit successfully.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60189
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
WordPress
Information Disclosure
LFI
-
CVE-2025-60188
HIGH
CVSS 7.5
Sensitive data exposure in Atarim WordPress plugin versions ≤4.2 allows remote unauthenticated attackers to retrieve embedded confidential information through network requests. Publicly available exploit code exists. EPSS score of 5.50% (90th percentile) indicates elevated real-world exploitation likelihood compared to most vulnerabilities, though CISA KEV does not yet list active exploitation. The CVSS vector shows network-accessible information disclosure requiring no authentication or user interaction, making this a high-priority remediation target for sites running affected versions.
Information Disclosure
-
CVE-2025-60074
HIGH
CVSS 7.5
Local file inclusion (LFI) in Lazy Load Optimizer WordPress plugin (versions through 1.4.7) allows remote unauthenticated attackers to read arbitrary files from the web server through improper PHP include/require statement handling. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction (AV:N/AC:H/PR:N/UI:R), limiting practical weaponization. EPSS score of 0.07% (22nd percentile) indicates very low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, and no public exploit code identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-60073
HIGH
CVSS 7.5
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Processby Responsive Sidebar responsive-sidebar allows PHP Local File. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
PHP
Information Disclosure
LFI
-
CVE-2025-59556
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup GoStore gostore allows Reflected XSS.6.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-59171
HIGH
CVSS 8.7
Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Path Traversal
Deviceon Iedge
-
CVE-2025-58995
HIGH
CVSS 8.1
Local File Inclusion (LFI) in Leblix WordPress theme versions up to 2.4 allows remote unauthenticated attackers to include and execute arbitrary local files through improper filename control in PHP include/require statements. Despite the network attack vector (AV:N), exploitation requires high complexity conditions (AC:H), potentially involving specific configuration states or input validation bypasses. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability in the wild, and the absence of a CISA KEV listing suggests this remains a theoretical rather than actively exploited vulnerability. The vulnerability permits information disclosure through file content exposure and potentially code execution if attackers can chain LFI with other weaknesses like log poisoning or PHP wrapper abuse.
PHP
Information Disclosure
LFI
-
CVE-2025-58994
HIGH
CVSS 8.1
Local file inclusion vulnerability in Greenify WordPress theme (versions through 2.2) enables remote attackers to read arbitrary files from the web server filesystem, potentially exposing sensitive configuration files, credentials, and application source code. Exploitation requires specific conditions despite the network attack vector, reflected in the high attack complexity (AC:H) rating. EPSS score of 0.08% (23rd percentile) suggests low probability of mass exploitation, and no active exploitation has been confirmed via CISA KEV, though Patchstack has documented the vulnerability details.
PHP
Information Disclosure
LFI
-
CVE-2025-58972
HIGH
CVSS 7.2
Path Traversal: '.../...//' vulnerability in Dmitry V. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
-
CVE-2025-58964
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Enzy enzy allows Reflected XSS.6.4. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58638
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Institutions Directory institutions-directory allows Reflected XSS.3.3. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-58629
HIGH
CVSS 7.5
Remote unauthenticated attackers can cause high-impact availability disruption in the Miraculous WordPress theme through arbitrary content deletion. The vulnerability allows exploitation of misconfigured access control in versions before 2.0.9, requiring no authentication or user interaction. EPSS score of 0.06% (18th percentile) indicates very low observed exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Despite CVSS 7.5 severity, the purely availability-focused impact (C:N/I:N/A:H) suggests this is a denial-of-service vector rather than a data breach risk.
Authentication Bypass
-
CVE-2025-58619
HIGH
CVSS 8.8
Deserialization of Untrusted Data vulnerability in sbouey Falang multilanguage falang allows Object Injection.3.65. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-58592
HIGH
CVSS 8.1
Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection.10.2. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Deserialization
-
CVE-2025-58423
HIGH
CVSS 8.7
Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to cause a denial-of-service condition, traverse directories, or read/write files, within the context. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
Deviceon Iedge
-
CVE-2025-58207
HIGH
CVSS 8.2
Unauthenticated attackers can modify WordPress media library image alt text and potentially disrupt site availability through broken access control in Ai Image Alt Text Generator for WP plugin versions up to 1.1.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation without authentication, though the low 0.06% EPSS score (17th percentile) suggests minimal observed exploitation activity. Patchstack reported this as an authentication bypass vulnerability allowing unauthorized manipulation of image metadata.
Authentication Bypass
-
CVE-2025-54737
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.7.8. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-54722
HIGH
CVSS 7.1
Reflected Cross-Site Scripting (XSS) in WooTour plugin for WordPress versions up to 3.6.3 allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers by tricking users into clicking crafted links. The vulnerability stems from improper neutralization of user input during web page generation. EPSS score of 0.08% indicates low likelihood of mass exploitation, and no active exploitation has been reported by CISA KEV at time of analysis.
XSS
-
CVE-2025-54721
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Resca resca allows Reflected XSS.0.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-54719
HIGH
CVSS 8.8
Deserialization of Untrusted Data vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Object Injection.9.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-54718
HIGH
CVSS 7.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in NooTheme Yogi - Health Beauty & Yoga noo-yogi allows Reflected XSS.9.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-54711
HIGH
CVSS 7.1
Broken access control in Info Cards WordPress plugin 1.0.11 and earlier allows authenticated users to access administrative functions without proper authorization checks. Authenticated low-privilege users can exploit missing ACLs to perform unauthorized modifications or cause denial of service conditions. Reported by Patchstack audit team with authentication bypass classification. EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
Authentication Bypass
-
CVE-2025-53586
HIGH
CVSS 8.8
PHP object injection in NooTheme WeMusic WordPress theme version ≤1.9.1 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic through unsafe deserialization of untrusted data. Reported by Patchstack audit team. EPSS exploitation probability is low (0.10%, 27th percentile), indicating limited observed attacker interest despite the high CVSS 8.8 rating. No active exploitation confirmed by CISA KEV at time of analysis.
Deserialization
-
CVE-2025-53585
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in the WeMusic WordPress theme versions up to 1.9.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers when they visit a specially crafted URL. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering such as phishing emails or malicious links. With EPSS exploitation probability of only 0.07% (20th percentile) and no CISA KEV listing, this represents a moderate theoretical risk but limited observed exploitation activity. Patchstack's reporting suggests responsible disclosure, though patch availability has not been independently confirmed.
XSS
-
CVE-2025-53574
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Doliconnect WordPress plugin versions up to 9.3.2 allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious links. The vulnerability requires user interaction (clicking a crafted link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of the victim's WordPress session. EPSS score of 0.05% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
XSS
-
CVE-2025-53573
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Epic Review WordPress plugin through version 1.0.2 allows remote attackers to execute malicious JavaScript in victim browsers when users click specially crafted links. The vulnerability stems from improper neutralization of user input during HTML generation. EPSS exploitation probability is low (0.07%, 21st percentile) with no public exploit code or active exploitation confirmed at time of analysis. WordPress site administrators should upgrade immediately as the network attack vector (AV:N) and changed scope (S:C) enable attacks across site boundaries.
XSS
-
CVE-2025-53349
HIGH
CVSS 7.1
Reflected cross-site scripting (XSS) in Kalium WordPress theme versions through 3.18.3 enables remote attackers to inject malicious scripts into web pages viewed by victims. Exploitation requires user interaction (clicking a crafted link) but no authentication, with changed scope indicating potential session hijacking or actions on behalf of victims across the theme's context. EPSS score of 0.05% (17th percentile) suggests low observed exploitation activity. No active exploitation confirmed via CISA KEV or public exploit code at time of analysis.
XSS
-
CVE-2025-53324
HIGH
CVSS 7.1
Stored cross-site scripting (XSS) in Gutenify WordPress plugin versions through 1.5.7 allows remote attackers to inject malicious scripts into site content. Once exploited, the flaw lets attackers execute arbitrary JavaScript in victim browsers when authenticated administrators or editors view the compromised content. EPSS exploitation probability is minimal (0.02%, 6th percentile), and no active exploitation or public POC is confirmed. While CVSS assigns high (7.1) severity due to changed scope, real-world risk is moderate given the requirement for user interaction and the narrow attack surface of a WordPress block editor plugin.
XSS
-
CVE-2025-53316
HIGH
CVSS 7.1
Stored cross-site scripting in WP GDPR Cookie Consent plugin versions up to 1.0.0 can be triggered via cross-site request forgery (CSRF) attack, allowing remote attackers to inject malicious JavaScript into the WordPress site without authentication but requiring victim administrator interaction. The chained CSRF-to-XSS vulnerability enables attackers to execute JavaScript in administrator contexts, potentially leading to site takeover. EPSS probability is low (0.03%), no public exploit confirmed, and no known active exploitation at time of analysis.
XSS
CSRF
-
CVE-2025-53286
HIGH
CVSS 7.1
Reflected cross-site scripting in Dropify wc-dropi-integration plugin (WordPress) through version 4.6.9 allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. Attack requires user interaction (victim must click malicious link) but no authentication, enabling phishing campaigns and session hijacking. EPSS score of 0.05% (17th percentile) indicates low widespread exploitation probability, with no CISA KEV listing or public proof-of-concept identified at time of analysis.
XSS
-
CVE-2025-53252
HIGH
CVSS 7.5
Local File Inclusion vulnerability in Zegen WordPress theme versions up to 1.1.9 allows authenticated remote attackers with low privileges to read arbitrary files on the server. Exploitation requires high attack complexity (AC:H), suggesting specific configuration or timing conditions must be met. EPSS score of 0.22% (45th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-53245
HIGH
CVSS 7.1
Stored cross-site scripting (XSS) in WP Logo Changer WordPress plugin versions 1.2 and earlier allows remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exploits improper input sanitization during web page generation, enabling attackers to inject persistent malicious code. EPSS indicates 0.05% exploitation probability (16th percentile), suggesting low opportunistic targeting risk. No active exploitation confirmed via CISA KEV at time of analysis.
XSS
-
CVE-2025-53239
HIGH
CVSS 7.1
Reflected cross-site scripting in User Registration Aide WordPress plugin versions through 1.5.3.8 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs. Users must click a malicious link to trigger the attack. EPSS score of 0.05% (17th percentile) indicates very low probability of exploitation in the wild, and no active exploitation or public exploits are confirmed. Patchstack security team identified this flaw, which carries CVSS 7.1 with changed scope, meaning successful exploitation impacts resources beyond the vulnerable component.
XSS
-
CVE-2025-52881
HIGH
CVSS 7.3
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity. Public exploit code available.
Information Disclosure
Docker
Red Hat
Suse
Runc
-
CVE-2025-52764
HIGH
CVSS 7.1
Reflected cross-site scripting in flexoslider WordPress plugin versions through 1.0004 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers when targets click a malicious link. Successful exploitation requires user interaction but no authentication. The vulnerability has a low EPSS score (0.05%, 17th percentile) indicating minimal observed exploitation activity in the wild, though the scope change in CVSS indicates potential for impact beyond the vulnerable component.
XSS
-
CVE-2025-52565
HIGH
CVSS 8.4
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4), this vulnerability requires no authentication and has low attack complexity. Public exploit code available.
Denial Of Service
Red Hat
Suse
Runc
-
CVE-2025-49909
HIGH
CVSS 7.1
Reflected cross-site scripting in Penci Bookmark & Follow WordPress plugin (versions before 2.4) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction but no authentication, enabling attackers to steal session tokens, perform actions as the victim, or deliver phishing content. EPSS score of 0.02% (6th percentile) indicates low observed exploitation activity, with no CISA KEV listing or public exploit code identified at time of analysis.
XSS
-
CVE-2025-49905
HIGH
CVSS 7.1
Reflected cross-site scripting in Range Slider Addon for Gravity Forms (versions ≤1.1.6) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication. EPSS probability is low (0.05%, 17th percentile), and no active exploitation or public POC has been identified. This is a WordPress plugin affecting sites using Gravity Forms with the range slider extension.
XSS
-
CVE-2025-49904
HIGH
CVSS 7.1
Reflected cross-site scripting in Booking and Rental Manager for WooCommerce (versions 2.5.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts into web page responses via user-supplied input. Successful exploitation requires victim interaction with a crafted link. EPSS score of 0.05% (17th percentile) suggests minimal current exploitation activity, and no CISA KEV listing or public exploit code has been identified. Changed scope (S:C) elevates risk beyond typical reflected XSS by enabling potential cross-domain attacks or WooCommerce session hijacking.
WordPress
XSS
-
CVE-2025-49900
HIGH
CVSS 8.8
Incorrect Privilege Assignment vulnerability in bPlugins Advanced scrollbar advanced-scrollbar allows Privilege Escalation.1.8. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privilege Escalation
-
CVE-2025-49394
HIGH
CVSS 7.1
Broken access control in WordPress Image Gallery block plugin (bPlugins 3d-image-gallery) versions ≤1.0.7 allows authenticated low-privilege users to bypass authorization checks and access administrative functions, enabling unauthorized modification of gallery settings (low integrity impact) or triggering denial of service conditions (high availability impact). Reported by Patchstack with 0.07% EPSS score, indicating minimal active exploitation probability. No active exploitation confirmed via CISA KEV.
Authentication Bypass
-
CVE-2025-49390
HIGH
CVSS 7.1
Stored cross-site scripting in Cookie Notice & Consent plugin (versions ≤1.6.4) allows remote attackers to inject malicious JavaScript that executes in victim browsers. Exploitation requires user interaction to trigger the stored payload. EPSS score of 0.05% (16th percentile) suggests low probability of mass exploitation, though stored XSS often enables account takeover and privilege escalation in WordPress environments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
XSS
-
CVE-2025-49386
HIGH
CVSS 8.8
PHP object injection in WordPress plugin Preserve Code Formatting 4.0.1 and earlier enables authenticated attackers to execute arbitrary code or manipulate application state. Remote attackers with low-privilege WordPress accounts (Contributor-level or above) can inject malicious serialized objects through unsafe deserialization, achieving high impact to confidentiality, integrity, and availability. EPSS score of 0.10% indicates minimal widespread exploitation activity, though the vulnerability requires only low-complexity exploitation with no user interaction once authenticated access is obtained.
Deserialization
-
CVE-2025-48330
HIGH
CVSS 7.5
Local file inclusion in Real Time Validation for Gravity Forms WordPress plugin (versions ≤1.7.0) enables remote attackers to read arbitrary files from the web server, potentially exposing sensitive configuration data, credentials, and source code. Despite the 7.5 CVSS score, real-world risk is moderate: the attack requires high complexity and user interaction (CVSS:AV:N/AC:H/UI:R), and EPSS probability is low at 0.14% (35th percentile). Patchstack vulnerability database confirms the flaw but no CISA KEV listing or public POC has been identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-48290
HIGH
CVSS 8.1
Local File Inclusion in Kinsley WordPress theme versions ≤3.4.4 enables remote attackers to read arbitrary server files and potentially execute code through improper filename control in PHP include/require statements. The vulnerability requires high attack complexity (AC:H) but needs no authentication (PR:N), allowing unauthenticated remote exploitation under specific conditions. EPSS score of 0.22% indicates low predicted exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-48090
HIGH
CVSS 8.1
Path traversal in Blanka WordPress theme versions before 1.5 enables unauthenticated remote attackers to include arbitrary PHP files from the server filesystem via malformed directory sequences ('.../...//'). Despite high CVSS 8.1, real-world exploitation requires specific server conditions (attack complexity high). EPSS score of 0.07% (20th percentile) indicates low observed exploitation likelihood. No CISA KEV listing or public POC identified at time of analysis, suggesting limited active targeting despite theoretical severity.
PHP
WordPress
Path Traversal
-
CVE-2025-48085
HIGH
CVSS 7.1
Cross-Site Request Forgery in Simple Stripe WordPress plugin versions through 0.9.17 enables attackers to execute stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into submitting malicious requests that inject persistent JavaScript code into the site. EPSS exploitation probability is extremely low at 0.02% (4th percentile), indicating minimal real-world targeting to date. No active exploitation confirmed by CISA KEV, though the CSRF-to-XSS chain represents a realistic threat to WordPress sites using this payment plugin.
XSS
CSRF
-
CVE-2025-48083
HIGH
CVSS 7.1
Cross-Site Request Forgery in WordPress wpNamedUsers plugin (versions ≤0.5) enables attackers to inject persistent malicious scripts by tricking authenticated administrators into submitting crafted requests. Patchstack identified this vulnerability chain where CSRF bypasses lack of request validation, allowing stored XSS payload injection into the WordPress database. With EPSS probability at 0.02% (4th percentile) and no CISA KEV listing, this represents a lower immediate exploitation risk despite the 7.1 CVSS score, though the changed scope (S:C) indicates potential cross-domain impact if exploited.
XSS
CSRF
-
CVE-2025-48078
HIGH
CVSS 7.1
Cross-Site Request Forgery in the Slick Google Map WordPress plugin version 0.3 and earlier enables stored XSS attacks. An attacker can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript into the site, achieving cross-site scripting with changed scope impact. EPSS exploitation probability is low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.
XSS
Google
CSRF
-
CVE-2025-48077
HIGH
CVSS 7.1
Cross-site request forgery (CSRF) in Block Country WordPress plugin versions up to 1.0 enables attackers to trick authenticated administrators into executing malicious requests that inject stored XSS payloads. This chained vulnerability allows unauthenticated remote attackers to achieve persistent code execution in victim browsers by combining CSRF with stored cross-site scripting, requiring only that an admin interact with a crafted link or page. EPSS probability is minimal (0.02%, 4th percentile) with no active exploitation identified, but the attack chain is straightforward given user interaction occurs.
XSS
CSRF
-
CVE-2025-39468
HIGH
CVSS 8.1
Remote file inclusion in Modal Survey WordPress plugin through version 2.0.2.0.1 allows unauthenticated attackers to include and execute arbitrary PHP files via manipulated include/require statements. Exploitation requires complex conditions (AC:H) but no authentication, potentially leading to complete site compromise. EPSS score of 0.14% (35th percentile) suggests low probability of mass exploitation. Patchstack security audit identified this vulnerability as exploitable for both remote file inclusion and local file inclusion.
PHP
Information Disclosure
LFI
-
CVE-2025-39467
HIGH
CVSS 8.1
Path traversal vulnerability in Wanderland WordPress theme versions ≤1.7.1 enables remote unauthenticated PHP local file inclusion through crafted '.../...//' patterns. Successful exploitation allows reading arbitrary PHP files on the server, potentially exposing database credentials, configuration secrets, or achieving remote code execution if writable paths exist. EPSS score of 0.05% (17th percentile) indicates relatively low probability of mass exploitation, and no evidence of active exploitation in CISA KEV. Attack complexity is rated High (AC:H), suggesting exploitation requires specific timing, configuration conditions, or race conditions despite the remote unauthenticated attack vector.
PHP
Path Traversal
-
CVE-2025-39466
HIGH
CVSS 8.1
Local file inclusion in Dør WordPress theme versions ≤2.4 allows remote attackers to read arbitrary files on the server and potentially achieve code execution through PHP wrapper manipulation. Despite the vulnerability title mentioning 'Remote File Inclusion', the CWE-98 classification and 'PHP Local File Inclusion' description indicate the actual vulnerability enables local file reads. Reported by Patchstack audit team with CVSS 8.1 severity, though EPSS probability of 0.14% (35th percentile) suggests limited observed exploitation activity. There is no CISA KEV listing, indicating no confirmed widespread active exploitation at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-39463
HIGH
CVSS 7.5
Local file inclusion in the Dessau WordPress theme (versions up to 1.8) enables authenticated attackers with low-level privileges to read arbitrary files from the server filesystem via manipulated file inclusion paths. With attack complexity rated high (AC:H), successful exploitation requires specific conditions but grants access to sensitive configuration files, credentials, and potentially enables further attacks including remote code execution if combined with log poisoning or file upload capabilities. EPSS exploitation probability is low (0.14%, 35th percentile) with no confirmed active exploitation or public proof-of-concept code identified at time of analysis.
PHP
Information Disclosure
LFI
-
CVE-2025-37735
HIGH
CVSS 7.0
Improper preservation of permissions in Elastic Defend on Windows hosts can lead to arbitrary files on the system being deleted by the Defend service running as SYSTEM. Rated high severity (CVSS 7.0). No vendor patch available.
Windows
Privilege Escalation
Microsoft
Elastic
-
CVE-2025-34242
HIGH
CVSS 8.6
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34240
HIGH
CVSS 8.6
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34239
HIGH
CVSS 8.6
Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Command Injection
Webaccess Vpn
-
CVE-2025-31133
HIGH
CVSS 7.3
runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity.
Denial Of Service
Information Disclosure
Red Hat
Suse
Runc
-
CVE-2025-31029
HIGH
CVSS 7.1
Stored cross-site scripting in the replyMail WordPress plugin (versions ≤1.2.0) enables remote attackers to inject malicious scripts that execute in victims' browsers when viewing compromised pages. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect resources beyond the vulnerable component's security scope, potentially compromising other WordPress users or administrators. EPSS score of 0.02% suggests low probability of mass exploitation, though the no-authentication requirement (PR:N) lowers the barrier for opportunistic attacks. Patchstack has documented this vulnerability but patch availability remains unconfirmed.
XSS
-
CVE-2025-28953
HIGH
CVSS 8.5
SQL injection in axiomthemes smartSEO WordPress theme versions up to 4.0 enables authenticated attackers to extract sensitive database information and potentially cause service disruption. Exploitation requires low-privilege authenticated access but can impact resources beyond the vulnerable component (scope change). EPSS score of 0.05% indicates low observed exploitation probability, with no CISA KEV listing or public POC identified at time of analysis.
SQLi
-
CVE-2025-27919
HIGH
CVSS 8.2
An issue was discovered in AnyDesk through 9.0.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Authentication Bypass
Anydesk
-
CVE-2025-27917
HIGH
CVSS 7.5
An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Windows
Denial Of Service
Deserialization
Google
Null Pointer Dereference
-
CVE-2025-27916
HIGH
CVSS 7.5
An issue was discovered in AnyDesk for Windows before 9.0.6 and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Windows
Authentication Bypass
Google
Microsoft
Android
-
CVE-2025-12790
HIGH
CVSS 7.4
A flaw was found in Rubygem MQTT. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Information Disclosure
Red Hat
-
CVE-2025-12636
HIGH
CVSS 7.1
The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-12556
HIGH
CVSS 8.7
An argument injection vulnerability exists in the affected product that could allow an attacker to execute arbitrary code within the context of the host machine. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
RCE
-
CVE-2025-12490
HIGH
CVSS 8.8
Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. EPSS exploitation probability 26.7% and no vendor patch available.
RCE
Path Traversal
-
CVE-2025-12489
HIGH
CVSS 7.8
evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability has low attack complexity. No vendor patch available.
Privilege Escalation
RCE
Command Injection
-
CVE-2025-12486
HIGH
CVSS 8.8
Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
RCE
-
CVE-2025-12485
HIGH
CVSS 8.8
Improper privilege management during pre-MFA cookie handling in Devolutions Server allows a low-privileged authenticated user to impersonate another account by replaying the pre-MFA cookie. This does. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Privilege Escalation
Devolutions Server
-
CVE-2025-12036
HIGH
CVSS 8.8
Out of bounds memory access in V8 in Google Chrome prior to 141.0.7390.122 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Chrome
Google
Red Hat
-
CVE-2025-11956
HIGH
CVSS 8.9
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-11756
HIGH
CVSS 8.8
Use after free in Safe Browsing in Google Chrome prior to 141.0.7390.107 allowed a remote attacker who had compromised the renderer process to potentially perform out of bounds memory access via a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Denial Of Service
Chrome
Google
Use After Free
Memory Corruption
-
CVE-2025-11460
HIGH
CVSS 8.8
Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
RCE
Denial Of Service
Chrome
Google
Use After Free
-
CVE-2025-11458
HIGH
CVSS 8.1
Heap buffer overflow in Sync in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Chrome
Google
Heap Overflow
Red Hat
-
CVE-2025-11211
HIGH
CVSS 7.5
Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Information Disclosure
Chrome
Google
Red Hat
-
CVE-2025-11209
HIGH
CVSS 8.2
Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Chrome
Google
Android
Suse
-
CVE-2025-11206
HIGH
CVSS 7.1
Heap buffer overflow in Video in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Chrome
Google
Heap Overflow
Red Hat
-
CVE-2025-11205
HIGH
CVSS 8.8
Heap buffer overflow in WebGPU in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Buffer Overflow
Chrome
Google
Heap Overflow
Red Hat
-
CVE-2025-10885
HIGH
CVSS 7.8
A maliciously crafted file, when executed on the victim's machine, can lead to privilege escalation to NT AUTHORITY/SYSTEM due to an insufficient validation of loaded binaries. Rated high severity (CVSS 7.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Privilege Escalation
Installer
-
CVE-2025-9338
HIGH
CVSS 7.3
An improper restriction of operations within the bounds of a memory buffer exists in the AsIO3.sys driver. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity. No vendor patch available.
Buffer Overflow
-
CVE-2024-25621
HIGH
CVSS 7.3
containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability has low attack complexity.
Information Disclosure
Red Hat
Suse
Containerd
-
CVE-2024-12125
HIGH
CVSS 7.5
A flaw was found in the 3scale Developer Portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Red Hat
-
CVE-2025-64327
MEDIUM
CVSS 5.3
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
SSRF
Thinkdashboard
-
CVE-2025-64302
MEDIUM
CVSS 5.3
Insufficient input sanitization in the dashboard label or path can allow an attacker to trigger a device error causing information disclosure or data manipulation. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Information Disclosure
Deviceon Iedge
-
CVE-2025-64179
MEDIUM
CVSS 5.3
lakeFS is an open-source tool that transforms object storage into Git-like repositories. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
Information Disclosure
-
CVE-2025-64177
MEDIUM
CVSS 5.4
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
XSS
Thinkdashboard
-
CVE-2025-64176
MEDIUM
CVSS 5.3
ThinkDashboard is a self-hosted bookmark dashboard built with Go and vanilla JavaScript. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
XSS
Thinkdashboard
-
CVE-2025-64174
MEDIUM
CVSS 4.6
Magento-lts is a long-term support alternative to Magento Community Edition (CE). Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
PHP
XSS
Adobe
Magento
-
CVE-2025-64114
MEDIUM
CVSS 6.5
ClipBucket v5 is an open source video sharing platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
SQLi
Clipbucket
-
CVE-2025-62950
MEDIUM
CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Cross Site Request Forgery.0.0. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
CSRF
-
CVE-2025-62914
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in anibalwainstein Effect Maker effect-maker allows Exploiting Incorrectly Configured Access Control Security Levels.2.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62051
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AndonDesign UDesign Core u-design-core.14.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62049
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.5.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62046
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in CodexThemes TheGem Demo Import (for WPBakery) thegem-importer.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62044
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements.10.5.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62038
MEDIUM
CVSS 6.5
Insertion of Sensitive Information Into Sent Data vulnerability in Sovlix MeetingHub meetinghub allows Retrieve Embedded Sensitive Data.23.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-62037
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in uxper Togo togo.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62033
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in uxper Togo togo.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62032
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Cloud Library td-cloud-library allows DOM-Based XSS.9.2. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62030
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer.4.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62028
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in ThemeNectar Salient salient.4.0. Rated medium severity (CVSS 4.3), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62018
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in hogash Kallyas kallyas.22.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62017
MEDIUM
CVSS 5.4
Missing Authorization vulnerability in hogash Kallyas kallyas.22.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-62012
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-62011
MEDIUM
CVSS 6.5
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem thegem.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-61994
MEDIUM
CVSS 4.8
Cross-site scripting vulnerability exists in GROWI prior to v7.2.10. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-60247
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Bux Bux Woocommerce bux-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.2.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
WordPress
Authentication Bypass
-
CVE-2025-60187
MEDIUM
CVSS 4.8
Unrestricted Upload of File with Dangerous Type vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Using Malicious Files.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
File Upload
-
CVE-2025-59392
MEDIUM
CVSS 6.8
On Elspec G5 devices through 1.2.2.19, a person with physical access to the device can reset the Admin password by inserting a USB drive (containing a publicly documented reset string) into a USB. Rated medium severity (CVSS 6.8), this vulnerability requires no authentication and has low attack complexity. No vendor patch available.
Information Disclosure
G5Dfr Firmware
-
CVE-2025-58986
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58595
MEDIUM
CVSS 5.3
Authentication Bypass by Spoofing vulnerability in Saad Iqbal All In One Login change-wp-admin-login allows Identity Spoofing.0.8. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-58243
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Jthemes imEvent imevent allows Accessing Functionality Not Properly Constrained by ACLs.4.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-53246
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in Gaurav Aggarwal Backup and Move backup-and-move allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-53214
MEDIUM
CVSS 6.5
Missing Authorization vulnerability in sertifier Sertifier Certificate & Badge Maker sertifier-certificates-open-badges allows Exploiting Incorrectly Configured Access Control Security Levels.21. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-49398
MEDIUM
CVSS 6.5
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.12.14. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-48086
MEDIUM
CVSS 5.5
Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization
-
CVE-2025-39465
MEDIUM
CVSS 4.3
Missing Authorization vulnerability in flippercode Advanced Google Maps wp-google-map-gold allows Exploiting Incorrectly Configured Access Control Security Levels.8.4. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Google
-
CVE-2025-36054
MEDIUM
CVSS 6.1
IBM Business Automation Workflow containers 24.0.0 through 24.0.0-IF006, 24.0.1 through 24.0.1-IF004, 25.0.0 through 25.0.0-IF001 and IBM Business Automation Workflow traditional with Process. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
XSS
IBM
Business Automation Workflow
Process Federation Server
-
CVE-2025-34247
MEDIUM
CVSS 5.1
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in NetworksController.addNetworkAction() that allows an authenticated low-privileged observer user to inject SQL. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34246
MEDIUM
CVSS 5.3
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxPrevalidationController.ajaxAction() that allows an authenticated low-privileged observer user to inject. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34245
MEDIUM
CVSS 5.3
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxStandaloneVpnClientsController.ajaxAction() that allows an authenticated low-privileged observer user to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34244
MEDIUM
CVSS 5.3
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxDeviceFwRulesAction() that allows an authenticated low-privileged observer user to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34243
MEDIUM
CVSS 5.3
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction() that allows an authenticated low-privileged observer user to. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34241
MEDIUM
CVSS 5.3
Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxDeviceController.ajaxDeviceAction() that allows an authenticated low-privileged observer user to inject. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQLi
Webaccess Vpn
-
CVE-2025-34238
MEDIUM
CVSS 6.9
Advantech WebAccess/VPN versions prior to 1.1.5 contain an absolute path traversal via AjaxStandaloneVpnClientsController.ajaxDownloadRoadWarriorConfigFileAction() that allows an authenticated. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Path Traversal
Webaccess Vpn
-
CVE-2025-34237
MEDIUM
CVSS 6.3
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via StandaloneVpnClientsController.addStandaloneVpnClientAction(). Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Webaccess Vpn
-
CVE-2025-34236
MEDIUM
CVSS 6.2
Advantech WebAccess/VPN versions prior to 1.1.5 contain a stored cross-site scripting (XSS) vulnerability via NetworksController.addNetworkAction(). Rated medium severity (CVSS 6.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
Webaccess Vpn
-
CVE-2025-33110
MEDIUM
CVSS 5.4
IBM OpenPages 9.1, and 9.0 with Watson is vulnerable to HTML injection. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
XSS
IBM
Openpages
-
CVE-2025-22397
MEDIUM
CVSS 6.7
Dell Integrated Dell Remote Access Controller 9, 14G versions prior to 7.00.00.181, 15G and 16G versions 6.10.80.00 through 7.20.10.50 and Dell Integrated Dell Remote Access Controller 10, 17G. Rated medium severity (CVSS 6.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Path Traversal
Dell
Idrac9 Firmware
Idrac10 Firmware
-
CVE-2025-22288
MEDIUM
CVSS 4.1
Path Traversal: '.../...//' vulnerability in WPMU DEV - Your All-in-One WordPress Platform Smush Image Compression and Optimization wp-smushit allows Path Traversal.17.0. Rated medium severity (CVSS 4.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
Path Traversal
-
CVE-2025-12815
MEDIUM
CVSS 5.3
An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-12808
MEDIUM
CVSS 6.5
Improper access control in Devolutions allows a View-only user to retrieve sensitive third-level nested fields, such as password lists custom values, resulting in password disclosure.3.2.0 through. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
Devolutions Server
-
CVE-2025-12563
MEDIUM
CVSS 4.3
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to limited file upload due to an incorrect capability check on the uploadVideo() function in all versions up to,. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
Authentication Bypass
File Upload
-
CVE-2025-12560
MEDIUM
CVSS 4.3
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 8.6.0 via the getFullContent() function. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
WordPress
SSRF
-
CVE-2025-12471
MEDIUM
CVSS 6.1
The Hubbub Lite - Fast, free social sharing and follow buttons plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'dpsp_list_attention_search' parameter in all versions up. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
XSS
-
CVE-2025-12360
MEDIUM
CVSS 4.3
The Better Find and Replace - AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
Authentication Bypass
-
CVE-2025-11271
MEDIUM
CVSS 5.3
The Easy Digital Downloads plugin for WordPress is vulnerable to Order Manipulation in all versions up to, and including, 3.5.2 due to an order verification bypass. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
Authentication Bypass
-
CVE-2025-11268
MEDIUM
CVSS 4.3
The Strong Testimonials plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.16. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
XSS
-
CVE-2025-11216
MEDIUM
CVSS 6.3
Inappropriate implementation in Storage in Google Chrome on Mac prior to 141.0.7390.54 allowed a remote attacker to perform domain spoofing via a crafted video file. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Chrome
Google
Suse
-
CVE-2025-11215
MEDIUM
CVSS 4.3
Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Chrome
Google
Red Hat
Suse
-
CVE-2025-11213
MEDIUM
CVSS 6.3
Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Chrome
Google
Android
Suse
-
CVE-2025-11212
MEDIUM
CVSS 6.3
Inappropriate implementation in Media in Google Chrome on Windows prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Windows
Information Disclosure
Chrome
Google
Microsoft
-
CVE-2025-11210
MEDIUM
CVSS 5.4
Side-channel information leakage in Tab in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Chrome
Google
Red Hat
Suse
-
CVE-2025-11208
MEDIUM
CVSS 6.3
Inappropriate implementation in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Chrome
Google
Red Hat
Suse
-
CVE-2025-11207
MEDIUM
CVSS 6.5
Side-channel information leakage in Storage in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform arbitrary read/write via a crafted HTML page. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
Chrome
Google
Red Hat
Suse
-
CVE-2025-10955
MEDIUM
CVSS 6.1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
XSS
-
CVE-2025-10691
MEDIUM
CVSS 4.3
The Easy Email Subscription plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
PHP
WordPress
CSRF
-
CVE-2025-10683
MEDIUM
CVSS 4.9
The Easy Email Subscription plugin for WordPress is vulnerable to SQL Injection via the 'uid' parameter in all versions up to, and including, 1.3 due to insufficient escaping on the user supplied. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
PHP
WordPress
SQLi
-
CVE-2025-10259
MEDIUM
CVSS 5.3
Improper Validation of Specified Quantity in Input vulnerability in TCP Communication Function on Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module allows a remote attacker to disconnect. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-5803
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in e4jvikwp VikBooking Hotel Booking Engine & PMS vikbooking.8.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Authentication Bypass
-
CVE-2025-64480
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64479
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64478
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64477
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64476
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64475
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64474
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64473
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64472
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-64326
LOW
CVSS 2.6
Weblate is a web-based localization tool. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
Information Disclosure
Weblate
-
CVE-2025-59396
None
Rejected reason: Not a security vulnerability. No vendor patch available.
Information Disclosure
-
CVE-2025-11219
LOW
CVSS 3.1
Use-after-free in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out-of-bounds memory access via a crafted HTML page. Rated low severity (CVSS 3.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Denial Of Service
Chrome
Google
Use After Free
Memory Corruption