Skip to main content
CVE-2025-60188 HIGH POC This Week

Sensitive data exposure in Atarim WordPress plugin versions ≤4.2 allows remote unauthenticated attackers to retrieve embedded confidential information through network requests. Publicly available exploit code exists. EPSS score of 5.50% (90th percentile) indicates elevated real-world exploitation likelihood compared to most vulnerabilities, though CISA KEV does not yet list active exploitation. The CVSS vector shows network-accessible information disclosure requiring no authentication or user interaction, making this a high-priority remediation target for sites running affected versions.

Information Disclosure
NVD GitHub Exploit-DB VulDB
CVSS 3.1
7.5
EPSS
5.5%
CVE-2025-52565 HIGH POC PATCH This Week

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 8.4), this vulnerability is no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Runc Red Hat Suse
NVD GitHub
CVSS 4.0
8.4
EPSS
0.0%
CVE-2022-50596 CRITICAL Act Now

D-Link DIR-1260 Wi-Fi router firmware versions up to and including v1.20B05 contain a command injection vulnerability within the web management interface that allows for unauthenticated attackers to. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 13.2% and no vendor patch available.

D-Link Command Injection Dir 1260 Firmware
NVD
CVSS 4.0
9.3
EPSS
13.2%
CVE-2025-63560 HIGH POC This Week

An issue in KiloView Dual Channel 4k HDMI & 3G-SDI HEVC Video Encoder Firmware v.1.20.0006 allows a remote attacker to cause a denial of service via the systemctrl API System/reFactory component. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service E3 Firmware
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2025-62039 HIGH POC This Week

Insertion of Sensitive Information Into Sent Data vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Retrieve Embedded Sensitive Data.6.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-52881 HIGH POC PATCH This Week

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. Public exploit code available.

Docker Information Disclosure Runc Red Hat Suse
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-31133 HIGH POC PATCH This Week

runc is a CLI tool for spawning and running containers according to the OCI specification. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Denial Of Service Information Disclosure Runc Red Hat Suse
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-60235 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in Plugify Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Using Malicious Files.1.0. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

File Upload WordPress
NVD
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-62016 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in hogash Kallyas kallyas.22.0. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

File Upload
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-32222 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in Widgetlogic.org Widget Logic widget-logic allows Code Injection.0.5. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-60195 CRITICAL Act Now

Incorrect Privilege Assignment vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Privilege Escalation.2. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2022-50593 CRITICAL Act Now

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Iview
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2022-50595 CRITICAL Act Now

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Iview
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2022-50592 CRITICAL Act Now

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Iview
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2022-50589 CRITICAL Act Now

SuiteCRM versions prior to 7.12.6 contain a SQL injection vulnerability within the processing of the ‘uid’ parameter within the ‘export’ functionality. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi RCE Suitecrm
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-52773 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hiecor HieCOR Payment Gateway Plugin hcv4-payment-gateway allows SQL Injection.5.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-48089 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Rainbow-Themes Education WordPress Theme | HiStudy histudy allows SQL Injection.1.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-47588 CRITICAL Act Now

Improper Control of Generation of Code ('Code Injection') vulnerability in acowebs Dynamic Pricing With Discount Rules for WooCommerce aco-woo-dynamic-pricing allows Code Injection.5.9. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

WordPress RCE Code Injection
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-11956 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Proliz Software Ltd. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS
NVD VulDB
CVSS 3.1
8.9
EPSS
0.1%
CVE-2022-50591 HIGH This Week

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Iview
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2022-50594 HIGH This Week

Advantech iView versions prior to v5.7.04 build 6425 contain a vulnerability within the SNMP management tool that allows for remote attackers to bypass authentication checks and reach a SQL injection. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Iview
NVD
CVSS 4.0
8.8
EPSS
0.2%
CVE-2025-53586 HIGH This Week

PHP object injection in NooTheme WeMusic WordPress theme version ≤1.9.1 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic through unsafe deserialization of untrusted data. Reported by Patchstack audit team. EPSS exploitation probability is low (0.10%, 27th percentile), indicating limited observed attacker interest despite the critical CVSS 8.8 rating. No active exploitation confirmed by CISA KEV at time of analysis.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-49386 HIGH This Week

PHP object injection in WordPress plugin Preserve Code Formatting 4.0.1 and earlier enables authenticated attackers to execute arbitrary code or manipulate application state. Remote attackers with low-privilege WordPress accounts (Contributor-level or above) can inject malicious serialized objects through unsafe deserialization, achieving high impact to confidentiality, integrity, and availability. EPSS score of 0.10% indicates minimal widespread exploitation activity, though the vulnerability requires only low-complexity exploitation with no user interaction once authenticated access is obtained.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2022-50590 HIGH This Week

SuiteCRM versions prior to 7.12.6 contain a type confusion vulnerability within the processing of the ‘module’ parameter within the ‘deleteAttachment’ functionality. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Information Disclosure Suitecrm
NVD
CVSS 4.0
8.8
EPSS
0.0%
CVE-2025-60239 HIGH This Week

Blind SQL injection in CoSchool LMS WordPress plugin through version 1.4.3 allows authenticated attackers with low-level privileges to extract sensitive database contents and potentially cause service disruption. The vulnerability is exploitable remotely with low attack complexity and enables scope escalation beyond the plugin's intended permissions. Currently showing low exploitation probability (EPSS 6th percentile), with no confirmed active exploitation or public exploit code.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-28953 HIGH This Week

SQL injection in axiomthemes smartSEO WordPress theme versions up to 4.0 enables authenticated attackers to extract sensitive database information and potentially cause service disruption. Exploitation requires low-privilege authenticated access but can impact resources beyond the vulnerable component (scope change). EPSS score of 0.05% indicates low observed exploitation probability, with no CISA KEV listing or public POC identified at time of analysis.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2025-58207 HIGH This Week

Unauthenticated attackers can modify WordPress media library image alt text and potentially disrupt site availability through broken access control in Ai Image Alt Text Generator for WP plugin versions up to 1.1.5. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms remote exploitation without authentication, though the low 0.06% EPSS score (17th percentile) suggests minimal observed exploitation activity. Patchstack reported this as an authentication bypass vulnerability allowing unauthorized manipulation of image metadata.

Authentication Bypass
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-48290 HIGH This Week

Local File Inclusion in Kinsley WordPress theme versions ≤3.4.4 enables remote attackers to read arbitrary server files and potentially execute code through improper filename control in PHP include/require statements. The vulnerability requires high attack complexity (AC:H) but needs no authentication (PR:N), allowing unauthenticated remote exploitation under specific conditions. EPSS score of 0.22% indicates low predicted exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-39468 HIGH This Week

Remote file inclusion in Modal Survey WordPress plugin through version 2.0.2.0.1 allows unauthenticated attackers to include and execute arbitrary PHP files via manipulated include/require statements. Exploitation requires complex conditions (AC:H) but no authentication, potentially leading to complete site compromise. EPSS score of 0.14% (35th percentile) suggests low probability of mass exploitation. Patchstack security audit identified this vulnerability as exploitable for both remote file inclusion and local file inclusion.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-39466 HIGH This Week

Local file inclusion in Dør WordPress theme versions ≤2.4 allows remote attackers to read arbitrary files on the server and potentially achieve code execution through PHP wrapper manipulation. Despite the vulnerability title mentioning 'Remote File Inclusion', the CWE-98 classification and 'PHP Local File Inclusion' description indicate the actual vulnerability enables local file reads. Reported by Patchstack audit team with CVSS 8.1 severity, though EPSS probability of 0.14% (35th percentile) suggests limited observed exploitation activity. No CISA KEV listing indicating no confirmed widespread active exploitation at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-60199 HIGH This Week

Local file inclusion in InHype WordPress Theme versions up to 1.5.2 allows remote attackers to read arbitrary server files and potentially execute PHP code without authentication. Despite a high CVSS score of 8.1, the vulnerability has a low EPSS score (0.08%, 23rd percentile) and requires high attack complexity (AC:H), suggesting exploitation requires specific conditions or configuration knowledge. No active exploitation confirmed via CISA KEV, but Patchstack audit team has documented the vulnerability, increasing likelihood of public awareness and attempted exploitation.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-60197 HIGH This Week

Local File Inclusion in Simple Contact Forms WordPress plugin (versions ≤1.6.4) allows remote unauthenticated attackers to include arbitrary PHP files from the server's local filesystem via improper filename validation in include/require statements. CVSS rates this 8.1 (High) with high attack complexity (AC:H), but EPSS indicates only 0.08% exploitation probability (23rd percentile), suggesting low real-world targeting. Patchstack classified this as an LFI vulnerability with information disclosure potential, though successful exploitation could escalate to code execution if combined with file upload or log poisoning techniques.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-60190 HIGH This Week

Local File Inclusion in Immocaster WordPress Plugin versions through 1.3.6 enables remote attackers to read arbitrary files on the server or potentially execute code by manipulating file inclusion parameters. Despite the high CVSS score of 8.1, EPSS data indicates only 0.08% exploitation probability (23rd percentile), suggesting limited active targeting. No active exploitation confirmed by CISA KEV, though Patchstack's disclosure indicates researcher awareness. Attack complexity is rated High (AC:H), requiring specific server configurations or precise timing to exploit successfully.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58994 HIGH This Week

Local file inclusion vulnerability in Greenify WordPress theme (versions through 2.2) enables remote attackers to read arbitrary files from the web server filesystem, potentially exposing sensitive configuration files, credentials, and application source code. Exploitation requires specific conditions despite the network attack vector, reflected in the high attack complexity (AC:H) rating. EPSS score of 0.08% (23rd percentile) suggests low probability of mass exploitation, and no active exploitation has been confirmed via CISA KEV, though Patchstack has documented the vulnerability details.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-64287 HIGH This Week

Local file inclusion in Alloggio - Hotel Booking WordPress theme through version 1.8 allows remote attackers to read arbitrary files on the server and potentially execute code by manipulating PHP include/require statements. The vulnerability stems from improper filename validation in file inclusion operations, enabling attackers to traverse directories and access sensitive files or configuration data. Exploitation probability is low (EPSS 0.07%, 22nd percentile) with no confirmed active exploitation or public proof-of-concept at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-48090 HIGH This Week

Path traversal in Blanka WordPress theme versions before 1.5 enables unauthenticated remote attackers to include arbitrary PHP files from the server filesystem via malformed directory sequences ('.../...//'). Despite high CVSS 8.1, real-world exploitation requires specific server conditions (attack complexity high). EPSS score of 0.07% (20th percentile) indicates low observed exploitation likelihood. No CISA KEV listing or public POC identified at time of analysis, suggesting limited active targeting despite theoretical severity.

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-62053 HIGH This Week

Local file inclusion in Houzez WordPress theme versions before 4.2.0 allows remote unauthenticated attackers to include and execute arbitrary PHP files through improper filename control in include/require statements. The vulnerability carries high CVSS severity (8.1) due to potential for remote code execution, though EPSS probability remains low (0.06%, 20th percentile) indicating limited observed exploitation attempts. No active exploitation confirmed by CISA KEV at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-39467 HIGH This Week

Path traversal vulnerability in Wanderland WordPress theme versions ≤1.7.1 enables remote unauthenticated PHP local file inclusion through crafted '.../...//' patterns. Successful exploitation allows reading arbitrary PHP files on the server, potentially exposing database credentials, configuration secrets, or achieving remote code execution if writable paths exist. EPSS score of 0.05% (17th percentile) indicates relatively low probability of mass exploitation, and no evidence of active exploitation in CISA KEV. Attack complexity is rated High (AC:H), suggesting exploitation requires specific timing, configuration conditions, or race conditions despite the remote unauthenticated attack vector.

Path Traversal PHP
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-62055 HIGH This Week

Local file inclusion in WordPress Academist theme versions prior to 1.3 enables remote attackers to include arbitrary PHP files from the server filesystem, leading to potential information disclosure, code execution, and full site compromise. The vulnerability stems from improper filename validation in PHP include/require statements. Despite a CVSS score of 8.1, the EPSS probability is only 0.05% (16th percentile), suggesting attackers have not widely adopted this technique, though the attack complexity is rated high. No confirmed active exploitation or public exploit code identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-62045 HIGH This Week

Local file inclusion in TheGem Theme Elements (for WPBakery) plugin versions ≤5.10.5.1 allows remote attackers to include and execute arbitrary PHP files without authentication. Despite the high CVSS 8.1 score and network attack vector, the 'AC:H' (high complexity) rating and extremely low EPSS (0.05%, 16th percentile) indicate this requires specific conditions to exploit. No active exploitation has been confirmed - CISA KEV does not list this vulnerability, and EPSS data suggests minimal real-world targeting. The vulnerability stems from improper validation of file paths in PHP include/require statements (CWE-98), a common WordPress plugin weakness.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58995 HIGH This Week

Local File Inclusion (LFI) in Leblix WordPress theme versions up to 2.4 allows remote unauthenticated attackers to include and execute arbitrary local files through improper filename control in PHP include/require statements. Despite the network attack vector (AV:N), exploitation requires high complexity conditions (AC:H), potentially involving specific configuration states or input validation bypasses. EPSS score of 0.04% (11th percentile) indicates low observed exploitation probability in the wild, and no CISA KEV listing confirms this remains a theoretical rather than actively exploited vulnerability. The vulnerability permits information disclosure through file content exposure and potentially code execution if attackers can chain LFI with other weaknesses like log poisoning or PHP wrapper abuse.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-62067 HIGH This Week

Remote file inclusion in Elated-Themes Savory WordPress theme through version 2.5 allows network-based attackers to execute arbitrary PHP code by manipulating file inclusion statements. Despite a CVSS score of 8.1, real-world exploitation risk appears low with an EPSS probability of 0.03% (8th percentile) and no evidence of active exploitation or public proof-of-concept code. The vulnerability classification as CWE-98 combined with conflicting tags (both RFI and LFI referenced) requires clarification - the attack complexity rating of High (AC:H) suggests non-trivial prerequisites for successful exploitation despite the network attack vector.

LFI PHP Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-53252 HIGH This Week

Local File Inclusion vulnerability in Zegen WordPress theme versions up to 1.1.9 allows authenticated remote attackers with low privileges to read arbitrary files on the server. Exploitation requires high attack complexity (AC:H), suggesting specific configuration or timing conditions must be met. EPSS score of 0.22% (45th percentile) indicates low probability of widespread exploitation. No public exploit code or active exploitation confirmed at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-60248 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WPClever WPC Product Options for WooCommerce wpc-product-options allows PHP. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-60196 HIGH This Week

Local file inclusion in Clearblue Ovulation Calculator WordPress plugin versions through 1.2.4 allows remote attackers to read arbitrary files from the webserver. Despite the CWE-98 classification suggesting remote file inclusion, available intelligence confirms this is an LFI vulnerability requiring user interaction and high attack complexity (CVSS AC:H/UI:R). No active exploitation confirmed via CISA KEV. EPSS score of 0.22% indicates low probability of widespread exploitation attempts, though a Patchstack database entry suggests security researchers have documented the flaw.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-60189 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PoloPag PoloPag – Pix Automático para Woocommerce wc-polo-payments. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-48330 HIGH This Week

Local file inclusion in Real Time Validation for Gravity Forms WordPress plugin (versions ≤1.7.0) enables remote attackers to read arbitrary files from the web server, potentially exposing sensitive configuration data, credentials, and source code. Despite the 7.5 CVSS score, real-world risk is moderate: the attack requires high complexity and user interaction (CVSS:AV:N/AC:H/UI:R), and EPSS probability is low at 0.14% (35th percentile). Patchstack vulnerability database confirms the flaw but no CISA KEV listing or public POC has been identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-39463 HIGH This Week

Local file inclusion in the Dessau WordPress theme (versions up to 1.8) enables authenticated attackers with low-level privileges to read arbitrary files from the server filesystem via manipulated file inclusion paths. With attack complexity rated high (AC:H), successful exploitation requires specific conditions but grants access to sensitive configuration files, credentials, and potentially enables further attacks including remote code execution if combined with log poisoning or file upload capabilities. EPSS exploitation probability is low (0.14%, 35th percentile) with no confirmed active exploitation or public proof-of-concept code identified at time of analysis.

LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60242 HIGH This Week

Path traversal in Download Counter WordPress plugin through version 1.4 allows unauthenticated remote attackers to read arbitrary files from the web server. The vulnerability enables confidentiality breach through directory traversal sequences. EPSS score of 0.09% indicates low observed exploitation probability. No active exploitation confirmed via CISA KEV, though Patchstack database listing suggests security researcher awareness and potential for weaponization.

Path Traversal
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60204 HIGH This Week

Local file inclusion in WooCommerce Store Toolkit plugin versions up to 2.4.3 allows network-based attackers to read arbitrary files from the WordPress server via improper filename control in PHP include/require statements. Despite network-based attack vector (AV:N), the vulnerability requires high attack complexity and user interaction (AC:H/UI:R), limiting exploitation scenarios. EPSS score of 0.08% (23rd percentile) suggests low likelihood of widespread exploitation in the wild. No CISA KEV listing or public POC identified at time of analysis, though Patchstack has documented the vulnerability.

WordPress LFI PHP Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
Page 1 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy