Local file inclusion in Store Exporter (WooCommerce plugin) through version 2.7.6 allows remote attackers with user interaction to read arbitrary files and potentially execute code via PHP file inclusion. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction, with an EPSS probability of only 0.08% (23rd percentile), indicating limited real-world exploitation likelihood. No active exploitation or public POC identified at time of analysis.
Local File Inclusion in WordPress Favorites plugin versions through 2.3.6 enables network-based attackers to read arbitrary files from the server's filesystem through crafted PHP include statements. Despite the CWE-98 classification suggesting remote file inclusion, the vulnerability title and tags confirm this is actually an LFI attack requiring user interaction (UI:R) and high attack complexity (AC:H). EPSS score of 0.08% (23rd percentile) indicates low probability of mass exploitation, and no active exploitation or public POC has been identified at time of analysis.
Local File Inclusion in WP Customer Area plugin version 8.2.7 and earlier allows remote attackers to read arbitrary files on the server through improper validation of file paths in PHP include/require statements. The attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting widespread exploitation. EPSS score of 0.08% indicates low observed exploitation probability. No active exploitation confirmed in CISA KEV, though Patchstack has cataloged this vulnerability in their WordPress security database.
Local file inclusion (LFI) in LearnPress Export Import plugin ≤4.0.9 allows remote attackers to read arbitrary files on the server through manipulated PHP include/require statements. Despite CVSS 7.5 severity, real-world risk appears moderate: attack complexity is HIGH (AC:H), requires user interaction (UI:R), and EPSS probability is low (0.08%, 23rd percentile). No active exploitation confirmed and no CISA KEV listing. Patchstack database documents this as an information disclosure vector via LFI, suggesting attackers can access sensitive configuration files, credentials, or application source code.
Local file inclusion in Premmerce Product Search for WooCommerce plugin versions ≤2.2.4 enables remote attackers to read arbitrary files on the server through improper filename control in PHP include/require statements. Exploitation requires high attack complexity and user interaction (AV:N/AC:H/UI:R), suggesting social engineering or specific application state needed to trigger the vulnerability. No active exploitation confirmed (EPSS 0.07%, not in CISA KEV), but represents significant risk for WordPress/WooCommerce sites running this plugin given potential exposure of sensitive configuration files, database credentials, and user data.
Local file inclusion in Premmerce User Roles WordPress plugin ≤1.0.13 allows remote attackers to read arbitrary files and potentially execute code via improper validation of include/require file paths. Attack requires high complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitation. EPSS score of 0.07% (22nd percentile) indicates very low observed exploitation probability in the wild. No CISA KEV listing or public POC identified. Patchstack security audit disclosed this vulnerability, affecting all versions up to 1.0.13.
Local File Inclusion in Premmerce Wholesale Pricing for WooCommerce plugin (versions ≤1.1.10) allows remote attackers to read arbitrary files and potentially execute PHP code through improper filename validation. Despite the CVSS 7.5 score, real-world risk is moderate: attack complexity is high (AC:H) and requires user interaction (UI:R), limiting opportunistic exploitation. EPSS score of 0.07% (22nd percentile) suggests low probability of widespread exploitation. No active exploitation confirmed (not in CISA KEV) and public exploit code has not been identified at time of analysis.
Local file inclusion in Premmerce Wishlist for WooCommerce plugin ≤1.1.10 enables network attackers to read arbitrary PHP files and potentially execute code through crafted include/require statements. The vulnerability requires high attack complexity and user interaction (CVSS AC:H/UI:R), limiting practical exploitability. EPSS score of 0.07% (22nd percentile) indicates low likelihood of mass exploitation, and no active exploitation is documented in CISA KEV. Patchstack has documented this vulnerability, suggesting security researcher disclosure rather than in-the-wild discovery.
Local file inclusion (LFI) in Lazy Load Optimizer WordPress plugin (versions through 1.4.7) allows remote unauthenticated attackers to read arbitrary files from the web server through improper PHP include/require statement handling. Despite the 7.5 CVSS score, exploitation requires high attack complexity and user interaction (AV:N/AC:H/PR:N/UI:R), limiting practical weaponization. EPSS score of 0.07% (22nd percentile) indicates very low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, and no public exploit code identified at time of analysis.
Remote unauthenticated attackers can cause high-impact availability disruption in the Miraculous WordPress theme through arbitrary content deletion. The vulnerability allows exploitation of misconfigured access control in versions before 2.0.9, requiring no authentication or user interaction. EPSS score of 0.06% (18th percentile) indicates very low observed exploitation probability, with no public exploit code or CISA KEV listing at time of analysis. Despite CVSS 7.5 severity, the purely availability-focused impact (C:N/I:N/A:H) suggests this is a denial-of-service vector rather than a data breach risk.
Local file inclusion in Revolution theme versions before 2.5.8 allows authenticated attackers with low privileges to include and execute arbitrary PHP files on the server via manipulated file paths. The vulnerability exploits improper validation of file inclusion parameters, enabling remote code execution when combined with file upload or log poisoning. EPSS score of 0.05% suggests low probability of mass exploitation, and no public POC or active exploitation (non-KEV) is confirmed at time of analysis.
Local File Inclusion (LFI) in Simple Payment WordPress plugin versions ≤2.4.6 allows remote attackers to include and execute arbitrary local files via PHP file inclusion flaws. Attack requires high complexity (AC:H) and user interaction (UI:R), suggesting exploitation depends on specific conditions like attacker-controllable parameters combined with victim action. EPSS score of 0.04% (13th percentile) indicates low observed exploitation probability in the wild. No CISA KEV listing or public exploit code identified at time of analysis, limiting immediate threat surface despite 7.5 CVSS score.
Reflected Cross-Site Scripting (XSS) in WooTour plugin for WordPress versions up to 3.6.3 allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers by tricking users into clicking crafted links. The vulnerability stems from improper neutralization of user input during web page generation. EPSS score of 0.08% indicates low likelihood of mass exploitation, and no active exploitation has been reported by CISA KEV at time of analysis.
Broken access control in WordPress Image Gallery block plugin (bPlugins 3d-image-gallery) versions ≤1.0.7 allows authenticated low-privilege users to bypass authorization checks and access administrative functions, enabling unauthorized modification of gallery settings (low integrity impact) or triggering denial of service conditions (high availability impact). Reported by Patchstack with 0.07% EPSS score, indicating minimal active exploitation probability. No active exploitation confirmed via CISA KEV.
Reflected cross-site scripting (XSS) in Epic Review WordPress plugin through version 1.0.2 allows remote attackers to execute malicious JavaScript in victim browsers when users click specially crafted links. The vulnerability stems from improper neutralization of user input during HTML generation. EPSS exploitation probability is low (0.07%, 21st percentile) with no public exploit code or active exploitation confirmed at time of analysis. WordPress site administrators should upgrade immediately as the network attack vector (AV:N) and changed scope (S:C) enable attacks across site boundaries.
Reflected cross-site scripting (XSS) in the WeMusic WordPress theme versions up to 1.9.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers when they visit a specially crafted URL. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering such as phishing emails or malicious links. With EPSS exploitation probability of only 0.07% (20th percentile) and no CISA KEV listing, this represents a moderate theoretical risk but limited observed exploitation activity. Patchstack's reporting suggests responsible disclosure, though patch availability has not been independently confirmed.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.0.4.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Reflected cross-site scripting (XSS) in Doliconnect WordPress plugin versions up to 9.3.2 allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious links. The vulnerability requires user interaction (clicking a crafted link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of the victim's WordPress session. EPSS score of 0.05% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.
Reflected cross-site scripting (XSS) in Kalium WordPress theme versions through 3.18.3 enables remote attackers to inject malicious scripts into web pages viewed by victims. Exploitation requires user interaction (clicking a crafted link) but no authentication, with changed scope indicating potential session hijacking or actions on behalf of victims across the theme's context. EPSS score of 0.05% (17th percentile) suggests low observed exploitation activity. No active exploitation confirmed via CISA KEV or public exploit code at time of analysis.
Reflected cross-site scripting in Dropify wc-dropi-integration plugin (WordPress) through version 4.6.9 allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. Attack requires user interaction (victim must click malicious link) but no authentication, enabling phishing campaigns and session hijacking. EPSS score of 0.05% (17th percentile) indicates low widespread exploitation probability, with no CISA KEV listing or public proof-of-concept identified at time of analysis.
Reflected cross-site scripting in User Registration Aide WordPress plugin versions through 1.5.3.8 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs. Users must click a malicious link to trigger the attack. EPSS score of 0.05% (17th percentile) indicates very low probability of exploitation in the wild, and no active exploitation or public exploits are confirmed. Patchstack security team identified this flaw, which carries CVSS 7.1 with changed scope, meaning successful exploitation impacts resources beyond the vulnerable component.
Reflected cross-site scripting in flexoslider WordPress plugin versions through 1.0004 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers when targets click a malicious link. Successful exploitation requires user interaction but no authentication. The vulnerability has a low EPSS score (0.05%, 17th percentile) indicating minimal observed exploitation activity in the wild, though the scope change in CVSS indicates potential for impact beyond the vulnerable component.
Reflected cross-site scripting in Range Slider Addon for Gravity Forms (versions ≤1.1.6) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication. EPSS probability is low (0.05%, 17th percentile), and no active exploitation or public POC has been identified. This is a WordPress plugin affecting sites using Gravity Forms with the range slider extension.
Reflected cross-site scripting in Booking and Rental Manager for WooCommerce (versions 2.5.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts into web page responses via user-supplied input. Successful exploitation requires victim interaction with a crafted link. EPSS score of 0.05% (17th percentile) suggests minimal current exploitation activity, and no CISA KEV listing or public exploit code has been identified. Changed scope (S:C) elevates risk beyond typical reflected XSS by enabling potential cross-domain attacks or WooCommerce session hijacking.
Stored cross-site scripting (XSS) in WP Logo Changer WordPress plugin versions 1.2 and earlier allows remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exploits improper input sanitization during web page generation, enabling attackers to inject persistent malicious code. EPSS indicates 0.05% exploitation probability (16th percentile), suggesting low opportunistic targeting risk. No active exploitation confirmed via CISA KEV at time of analysis.
Stored cross-site scripting in Cookie Notice & Consent plugin (versions ≤1.6.4) allows remote attackers to inject malicious JavaScript that executes in victim browsers. Exploitation requires user interaction to trigger the stored payload. EPSS score of 0.05% (16th percentile) suggests low probability of mass exploitation, though stored XSS often enables account takeover and privilege escalation in WordPress environments. No active exploitation (CISA KEV) or public POC identified at time of analysis.
Broken access control in Info Cards WordPress plugin 1.0.11 and earlier allows authenticated users to access administrative functions without proper authorization checks. Authenticated low-privilege users can exploit missing ACLs to perform unauthorized modifications or cause denial of service conditions. Reported by Patchstack audit team with authentication bypass classification. EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.
Stored cross-site scripting in WP GDPR Cookie Consent plugin versions up to 1.0.0 can be triggered via cross-site request forgery (CSRF) attack, allowing remote attackers to inject malicious JavaScript into the WordPress site without authentication but requiring victim administrator interaction. The chained CSRF-to-XSS vulnerability enables attackers to execute JavaScript in administrator contexts, potentially leading to site takeover. EPSS probability is low (0.03%), no public exploit confirmed, and no known active exploitation at time of analysis.
Stored cross-site scripting (XSS) in Gutenify WordPress plugin versions through 1.5.7 allows remote attackers to inject malicious scripts into site content. Successfully exploited, attackers can execute arbitrary JavaScript in victim browsers when authenticated administrators or editors view the compromised content. EPSS exploitation probability is minimal (0.02%, 6th percentile), and no active exploitation or public POC is confirmed. While CVSS assigns high (7.1) severity due to changed scope, real-world risk is moderate given the requirement for user interaction and the narrow attack surface of a WordPress block editor plugin.
Reflected cross-site scripting in Penci Bookmark & Follow WordPress plugin (versions before 2.4) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction but no authentication, enabling attackers to steal session tokens, perform actions as the victim, or deliver phishing content. EPSS score of 0.02% (6th percentile) indicates low observed exploitation activity, with no CISA KEV listing or public exploit code identified at time of analysis.
Stored cross-site scripting in the replyMail WordPress plugin (versions ≤1.2.0) enables remote attackers to inject malicious scripts that execute in victims' browsers when viewing compromised pages. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect resources beyond the vulnerable component's security scope, potentially compromising other WordPress users or administrators. EPSS score of 0.02% suggests low probability of mass exploitation, though the no-authentication requirement (PR:N) lowers the barrier for opportunistic attacks. Patchstack has documented this vulnerability but patch availability remains unconfirmed.
Cross-Site Request Forgery in Simple Stripe WordPress plugin versions through 0.9.17 enables attackers to execute stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into submitting malicious requests that inject persistent JavaScript code into the site. EPSS exploitation probability is extremely low at 0.02% (4th percentile), indicating minimal real-world targeting to date. No active exploitation confirmed by CISA KEV, though the CSRF-to-XSS chain represents a realistic threat to WordPress sites using this payment plugin.
Cross-Site Request Forgery in WordPress wpNamedUsers plugin (versions ≤0.5) enables attackers to inject persistent malicious scripts by tricking authenticated administrators into submitting crafted requests. Patchstack identified this vulnerability chain where CSRF bypasses lack of request validation, allowing stored XSS payload injection into the WordPress database. With EPSS probability at 0.02% (4th percentile) and no CISA KEV listing, this represents a lower immediate exploitation risk despite the 7.1 CVSS score, though the changed scope (S:C) indicates potential cross-domain impact if exploited.
Cross-Site Request Forgery in the Slick Google Map WordPress plugin version 0.3 and earlier enables stored XSS attacks. An attacker can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript into the site, achieving cross-site scripting with changed scope impact. EPSS exploitation probability is low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.
Cross-site request forgery (CSRF) in Block Country WordPress plugin versions up to 1.0 enables attackers to trick authenticated administrators into executing malicious requests that inject stored XSS payloads. This chained vulnerability allows unauthenticated remote attackers to achieve persistent code execution in victim browsers by combining CSRF with stored cross-site scripting, requiring only that an admin interact with a crafted link or page. EPSS probability is minimal (0.02%, 4th percentile) with no active exploitation identified, but the attack chain is straightforward given user interaction occurs.
Missing Authorization vulnerability in Gaurav Aggarwal Backup and Move backup-and-move allows Exploiting Incorrectly Configured Access Control Security Levels.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in Bux Bux Woocommerce bux-woocommerce allows Accessing Functionality Not Properly Constrained by ACLs.2.3. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Easy Appointments Easy Appointments easy-appointments allows Code Injection.12.14. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in anibalwainstein Effect Maker effect-maker allows Exploiting Incorrectly Configured Access Control Security Levels.2.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in CodexThemes TheGem Demo Import (for WPBakery) thegem-importer.10.5. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in ganddser Jock On Air Now (JOAN) joan allows Exploiting Incorrectly Configured Access Control Security Levels.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in sertifier Sertifier Certificate & Badge Maker sertifier-certificates-open-badges allows Exploiting Incorrectly Configured Access Control Security Levels.21. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insertion of Sensitive Information Into Sent Data vulnerability in Sovlix MeetingHub meetinghub allows Retrieve Embedded Sensitive Data.23.9. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in Stylemix Cost Calculator Builder cost-calculator-builder.5.32. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in uxper Togo togo.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in uxper Togo togo.0.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Netcad Software Inc. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Deserialization of Untrusted Data vulnerability in wpdreams Ajax Search Lite ajax-search-lite allows Object Injection.13.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Missing Authorization vulnerability in hogash Kallyas kallyas.22.0. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An ownership verification issue in the Virtual Desktop preview page in the Research and Engineering Studio (RES) on AWS before version 2025.09 may allow an authenticated remote user to view another. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.