Skip to main content
CVE-2025-54722 HIGH This Week

Reflected Cross-Site Scripting (XSS) in WooTour plugin for WordPress versions up to 3.6.3 allows remote unauthenticated attackers to execute malicious JavaScript in victim browsers by tricking users into clicking crafted links. The vulnerability stems from improper neutralization of user input during web page generation. EPSS score of 0.08% indicates low likelihood of mass exploitation, and no active exploitation has been reported by CISA KEV at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49394 HIGH This Week

Broken access control in WordPress Image Gallery block plugin (bPlugins 3d-image-gallery) versions ≤1.0.7 allows authenticated low-privilege users to bypass authorization checks and access administrative functions, enabling unauthorized modification of gallery settings (low integrity impact) or triggering denial of service conditions (high availability impact). Reported by Patchstack with 0.07% EPSS score, indicating minimal active exploitation probability. No active exploitation confirmed via CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53573 HIGH This Week

Reflected cross-site scripting (XSS) in Epic Review WordPress plugin through version 1.0.2 allows remote attackers to execute malicious JavaScript in victim browsers when users click specially crafted links. The vulnerability stems from improper neutralization of user input during HTML generation. EPSS exploitation probability is low (0.07%, 21st percentile) with no public exploit code or active exploitation confirmed at time of analysis. WordPress site administrators should upgrade immediately as the network attack vector (AV:N) and changed scope (S:C) enable attacks across site boundaries.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53585 HIGH This Week

Reflected cross-site scripting (XSS) in the WeMusic WordPress theme versions up to 1.9.1 allows remote attackers to execute arbitrary JavaScript in victims' browsers when they visit a specially crafted URL. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering such as phishing emails or malicious links. With EPSS exploitation probability of only 0.07% (20th percentile) and no CISA KEV listing, this represents a moderate theoretical risk but limited observed exploitation activity. Patchstack's reporting suggests responsible disclosure, though patch availability has not been independently confirmed.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-60244 HIGH This Week

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RealMag777 TableOn posts-table-filterable allows Code Injection.0.4.2. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53574 HIGH This Week

Reflected cross-site scripting (XSS) in Doliconnect WordPress plugin versions up to 9.3.2 allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious links. The vulnerability requires user interaction (clicking a crafted link) but needs no authentication, enabling session hijacking, credential theft, or malicious actions in the context of the victim's WordPress session. EPSS score of 0.05% indicates very low observed exploitation probability, and no active exploitation or public proof-of-concept has been identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53349 HIGH This Week

Reflected cross-site scripting (XSS) in Kalium WordPress theme versions through 3.18.3 enables remote attackers to inject malicious scripts into web pages viewed by victims. Exploitation requires user interaction (clicking a crafted link) but no authentication, with changed scope indicating potential session hijacking or actions on behalf of victims across the theme's context. EPSS score of 0.05% (17th percentile) suggests low observed exploitation activity. No active exploitation confirmed via CISA KEV or public exploit code at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53286 HIGH This Week

Reflected cross-site scripting in Dropify wc-dropi-integration plugin (WordPress) through version 4.6.9 allows remote attackers to execute arbitrary JavaScript in victim browsers via maliciously crafted URLs. Attack requires user interaction (victim must click malicious link) but no authentication, enabling phishing campaigns and session hijacking. EPSS score of 0.05% (17th percentile) indicates low widespread exploitation probability, with no CISA KEV listing or public proof-of-concept identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53239 HIGH This Week

Reflected cross-site scripting in User Registration Aide WordPress plugin versions through 1.5.3.8 allows remote attackers to execute arbitrary JavaScript in victims' browsers via crafted URLs. Users must click a malicious link to trigger the attack. EPSS score of 0.05% (17th percentile) indicates very low probability of exploitation in the wild, and no active exploitation or public exploits are confirmed. Patchstack security team identified this flaw, which carries CVSS 7.1 with changed scope, meaning successful exploitation impacts resources beyond the vulnerable component.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-52764 HIGH This Week

Reflected cross-site scripting in flexoslider WordPress plugin versions through 1.0004 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers when targets click a malicious link. Successful exploitation requires user interaction but no authentication. The vulnerability has a low EPSS score (0.05%, 17th percentile) indicating minimal observed exploitation activity in the wild, though the scope change in CVSS indicates potential for impact beyond the vulnerable component.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49905 HIGH This Week

Reflected cross-site scripting in Range Slider Addon for Gravity Forms (versions ≤1.1.6) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but no authentication. EPSS probability is low (0.05%, 17th percentile), and no active exploitation or public POC has been identified. This is a WordPress plugin affecting sites using Gravity Forms with the range slider extension.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49904 HIGH This Week

Reflected cross-site scripting in Booking and Rental Manager for WooCommerce (versions 2.5.3 and earlier) allows unauthenticated remote attackers to inject malicious scripts into web page responses via user-supplied input. Successful exploitation requires victim interaction with a crafted link. EPSS score of 0.05% (17th percentile) suggests minimal current exploitation activity, and no CISA KEV listing or public exploit code has been identified. Changed scope (S:C) elevates risk beyond typical reflected XSS by enabling potential cross-domain attacks or WooCommerce session hijacking.

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53245 HIGH This Week

Stored cross-site scripting (XSS) in WP Logo Changer WordPress plugin versions 1.2 and earlier allows remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exploits improper input sanitization during web page generation, enabling attackers to inject persistent malicious code. EPSS indicates 0.05% exploitation probability (16th percentile), suggesting low opportunistic targeting risk. No active exploitation confirmed via CISA KEV at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-49390 HIGH This Week

Stored cross-site scripting in Cookie Notice & Consent plugin (versions ≤1.6.4) allows remote attackers to inject malicious JavaScript that executes in victim browsers. Exploitation requires user interaction to trigger the stored payload. EPSS score of 0.05% (16th percentile) suggests low probability of mass exploitation, though stored XSS often enables account takeover and privilege escalation in WordPress environments. No active exploitation (CISA KEV) or public POC identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-54711 HIGH This Week

Broken access control in Info Cards WordPress plugin 1.0.11 and earlier allows authenticated users to access administrative functions without proper authorization checks. Authenticated low-privilege users can exploit missing ACLs to perform unauthorized modifications or cause denial of service conditions. Reported by Patchstack audit team with authentication bypass classification. EPSS score of 0.05% (16th percentile) indicates low observed exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-53316 HIGH This Week

Stored cross-site scripting in WP GDPR Cookie Consent plugin versions up to 1.0.0 can be triggered via cross-site request forgery (CSRF) attack, allowing remote attackers to inject malicious JavaScript into the WordPress site without authentication but requiring victim administrator interaction. The chained CSRF-to-XSS vulnerability enables attackers to execute JavaScript in administrator contexts, potentially leading to site takeover. EPSS probability is low (0.03%), no public exploit confirmed, and no known active exploitation at time of analysis.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-53324 HIGH This Week

Stored cross-site scripting (XSS) in Gutenify WordPress plugin versions through 1.5.7 allows remote attackers to inject malicious scripts into site content. Successfully exploited, attackers can execute arbitrary JavaScript in victim browsers when authenticated administrators or editors view the compromised content. EPSS exploitation probability is minimal (0.02%, 6th percentile), and no active exploitation or public POC is confirmed. While CVSS assigns high (7.1) severity due to changed scope, real-world risk is moderate given the requirement for user interaction and the narrow attack surface of a WordPress block editor plugin.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-49909 HIGH This Week

Reflected cross-site scripting in Penci Bookmark & Follow WordPress plugin (versions before 2.4) allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction but no authentication, enabling attackers to steal session tokens, perform actions as the victim, or deliver phishing content. EPSS score of 0.02% (6th percentile) indicates low observed exploitation activity, with no CISA KEV listing or public exploit code identified at time of analysis.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-31029 HIGH This Week

Stored cross-site scripting in the replyMail WordPress plugin (versions ≤1.2.0) enables remote attackers to inject malicious scripts that execute in victims' browsers when viewing compromised pages. The changed scope (S:C) in the CVSS vector indicates the injected payload can affect resources beyond the vulnerable component's security scope, potentially compromising other WordPress users or administrators. EPSS score of 0.02% suggests low probability of mass exploitation, though the no-authentication requirement (PR:N) lowers the barrier for opportunistic attacks. Patchstack has documented this vulnerability but patch availability remains unconfirmed.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48085 HIGH This Week

Cross-Site Request Forgery in Simple Stripe WordPress plugin versions through 0.9.17 enables attackers to execute stored cross-site scripting attacks. Remote unauthenticated attackers can trick authenticated administrators into submitting malicious requests that inject persistent JavaScript code into the site. EPSS exploitation probability is extremely low at 0.02% (4th percentile), indicating minimal real-world targeting to date. No active exploitation confirmed by CISA KEV, though the CSRF-to-XSS chain represents a realistic threat to WordPress sites using this payment plugin.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48083 HIGH This Week

Cross-Site Request Forgery in WordPress wpNamedUsers plugin (versions ≤0.5) enables attackers to inject persistent malicious scripts by tricking authenticated administrators into submitting crafted requests. Patchstack identified this vulnerability chain where CSRF bypasses lack of request validation, allowing stored XSS payload injection into the WordPress database. With EPSS probability at 0.02% (4th percentile) and no CISA KEV listing, this represents a lower immediate exploitation risk despite the 7.1 CVSS score, though the changed scope (S:C) indicates potential cross-domain impact if exploited.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48078 HIGH This Week

Cross-Site Request Forgery in the Slick Google Map WordPress plugin version 0.3 and earlier enables stored XSS attacks. An attacker can trick authenticated WordPress administrators into executing malicious requests that inject persistent JavaScript into the site, achieving cross-site scripting with changed scope impact. EPSS exploitation probability is low (0.02%, 4th percentile), and no public exploit or active exploitation has been identified at time of analysis.

Google XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-48077 HIGH This Week

Cross-site request forgery (CSRF) in Block Country WordPress plugin versions up to 1.0 enables attackers to trick authenticated administrators into executing malicious requests that inject stored XSS payloads. This chained vulnerability allows unauthenticated remote attackers to achieve persistent code execution in victim browsers by combining CSRF with stored cross-site scripting, requiring only that an admin interact with a crafted link or page. EPSS probability is minimal (0.02%, 4th percentile) with no active exploitation identified, but the attack chain is straightforward given user interaction occurs.

XSS CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-62630 HIGH This Month

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal RCE Deviceon Iedge
NVD GitHub
CVSS 4.0
8.7
EPSS
0.2%
CVE-2025-59171 HIGH This Month

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to traverse directories and achieve remote code execution with system-level permissions. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal RCE Deviceon Iedge
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-58423 HIGH This Month

Due to insufficient sanitization, an attacker can upload a specially crafted configuration file to cause a denial-of-service condition, traverse directories, or read/write files, within the context. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Path Traversal Deviceon Iedge
NVD GitHub
CVSS 4.0
8.7
EPSS
0.1%
CVE-2025-12636 HIGH This Month

The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-12036 HIGH PATCH This Month

Out of bounds memory access in V8 in Google Chrome prior to 141.0.7390.122 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Information Disclosure Chrome Red Hat +1
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-11756 HIGH PATCH This Month

Use after free in Safe Browsing in Google Chrome prior to 141.0.7390.107 allowed a remote attacker who had compromised the renderer process to potentially perform out of bounds memory access via a. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Memory Corruption Google Denial Of Service Use After Free Chrome +2
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-11460 HIGH PATCH This Month

Use after free in Storage in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to execute arbitrary code via a crafted video file. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google RCE Memory Corruption Denial Of Service Use After Free +3
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-11458 HIGH PATCH This Month

Heap buffer overflow in Sync in Google Chrome prior to 141.0.7390.65 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Heap Overflow Chrome Red Hat +1
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-64178 HIGH PATCH This Month

Jellysweep is a cleanup tool for the Jellyfin media server. Rated high severity (CVSS 8.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SSRF
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2025-11211 HIGH PATCH This Month

Out of bounds read in Media in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Information Disclosure Chrome Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-11209 HIGH PATCH This Month

Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Authentication Bypass Chrome Android Suse
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-11206 HIGH PATCH This Month

Heap buffer overflow in Video in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Heap Overflow Chrome Red Hat +1
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-11205 HIGH PATCH This Month

Heap buffer overflow in WebGPU in Google Chrome prior to 141.0.7390.54 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Google Buffer Overflow Heap Overflow Chrome Red Hat +1
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-12125 HIGH This Month

A flaw was found in the 3scale Developer Portal. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Red Hat
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64173 HIGH PATCH This Month

Apollo Router Core is a configurable graph router written in Rust to run a federated supergraph using Apollo Federation 2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-12790 HIGH PATCH This Month

A flaw was found in Rubygem MQTT. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Red Hat
NVD GitHub
CVSS 3.1
7.4
EPSS
0.1%
CVE-2025-12489 HIGH This Month

evernote-mcp-server openBrowser Command Injection Privilege Escalation Vulnerability. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection RCE Privilege Escalation
NVD GitHub
CVSS 3.0
7.8
EPSS
0.1%
CVE-2025-12486 HIGH This Month

Heimdall Data Database Proxy Cross-Site Scripting Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE XSS
NVD
CVSS 3.0
8.8
EPSS
0.4%
CVE-2025-34242 HIGH This Month

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxNetworkController.ajaxAction() that allows an authenticated low-privileged observer user to inject SQL via. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Webaccess Vpn
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-34240 HIGH This Month

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated low-privileged observer user to inject. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Webaccess Vpn
NVD
CVSS 4.0
8.6
EPSS
0.0%
CVE-2025-34239 HIGH This Month

Advantech WebAccess/VPN versions prior to 1.1.5 contain a command injection vulnerability in AppManagementController.appUpgradeAction() that allows an authenticated system administrator to execute. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Webaccess Vpn
NVD
CVSS 4.0
8.6
EPSS
0.3%
CVE-2025-12490 HIGH This Month

Netgate pfSense CE Suricata Path Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 26.7% and no vendor patch available.

Path Traversal RCE
NVD GitHub
CVSS 3.0
8.8
EPSS
26.7%
CVE-2025-63551 HIGH POC This Month

A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE SSRF Metinfo
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60541 HIGH POC This Month

A Server-Side Request Forgery (SSRF) in the /api/proxy/ component of linshenkx prompt-optimizer v1.3.0 to v1.4.2 allows attackers to scan internal resources via a crafted request. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Prompt Optimizer
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2024-25621 HIGH PATCH This Month

containerd is an open-source container runtime. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity.

Information Disclosure Containerd Red Hat Suse
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2025-27919 HIGH POC This Week

An issue was discovered in AnyDesk through 9.0.4. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Anydesk
NVD
CVSS 3.1
8.2
EPSS
0.1%
CVE-2025-27917 HIGH POC This Month

An issue was discovered in AnyDesk for Windows before 9.0.5, AnyDesk for macOS before 9.0.1, AnyDesk for Linux before 7.0.0, AnyDesk for iOS before 7.1.2, and AnyDesk for Android before 8.0.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Deserialization Google Apple Null Pointer Dereference Microsoft +6
NVD
CVSS 3.1
7.5
EPSS
0.5%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy