39 CVEs tracked today. 0 Critical, 6 High, 33 Medium, 0 Low.
-
CVE-2025-66631
HIGH
CVSS 7.2
A critical remote code execution vulnerability exists in CSLA .NET framework versions 5.5.4 and below due to insecure deserialization when using WcfProxy with the obsolete NetDataContractSerializer. This vulnerability allows unauthenticated remote attackers to execute arbitrary code on affected systems without user interaction, potentially leading to complete system compromise. While no active exploitation has been reported in CISA KEV and no public POC is mentioned, the vulnerability's network-exposed nature and low attack complexity make it a high-priority security concern.
RCE
Deserialization
-
CVE-2025-66622
HIGH
CVSS 7.5
A serialization bug in matrix-sdk-base allows remote attackers to cause denial-of-service by sending rooms with custom m.room.join_rules values, which stalls the sync process and prevents all room processing. The vulnerability affects matrix-sdk-base versions 0.14.1 and prior and has a high availability impact (CVSS 7.5) with a patch available in version 0.16.0. With a low EPSS score of 0.06% and no KEV listing, this represents a moderate real-world risk primarily concerning service availability rather than active exploitation.
Denial Of Service
Deserialization
Python
Matrix Rust Sdk
-
CVE-2025-63074
HIGH
CVSS 7.5
Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.
WordPress
PHP
Lfi
-
CVE-2025-63057
HIGH
CVSS 8.2
DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).
WordPress
PHP
XSS
-
CVE-2025-63030
HIGH
CVSS 7.1
Cross-Site Request Forgery in WordPress New User Approve plugin (versions ≤3.2.3) enables unauthenticated remote attackers to trick authenticated administrators into executing unauthorized actions via crafted requests. With EPSS probability of 0.02% (5th percentile) and no evidence of active exploitation (not in CISA KEV), this represents a moderate real-world risk despite a CVSS 7.1 score. The vulnerability requires user interaction (UI:R) but no attacker privileges (PR:N), making it viable through social engineering tactics like phishing emails containing malicious links.
WordPress
PHP
CSRF
-
CVE-2025-62152
HIGH
CVSS 8.8
Missing access control in ConveyThis WordPress plugin through version 269.2 allows authenticated users with low-level privileges to execute unauthorized actions with high confidentiality, integrity, and availability impact. The vulnerability stems from improper enforcement of authorization checks (CWE-862), enabling privilege escalation by exploiting misconfigured access control security levels. No public exploit identified at time of analysis, with EPSS score of 0.06% indicating low predicted exploitation probability.
Information Disclosure
-
CVE-2025-67583
MEDIUM
CVSS 5.3
Missing authorization controls in IDonate WordPress plugin through version 2.1.15 allow unauthenticated remote attackers to access sensitive information due to incorrectly configured access control security levels. The vulnerability has a low EPSS score (0.04%, 13th percentile) and no public exploit code or active exploitation is documented, indicating limited real-world attack incentive despite the network-accessible attack surface.
Information Disclosure
Idonate
-
CVE-2025-67570
MEDIUM
CVSS 5.3
WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.
WordPress
PHP
Authentication Bypass
-
CVE-2025-67535
MEDIUM
CVSS 6.5
Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.
WordPress
PHP
Deserialization
-
CVE-2025-63077
MEDIUM
CVSS 4.3
Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.
WordPress
PHP
Authentication Bypass
-
CVE-2025-63075
MEDIUM
CVSS 6.5
DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.
WordPress
PHP
XSS
-
CVE-2025-63073
MEDIUM
CVSS 6.5
DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04th percentile, and no public exploit code or active exploitation has been reported.
WordPress
PHP
XSS
-
CVE-2025-63071
MEDIUM
CVSS 5.3
Insertion of sensitive information into sent data in auxin-elements WordPress plugin versions up to 2.17.15 allows unauthenticated remote attackers to retrieve embedded sensitive data through network-accessible responses. The vulnerability exposes information with low confidentiality impact and affects the Shortcodes and extra features for Phlox theme plugin across all versions through 2.17.15, with EPSS scoring indicating 0.04% likelihood of exploitation.
WordPress
PHP
Information Disclosure
-
CVE-2025-63068
MEDIUM
CVSS 5.3
Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.
WordPress
PHP
XSS
Code Injection
-
CVE-2025-63067
MEDIUM
CVSS 4.3
Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to access sensitive information through broken access control, enabling privilege escalation or information disclosure without proper authorization checks. While the vulnerability requires valid WordPress credentials and has low CVSS severity (4.3), the confirmed patch availability and authentication requirement reduce immediate risk. No public exploit code or active exploitation has been identified at the time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-63066
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.
WordPress
PHP
XSS
-
CVE-2025-63065
MEDIUM
CVSS 5.4
Media Library Assistant WordPress plugin through version 3.29 allows authenticated users to bypass authorization controls and access or modify content they should not have permission to reach via user-controlled keys in access control mechanisms. The vulnerability requires an authenticated user with limited privileges (PR:L) and affects confidentiality and integrity of stored media library data, though with relatively low exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.
WordPress
PHP
Authentication Bypass
-
CVE-2025-63061
MEDIUM
CVSS 6.5
DOM-Based Cross-Site Scripting (XSS) in KALLYAS WordPress theme versions below 4.25.0 allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other users, potentially stealing session cookies, credentials, or performing unauthorized actions on their behalf. The vulnerability requires user interaction (clicking a malicious link) and affects the theme's web page generation routines. EPSS probability is 0.01% (very low), suggesting minimal real-world exploitation likelihood despite the moderate CVSS score of 6.5.
XSS
-
CVE-2025-63060
MEDIUM
CVSS 4.3
Cross-site request forgery in KALLYAS WordPress theme versions before 4.25.0 allows authenticated attackers to perform unauthorized actions on behalf of legitimate users without their knowledge or consent. The CVSS vector scores user interaction as UI:N (no additional user interaction beyond authentication), and the vulnerability affects only confidentiality, with low impact. While CVSS scores it 4.3 (medium severity), the EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation likelihood despite public awareness.
CSRF
-
CVE-2025-63058
MEDIUM
CVSS 4.4
Custom Field Template WordPress plugin through version 2.7.6 exposes sensitive system information to high-privilege local users via embedded data retrieval, allowing administrators to access confidential data they should not have access to. The vulnerability requires high administrative privileges and local access, limiting real-world exploitation risk despite the complete confidentiality impact. EPSS probability is minimal at 0.02%, indicating low likelihood of opportunistic exploitation.
WordPress
PHP
Information Disclosure
-
CVE-2025-63056
MEDIUM
CVSS 4.3
Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.
WordPress
PHP
Authentication Bypass
-
CVE-2025-63055
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.
WordPress
PHP
XSS
-
CVE-2025-63054
MEDIUM
CVSS 5.3
Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.
WordPress
PHP
Authentication Bypass
-
CVE-2025-63052
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.
WordPress
PHP
XSS
-
CVE-2025-63033
MEDIUM
CVSS 5.9
Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.
WordPress
PHP
XSS
-
CVE-2025-63025
MEDIUM
CVSS 4.3
Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.
WordPress
PHP
Authentication Bypass
-
CVE-2025-63023
MEDIUM
CVSS 5.3
Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.
WordPress
Woocommerce
PHP
Authentication Bypass
-
CVE-2025-63015
MEDIUM
CVSS 4.3
Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.
WordPress
Woocommerce
PHP
Authentication Bypass
-
CVE-2025-63012
MEDIUM
CVSS 4.3
Cross-site request forgery in ThimPress WP Hotel Booking plugin version 2.2.8 and earlier allows unauthenticated remote attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. The vulnerability requires user interaction (clicking a malicious link) and results in limited information disclosure, with a CVSS score of 4.3. Exploitation probability is very low per EPSS (0.02%, 5th percentile), suggesting this is a lower-priority vulnerability despite public researcher disclosure.
WordPress
PHP
CSRF
-
CVE-2025-63011
MEDIUM
CVSS 5.9
DOM-based cross-site scripting (XSS) in ThimPress WP Hotel Booking plugin versions up to 2.2.8 allows authenticated users with high privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting its real-world impact despite a moderate CVSS score of 5.9. EPSS exploitation probability is very low at 0.04%, indicating minimal practical attack likelihood.
WordPress
PHP
XSS
-
CVE-2025-62999
MEDIUM
CVSS 5.4
Missing authorization in themezaa Litho Addons for WordPress (versions through 3.5) allows authenticated users to bypass access controls and gain unauthorized read/write access to sensitive data. The vulnerability stems from incorrectly configured access control security levels that fail to properly validate user permissions before exposing functionality. With an EPSS score of 0.04% and CVSS 5.4, exploitation requires valid authentication but no advanced attack complexity; this represents a moderate privilege escalation risk for multi-user WordPress installations.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62993
MEDIUM
CVSS 4.3
Missing authorization controls in the Notification for Telegram WordPress plugin through version 3.5 allow authenticated users to modify notification settings they should not have access to, resulting in limited integrity impact. The vulnerability requires valid user credentials (PR:L in CVSS vector) and affects the plugin's access control enforcement rather than authentication bypass. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a low-probability real-world risk despite the authentication bypass tag.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62870
MEDIUM
CVSS 5.3
Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, and with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.
WordPress
Woocommerce
PHP
Authentication Bypass
-
CVE-2025-62867
MEDIUM
CVSS 4.3
Ergonet Cache plugin versions up to 1.0.13 allow authenticated users to bypass access control checks and modify unauthorized data due to missing authorization validation. The vulnerability requires user authentication (PR:L) and has low real-world risk per EPSS (0.04%), though it can lead to unauthorized content modification in affected WordPress installations.
Information Disclosure
-
CVE-2025-62740
MEDIUM
CVSS 5.3
Missing authorization controls in Mario Peshev WP-CRM System plugin up to version 3.4.6 allow unauthenticated remote attackers to modify data through incorrectly configured access control security levels. The CVSS 5.3 score reflects low integrity impact with no confidentiality or availability consequences, but the vulnerability exposes the plugin to unauthorized data manipulation attacks without authentication.
WordPress
PHP
Authentication Bypass
-
CVE-2025-62734
MEDIUM
CVSS 4.3
Cross-site request forgery (CSRF) in WordPress Media Library Downloader plugin versions up to 1.4.0 allows unauthenticated attackers to perform unauthorized actions on behalf of logged-in site administrators or users via crafted web requests. The vulnerability requires user interaction (UI:R) and has limited scope, affecting only integrity (I:L) with no confidentiality or availability impact. EPSS exploitation probability is very low at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood despite the public disclosure.
WordPress
PHP
CSRF
-
CVE-2025-62086
MEDIUM
CVSS 5.4
Missing authorization in Яндекс Доставка (Boxberry) WordPress plugin version 2.34 and earlier allows authenticated users to access or modify resources they should not be permitted to via incorrectly configured access control. An attacker with valid credentials can exploit broken access control mechanisms to view or modify sensitive data without proper privilege validation, though the CVSS 5.4 score reflects limited direct impact (confidentiality and integrity), and the 0.04% EPSS score indicates low real-world exploitation probability.
Authentication Bypass
Privilege Escalation
-
CVE-2025-62085
MEDIUM
CVSS 5.3
Bertha AI WordPress plugin through version 1.13 allows unauthenticated attackers to modify content via incorrectly configured access control, enabling unauthorized changes to website data without authentication. The vulnerability stems from missing authorization checks on sensitive operations, classified as CWE-862 (Missing Authorization). While CVSS scores 5.3 (medium severity), EPSS exploitation probability is minimal at 0.04%, indicating low real-world attack likelihood despite the straightforward attack vector.
AI / ML
Authentication Bypass
-
CVE-2025-62082
MEDIUM
CVSS 6.5
Stored cross-site scripting (XSS) in Generic Elements for Elementor plugin versions 1.2.9 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a malicious link) and affects WordPress installations using this plugin. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been identified.
WordPress
PHP
XSS