Skip to main content
CVE-2025-65427 MEDIUM POC This Month

Unauthenticated remote brute-force of the Dbit N300 T1 Pro wireless router (firmware V1.0.0) is trivially achievable because the /api/login endpoint imposes no rate limiting, account lockout, or throttling of any kind. Any attacker with network access to the management interface can attempt unlimited password guesses until admin credentials are found. A publicly available proof-of-concept exploit exists on GitHub; however, EPSS at 0.29% (21st percentile) and absence from CISA KEV suggest exploitation remains limited in practice, likely constrained by the product's small market footprint.

Information Disclosure Dbit N300 T1 Pro Firmware
NVD GitHub
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-53899 MEDIUM POC This Month

PodcastGenerator 3.2.9 contains a blind server-side request forgery vulnerability that allows attackers to inject XML in the episode upload form. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Podcast Generator
NVD GitHub Exploit-DB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2023-53900 MEDIUM POC This Month

Spip 4.1.10 contains a file upload vulnerability that allows attackers to upload malicious SVG files with embedded external links. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS File Upload Spip
NVD Exploit-DB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2025-68079 MEDIUM This Month

Stored cross-site scripting (XSS) in ThemeNectar Salient Shortcodes WordPress plugin through version 1.5.4 allows authenticated users with low privileges to inject malicious scripts that execute in the context of higher-privileged administrators or other site visitors. The vulnerability requires user interaction (UI:R in CVSS vector) and affects the shortcode generation functionality, enabling persistence of malicious payloads in page content. EPSS score of 0.06% indicates low real-world exploitation probability despite the moderate CVSS 6.5 rating.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-68070 MEDIUM This Month

Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67912 MEDIUM This Month

Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-68071 MEDIUM This Month

Authorization bypass in Essential Real Estate WordPress plugin versions through 5.2.9 allows authenticated users to access sensitive real estate data they should not have permission to view through user-controlled key manipulation. The vulnerability exploits incorrectly configured access control at the application level, enabling privilege escalation from a standard user account to view confidential information such as property details or pricing. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability despite the CVSS 6.5 severity rating.

Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-14777 MEDIUM PATCH This Month

Keycloak's admin API endpoints for authorization resource management contain an IDOR vulnerability allowing authenticated administrators with fine-grained permissions for one client to delete or modify resources belonging to other clients within the same realm. The flaw exists in ResourceSetService and PermissionTicketService where authorization checks validate the resourceServer (client) ID from the API request, but backend database operations use only the resourceId, creating a permission bypass. Affected administrators can exploit this with standard HTTP requests to cross-client resource boundaries; no public exploit code identified at time of analysis.

Privilege Escalation Authentication Bypass Red Hat
NVD
CVSS 3.1
6.0
EPSS
0.0%
CVE-2025-67986 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS.This issue affects Document Library Lite: from n/a through <= 1.1.7.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-67989 MEDIUM This Month

Server-Side Request Forgery (SSRF) vulnerability in LMPixels Kerge kerge allows Server Side Request Forgery.This issue affects Kerge: from n/a through <= 4.1.3.

SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68085 MEDIUM This Month

Authenticated users with limited privileges can modify plugin settings and access functionality they should not have access to via missing authorization checks in Buttoner for Elementor through version 1.0.6. The vulnerability requires valid WordPress user credentials but no administrative role, allowing privilege escalation within the plugin's configuration interface. EPSS score of 0.05% indicates low exploitation probability despite network accessibility.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68084 MEDIUM This Month

Missing Authorization vulnerability in Nitesh Ultimate Auction ultimate-auction allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Auction : from n/a through <= 4.3.3.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66134 MEDIUM This Month

Missing authorization in NinjaTeam FileBird Pro WordPress plugin versions up to 6.5.1 allows authenticated users to access and modify files they should not have permission to view or edit due to incorrectly configured access control security levels. The vulnerability requires valid user credentials but can lead to disclosure and modification of sensitive files within the plugin's file management interface. EPSS exploitation probability is low at 0.04%, and no public exploit code has been identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68083 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Meks Meks Quick Plugin Disabler meks-quick-plugin-disabler allows Cross Site Request Forgery.This issue affects Meks Quick Plugin Disabler: from n/a through <= 1.0.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-68082 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in SEMrush CY LTD Semrush Content Toolkit semrush-contentshake allows Cross Site Request Forgery.This issue affects Semrush Content Toolkit: from n/a through <= 1.1.32.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-64634 MEDIUM This Month

Broken access control in ThemeFusion Avada WordPress theme through version 7.13.2 allows authenticated attackers with low privileges to access functionality improperly constrained by access control lists, potentially achieving full site compromise. With CVSS 8.8 (High) due to network-based access requiring only low-privilege authentication, attackers can achieve high confidentiality, integrity, and availability impact. EPSS probability remains low at 0.06% (18th percentile), and no public exploit identified at time of analysis, suggesting limited immediate exploitation risk despite the critical CVSS rating.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-66126 MEDIUM This Month

Insertion of Sensitive Information Into Sent Data vulnerability in wowpress.host Fix Media Library wow-media-library-fix allows Retrieve Embedded Sensitive Data.This issue affects Fix Media Library: from n/a through <= 2.0.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67985 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Document Library Lite: from n/a through <= 1.1.7.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67965 MEDIUM This Month

Missing Authorization vulnerability in favethemes Homey Core homey-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Homey Core: from n/a through <= 2.4.3.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-66133 MEDIUM This Month

Missing Authorization vulnerability in WP Legal Pages WP Cookie Notice for GDPR, CCPA & ePrivacy Consent gdpr-cookie-consent allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Cookie Notice for GDPR, CCPA & ePrivacy Consent: from n/a through <= 4.0.7.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-66128 MEDIUM This Month

Missing Authorization vulnerability in Brevo Sendinblue for WooCommerce woocommerce-sendinblue-newsletter-subscription allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendinblue for WooCommerce: from n/a through <= 4.0.49.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-66121 MEDIUM This Month

Missing Authorization vulnerability in SiteGround SiteGround Security sg-security allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SiteGround Security: from n/a through <= 1.5.8.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-66120 MEDIUM This Month

Missing Authorization vulnerability in CatFolders CatFolders catfolders allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CatFolders: from n/a through <= 2.5.3.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-64638 MEDIUM This Month

Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-64249 MEDIUM This Month

Missing Authorization vulnerability in WP-EXPERTS.IN Protect WP Admin protect-wp-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Protect WP Admin: from n/a through <= 4.1.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66122 MEDIUM This Month

Missing Authorization vulnerability in Design Stylish Price List stylish-price-list allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stylish Price List: from n/a through <= 7.2.2.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64635 MEDIUM This Month

Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Feeds for YouTube: from n/a through <= 2.4.0.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66131 MEDIUM This Month

Broken access control in Yaad Sarig Payment Gateway for WooCommerce (versions ≤2.2.11) allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized access to payment gateway functions. With CVSS 9.1 (Critical) scoring reflecting network-accessible exploitation requiring no privileges or user interaction, attackers can read or modify sensitive payment data. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite severity. No public exploit identified at time of analysis, though the authentication bypass tag indicates potential for unauthorized transaction manipulation or data exposure in WordPress e-commerce environments.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66124 MEDIUM This Month

Unauthenticated remote attackers can bypass access controls in ZEEN101 Leaky Paywall WordPress plugin versions up to 4.22.6, gaining unauthorized access to restricted content through incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, though it is limited to information disclosure (CVSS 5.3, EPSS 0.04%). No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64639 MEDIUM This Month

Missing authorization in WP Compress for MainWP plugin versions up to 6.50.17 allows unauthenticated remote attackers to modify plugin settings due to incorrectly configured access control, affecting integrity of compressed content and plugin configuration without requiring authentication or user interaction.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64632 MEDIUM This Month

Unauthenticated remote attackers can access sensitive sitemap data in Google XML Sitemaps WordPress plugin versions through 4.1.22 due to missing authorization checks on sitemap endpoints. The vulnerability allows unauthorized information disclosure of site structure and indexed pages without requiring authentication or user interaction. While the CVSS score is moderate (5.3), real-world exploitation probability is very low (EPSS 0.04th percentile), suggesting this is primarily an information disclosure risk rather than an active threat.

Authentication Bypass Google
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66132 MEDIUM This Month

Authorization bypass in FAPI Member WordPress plugin through version 2.2.29 allows unauthenticated remote attackers to access or modify resources via insecure direct object references (IDOR) exploiting misconfigured access control security levels. The vulnerability requires no authentication, low attack complexity, and results in confidentiality and integrity impact without availability compromise. EPSS score of 0.04% indicates minimal real-world exploitation probability despite the moderate CVSS score.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-66127 MEDIUM This Month

Missing authorization in g5theme Essential Real Estate WordPress plugin version 5.2.9 and earlier allows authenticated users to access or modify restricted resources by exploiting inadequately configured access controls. An attacker with low-privilege WordPress account credentials can leverage the broken access control to view sensitive information and make unauthorized modifications without requiring administrative approval. No public exploit code is currently identified, though the vulnerability is documented in the Patchstack security database.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67929 MEDIUM This Month

Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64630 MEDIUM This Month

Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Business Directory: from n/a through <= 6.4.19.

Authentication Bypass
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-64631 MEDIUM This Month

WCFM Marketplace plugin through version 3.7.1 fails to properly enforce authorization controls, allowing authenticated users with limited privileges to cause denial of service or access functionality they should not have. The vulnerability affects the WordPress plugin across all installations through the specified version, exploiting incorrectly configured access control security levels via network-accessible endpoints. With an EPSS score of 0.05% and low real-world exploitation probability, this represents a privilege escalation risk primarily for multi-vendor marketplace administrators.

Authentication Bypass
NVD
CVSS 3.1
4.9
EPSS
0.1%
CVE-2025-64251 MEDIUM This Month

Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Learning Pro: from n/a through <= 3.9.3.

Authentication Bypass
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-64250 MEDIUM This Month

Open redirect vulnerability in wpWax Directorist WordPress plugin versions up to 8.6.6 allows unauthenticated remote attackers to redirect users to arbitrary external websites via crafted URL parameters, enabling phishing attacks. The vulnerability requires user interaction (clicking a malicious link) but has a network attack vector with low complexity. EPSS exploitation probability is very low at 0.04%, and no active exploitation or public proof-of-concept has been identified.

Open Redirect
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-64243 MEDIUM This Month

Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through <= 2.5.6.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-59001 MEDIUM This Month

Missing Authorization vulnerability in ThemeNectar Salient Core salient-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Salient Core: from n/a through <= 3.0.8.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-64246 MEDIUM This Month

Missing Authorization vulnerability in netopsae Accessibility by AudioEye accessibility-by-audioeye allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accessibility by AudioEye: from n/a through <= 1.0.49.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64245 MEDIUM This Month

Missing Authorization vulnerability in ryanpcmcquen Import external attachments import-external-attachments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Import external attachments: from n/a through <= 1.5.12.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64244 MEDIUM This Month

Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64241 MEDIUM This Month

Missing Authorization vulnerability in Imtiaz Rayhan WP Coupons and Deals wp-coupons-and-deals allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Coupons and Deals: from n/a through <= 3.2.4.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64238 MEDIUM This Month

Missing Authorization vulnerability in NicolasKulka WPS Bidouille wps-bidouille allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPS Bidouille: from n/a through <= 1.33.1.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54005 MEDIUM This Month

Missing Authorization vulnerability in sonalsinha21 SKT Page Builder skt-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SKT Page Builder: from n/a through <= 4.9.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64247 MEDIUM This Month

Missing authorization in the WordPress Read More & Accordion plugin (expand-maker) versions 3.5.5.1 and earlier allows authenticated users to access restricted functionality through incorrectly configured access controls, potentially revealing sensitive information. The vulnerability requires user authentication and network access but carries a CVSS score of 6.5 due to high confidentiality impact, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64242 MEDIUM This Month

Inadequately configured access control in Easy Property Listings WordPress plugin versions 3.5.21 and earlier allows authenticated users to access sensitive information they should not be authorized to view. An authenticated attacker with user-level privileges can bypass authorization checks to read property listing data or other restricted content due to missing authorization validation on API endpoints or functionality. EPSS exploitation probability is very low at 0.04%, and no public exploit code has been identified, indicating limited real-world threat despite the authentication-bypass tag.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-54045 MEDIUM This Month

Authenticated users with limited privileges can access search and replace functionality in CM On Demand Search And Replace WordPress plugin (versions up to 1.5.5) due to missing authorization checks on restricted features. An attacker with basic user credentials can perform privileged actions intended only for administrators, affecting data confidentiality through unauthorized content access. This is confirmed as an authentication bypass vulnerability with low real-world exploitation probability (EPSS 0.04%) despite the missing authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-64239 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery.This issue affects RTL Tester: from n/a through <= 1.2.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy