Skip to main content
CVE-2025-62095 MEDIUM This Month

Stored cross-site scripting (XSS) vulnerability in Bootstrap Modals WordPress plugin versions up to 1.3.2 allows authenticated attackers to inject and execute arbitrary JavaScript code that persists in the database and executes for all site visitors. The vulnerability stems from improper input neutralization during web page generation, enabling attackers with plugin-relevant permissions to compromise user sessions and steal sensitive data from administrators and site visitors.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63032 MEDIUM This Month

Stored cross-site scripting in thinkupthemes Consulting WordPress theme versions through 1.5.0 enables authenticated users or malicious admins to inject persistent JavaScript payloads that execute in the browsers of other site visitors or administrators. The vulnerability allows arbitrary script execution within the context of the affected WordPress installation, potentially leading to account compromise, malware distribution, or session hijacking. No public exploit code or active exploitation has been confirmed at time of analysis.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62991 MEDIUM This Month

Stored cross-site scripting (XSS) in thinkupthemes Minamaze WordPress theme versions up to 1.10.1 allows authenticated users to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability has an EPSS score of 0.01% (3rd percentile), indicating minimal likelihood of exploitation in practice, though it represents a privilege-escalation pathway for authenticated attackers with contributor-level access or higher.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62757 MEDIUM This Month

DOM-based cross-site scripting (XSS) in WebMan Amplifier WordPress plugin through version 1.5.12 allows attackers to inject malicious scripts that execute in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling stored or reflected XSS attacks depending on the specific injection vector. With an EPSS score of 0.01% (3rd percentile) and no evidence of active exploitation, this represents a low real-world risk despite the XSS classification, though remediation is still recommended for all affected installations.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62756 MEDIUM This Month

DOM-based cross-site scripting (XSS) in The Moneytizer WordPress plugin up to version 10.0.9 allows attackers to inject malicious scripts into web pages through improper input neutralization. The vulnerability affects WordPress sites running the vulnerable plugin versions and could enable session hijacking, credential theft, or malware distribution targeting site administrators and visitors. No public exploit code or active exploitation has been confirmed at this time, though the EPSS score of 0.01% suggests minimal real-world exploitation probability.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62752 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Kalender.digital WordPress plugin through version 1.0.13 allows unauthenticated attackers to inject malicious scripts via improper input neutralization during web page generation. The vulnerability affects all versions up to and including 1.0.13, with an EPSS score of 0.01% indicating very low exploitation likelihood in practice despite the high-severity CWE-79 classification.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62749 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Bainternet User Specific Content WordPress plugin versions 1.0.6 and earlier allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper input neutralization during web page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While no public exploit code or active exploitation has been confirmed, the extremely low EPSS score (0.01%) and lack of CVSS vector data suggest limited real-world exploitability or specificity to attack scenarios, despite the XSS classification.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62748 MEDIUM This Month

DOM-based cross-site scripting (XSS) in Genetech Products Web and WooCommerce Addons for WPBakery Builder (vc-addons-by-bit14) plugin versions up to 1.5 allows unauthenticated attackers to inject malicious scripts that execute in the context of affected user sessions. The vulnerability stems from improper neutralization of user-supplied input during web page generation. EPSS scoring (0.01%, percentile 3%) indicates very low real-world exploitation probability despite the nature of the flaw, and no public exploit code or active exploitation has been confirmed.

WordPress XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62135 MEDIUM This Month

DOM-based cross-site scripting (XSS) vulnerability in the Responsive Block Control WordPress plugin through version 1.3.0 allows attackers to inject malicious scripts that execute in users' browsers. Exploitation requires user interaction with a malicious link or form, but once triggered, the vulnerability enables session hijacking, credential theft, or defacement. The vulnerability has an exceptionally low EPSS score (0.01th percentile) suggesting minimal real-world exploitation likelihood despite public disclosure.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-49358 MEDIUM This Month

DOM-based cross-site scripting (XSS) vulnerability in Ruhul Amin Content Fetcher WordPress plugin versions 1.1 and earlier allows authenticated attackers to inject arbitrary JavaScript code into web pages, potentially compromising site integrity and user sessions. The vulnerability resides in improper input neutralization during web page generation, enabling malicious scripts to execute in the context of affected websites. EPSS exploitation probability is extremely low at 0.01% (3rd percentile), indicating minimal real-world attack likelihood despite the XSS vector.

XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-62992 MEDIUM This Month

Cross-Site Request Forgery (CSRF) in Everest Backup WordPress plugin versions ≤2.3.11 enables unauthenticated attackers to manipulate backup file paths via path traversal, potentially exposing sensitive files or altering backup integrity. The vulnerability requires user interaction (CVSS UI:R) and carries no authentication requirement (PR:N), allowing remote exploitation through social engineering. EPSS probability of 0.01% (1st percentile) indicates minimal observed exploitation activity in the wild, and no public exploit identified at time of analysis. Despite CVSS 8.1 severity reflecting high confidentiality and integrity impact, real-world risk remains moderate given the user-interaction dependency and absence of active exploitation indicators.

CSRF Path Traversal
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15391 LOW POC Monitor

Command injection in the SSDP Request Handler (ssdpcgi_main function) of D-Link DIR-806A firmware 100CNb11 allows remote authenticated attackers to execute arbitrary commands with low integrity and availability impact. Publicly available exploit code exists, but the vulnerability affects only end-of-life firmware with minimal real-world exploitation probability (EPSS 0.11%) due to low privilege requirements and limited scope of impact.

Command Injection D-Link Dir 806A Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15393 LOW POC Monitor

A security vulnerability has been detected in Kohana KodiCMS up to 13.82.135. This impacts the function Save of the file cms/modules/kodicms/classes/kodicms/model/file.php of the component Layout API Endpoint. The manipulation of the argument content leads to code injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

PHP Information Disclosure Kodicms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15375 LOW POC Monitor

A flaw has been found in EyouCMS up to 1.7.7. The impacted element is the function unserialize of the file application/api/controller/Ajax.php of the component arcpagelist Handler. Executing a manipulation of the argument attstr can lead to deserialization. The attack can be launched remotely. The exploit has been published and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PHP Deserialization Eyoucms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-15373 LOW POC Monitor

Server-side request forgery (SSRF) in EyouCMS versions up to 1.7.7 allows authenticated remote attackers to manipulate the saveRemote function in application/function.php, enabling arbitrary HTTP requests from the server. The vulnerability carries low confidentiality, integrity, and availability impact but is publicly exploitable with proof-of-concept code available. Vendor has acknowledged the flaw and committed to releasing patched version 1.7.8.

PHP SSRF Eyoucms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15390 LOW POC Monitor

Missing authorization in PHPGurukul Small CRM 4.0's /admin/edit-user.php endpoint allows authenticated users to perform unauthorized administrative actions via remote network access. The vulnerability enables privilege escalation or lateral movement by bypassing access controls on user management functions. While publicly available exploit code exists and CVSS indicates network accessibility, the low EPSS score (0.02%, 4th percentile) and requirement for prior authentication suggest limited real-world exploitation despite proof-of-concept availability.

PHP Authentication Bypass Small Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15223 LOW POC Monitor

A vulnerability was found in Philipinho Simple-PHP-Blog up to 94b5d3e57308bce5dfbc44c3edafa9811893d958. Impacted is an unknown function of the file /login.php. Performing manipulation of the argument Username results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure and makes clear that the product is "[f]or educational purposes only".

PHP XSS Simple Php Blog
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-15394 LOW POC Monitor

Code injection in iCMS up to version 8.0.0 allows remote attackers with high privileges to inject arbitrary code via the config POST parameter in the ConfigAdmincp.php component. The vulnerability affects the Save function's parameter handling and has publicly available exploit code, though the extremely low CVSS score (2.0) reflects the requirement for high-privileged authenticated access, limiting real-world risk despite public exploit availability.

PHP Code Injection Icms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2025-15374 LOW POC Monitor

A vulnerability was detected in EyouCMS up to 1.7.7. The affected element is an unknown function of the file application/home/model/Ask.php of the component Ask Module. Performing a manipulation of the argument content results in cross site scripting. The attack can be initiated remotely. The exploit is now public and may be used. The vendor is "[a]cknowledging the existence of the vulnerability, we have completed the fix and will release a new version, v1.7.8".

PHP XSS Eyoucms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15372 LOW POC Monitor

A weakness has been identified in youlaitech vue3-element-admin up to 3.4.0. This issue affects some unknown processing of the file src/views/system/notice/index.vue of the component Notice Handler. This manipulation causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

XSS Vue3 Element Admin
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-62989 MEDIUM This Month

Stored cross-site scripting (XSS) in Gora Tech Cooked WordPress plugin versions up to 1.11.3 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers. The vulnerability persists in the plugin's database and is triggered when affected content is viewed, enabling account compromise, session hijacking, or malware distribution to site visitors. This is a low-probability exploitation risk (EPSS 0.04%) but represents a meaningful concern for multi-user WordPress installations where contributor or editor-level accounts are delegated.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-59135 MEDIUM This Month

Stored cross-site scripting (XSS) in the eleopard Behance Portfolio Manager WordPress plugin versions 1.7.5 and earlier allows authenticated users to inject malicious scripts that execute in the browsers of other users visiting affected pages. The vulnerability stems from improper input sanitization during portfolio content generation, enabling attackers with contributor-level access or higher to compromise site visitors. No public exploit code or active exploitation has been reported, though the vulnerability carries a low EPSS score (0.04%, percentile 13%) suggesting limited real-world exploitation likelihood at time of analysis.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49355 MEDIUM This Month

Stored XSS vulnerability in ikaes Accessibility Press plugin (ilogic-accessibility) versions through 1.0.2 allows authenticated attackers to inject arbitrary JavaScript that executes in the browsers of other site visitors, potentially compromising user sessions, stealing credentials, or defacing content. The vulnerability stems from improper input sanitization during web page generation and carries a low exploitation probability (EPSS 0.04th percentile) with no confirmed active exploitation.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-49337 MEDIUM This Month

Stored cross-site scripting (XSS) in Dashboard Beacon WordPress plugin versions up to 1.2.0 allows authenticated attackers to inject malicious scripts that execute in the browsers of other users, including administrators. The vulnerability stems from improper input neutralization during web page generation, enabling persistent payload storage and execution across user sessions. No public exploit code or active exploitation has been confirmed.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62750 MEDIUM This Month

DOM-based cross-site scripting (XSS) in WooCommerce Parcelas WordPress plugin versions up to 1.3.5 allows attackers to inject malicious scripts into web pages viewed by users. The vulnerability stems from improper neutralization of user input during page generation, enabling attackers to execute arbitrary JavaScript in victims' browsers without authentication. While EPSS scoring indicates low exploitation probability (0.01%), the DOM-based nature and lack of authentication barriers make this a persistent client-side threat in environments where the vulnerable plugin remains deployed.

WordPress XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62149 MEDIUM This Month

Stored cross-site scripting (XSS) vulnerability in SaifuMak Add Custom Codes WordPress plugin versions 4.80 and earlier allows authenticated attackers to inject malicious JavaScript that persists in the database and executes in the browsers of site administrators and other users. The vulnerability stems from improper input sanitization when storing custom code, enabling attackers with plugin access to compromise site integrity and steal administrative credentials or sessions.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62142 MEDIUM This Month

Stored cross-site scripting (XSS) in nicashmu Post Video Players WordPress plugin through version 1.163 allows authenticated attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability exists in the video-playlist-and-gallery-plugin and affects all versions up to and including 1.163; no public exploit code has been identified, but the low EPSS score (0.01%) suggests limited real-world exploitation likelihood despite the vulnerability's persistent nature.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62140 MEDIUM This Month

Stored cross-site scripting (XSS) in plainware Locatoraid Store Locator WordPress plugin versions up to 3.9.68 allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability affects the plugin's input handling during web page generation, enabling persistent XSS attacks. With an EPSS score of 0.01% and no active exploitation confirmed, this represents a low-probability but persistent risk requiring plugin updates.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62124 MEDIUM This Month

Stored cross-site scripting (XSS) in Soli WP Post Signature plugin through version 0.4.1 allows authenticated users to inject malicious scripts into post signatures, which execute in the browsers of administrators and other site visitors viewing affected posts. The vulnerability requires user interaction or administrative access to inject the payload but poses a risk to site integrity and user data. EPSS exploitation probability is minimal at 0.01%, suggesting low real-world attack likelihood despite the vulnerability class.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62121 MEDIUM This Month

Stored cross-site scripting (XSS) in Imran Emu Logo Slider WordPress plugin versions 1.8.1 and earlier allows attackers to inject malicious scripts that persist in the database and execute in the browsers of site visitors. The vulnerability affects the Logo Slider, Logo Carousel, Logo Showcase, and Client Logo plugin variants. An attacker with sufficient privileges to inject content (such as a contributor or compromised admin account) can embed arbitrary JavaScript to steal session tokens, deface pages, or redirect users to malicious sites. EPSS score of 0.01% indicates low exploitation probability in the wild, though the stored nature of the XSS elevates the persistence risk once injected.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62119 MEDIUM This Month

DOM-based cross-site scripting in the ViitorCloud Technologies Add Featured Image Custom Link WordPress plugin (versions up to 2.0.0) allows unauthenticated attackers to inject arbitrary JavaScript into web pages through improper input sanitization. The vulnerability affects the custom URL handling mechanism for featured images, enabling malicious actors to steal session cookies, perform account takeover, or redirect users to phishing sites. EPSS score of 0.01% indicates minimal real-world exploitation probability despite the XSS classification.

XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-59003 MEDIUM This Month

ColorWay WordPress theme through version 4.2.3 embeds sensitive information in sent data, allowing unauthenticated attackers to retrieve embedded data without authentication. The vulnerability has an exceptionally low exploitation probability (EPSS 0.03%, 9th percentile) despite being information disclosure in nature, suggesting the sensitive data exposure requires specific conditions or limited practical impact. No active exploitation or public exploit code is documented at time of analysis.

Information Disclosure
NVD
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-66148 MEDIUM This Month

Missing authorization controls in Conformer for Elementor WordPress plugin version 1.0.7 and earlier allow attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. The vulnerability stems from broken access control (CWE-862) without explicit authentication requirements, affecting all users of the plugin through version 1.0.7. While EPSS score is minimal at 0.05%, the nature of access control bypasses warrants assessment in WordPress environments where the plugin is deployed.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66146 MEDIUM This Month

Missing authorization in merkulove Logger for Elementor plugin through version 1.0.9 allows attackers to bypass access controls and exploit incorrectly configured security levels. Unauthenticated or low-privileged users can access protected functionality due to absent or insufficient authorization checks. The vulnerability has low exploitation probability (EPSS 0.05%) and no confirmed public exploit code or active exploitation reported.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66145 MEDIUM This Month

Missing authorization in Worker for WPBakery plugin versions through 1.1.1 allows attackers to exploit incorrectly configured access control, enabling unauthorized actions through broken access control mechanisms. The vulnerability affects WordPress installations running this plugin and could allow unauthenticated or low-privileged users to bypass security restrictions, though the specific attack surface and impact are limited by low EPSS probability (0.05%) and minimal public awareness.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66144 MEDIUM This Month

Missing authorization controls in the merkulove Worker for Elementor WordPress plugin (versions through 1.0.10) allow unauthenticated or low-privileged users to exploit incorrectly configured access control mechanisms. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to perform unauthorized actions without proper privilege verification, potentially affecting sites running vulnerable plugin versions.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66153 MEDIUM This Month

Missing authorization controls in Headinger for Elementor plugin (versions up to 1.1.4) permit unauthenticated or insufficiently privileged attackers to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from incorrectly configured security levels that fail to validate user permissions before granting access to sensitive functionality, enabling attackers to exploit the plugin's features beyond their intended authorization scope.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66152 MEDIUM This Month

Criptopayer for Elementor WordPress plugin through version 1.0.1 contains a missing authorization vulnerability allowing unauthenticated attackers to exploit incorrectly configured access control security levels and bypass authentication mechanisms. The vulnerability stems from insufficient validation of user permissions, enabling unauthorized access to sensitive plugin functionality. With an EPSS score of 0.05% (17th percentile), real-world exploitation probability is currently low, and no active exploitation or public proof-of-concept code has been reported.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66151 MEDIUM This Month

Missing authorization in merkulove Countdowner for Elementor plugin (versions up to 1.0.4) allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially enabling unauthorized access to plugin functionality. With an EPSS score of 0.05% (17th percentile), this vulnerability represents low real-world exploitation probability despite the authorization bypass classification.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66150 MEDIUM This Month

Missing authorization in the merkulove Appender WordPress plugin versions through 1.1.1 allows authenticated attackers to bypass access control checks and exploit incorrectly configured security levels, potentially gaining unauthorized access to restricted functionality or data. EPSS probability is minimal at 0.05%, and no public exploit code or active exploitation has been reported.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-66149 MEDIUM This Month

Missing authorization in merkulove UnGrabber WordPress plugin version 3.1.3 and earlier allows unauthenticated attackers to exploit incorrectly configured access control to bypass security restrictions. The vulnerability stems from CWE-862 (Missing Authorization) and has been identified in the plugin's access control implementation, potentially enabling attackers to perform unauthorized actions without proper privilege verification.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62888 MEDIUM This Month

Missing authorization in Marco Milesi WP Attachments WordPress plugin through version 5.2 allows unauthenticated or low-privileged attackers to bypass access control restrictions and exploit incorrectly configured security levels to access protected attachments. The vulnerability stems from broken access control validation (CWE-862) and carries a low exploitation probability (EPSS 0.05%, 17th percentile), with no confirmed public exploit code or active exploitation documented at analysis time.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62108 MEDIUM This Month

Missing authorization in SaifuMak Add Custom Codes WordPress plugin through version 4.80 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms (CWE-862) that fail to properly validate user permissions before granting access to sensitive functionality. Despite a low EPSS score (0.05%, percentile 17%), the authentication bypass tag indicates potential for account takeover or privilege escalation.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62098 MEDIUM This Month

Missing authorization controls in totalsoft Portfolio Gallery WordPress plugin versions through 1.4.8 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive gallery content and administrative functionality to unauthorized access. The vulnerability stems from broken access control mechanisms rather than authentication bypass, meaning authenticated users may also access resources beyond their privilege level. With an EPSS score of 0.05% (17th percentile) and no CVSS severity data, real-world exploitation appears limited despite the theoretical exposure.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62091 MEDIUM This Month

Broken access control in Vollstart Serial Codes Generator and Validator with WooCommerce Support plugin through version 2.8.2 allows unauthenticated attackers to exploit misconfigured security levels and bypass authorization checks to access or manipulate serial code functionality. The vulnerability stems from missing authorization validation on security-sensitive operations, enabling attackers to perform actions without proper privilege verification. No public exploit code or active exploitation has been identified at time of analysis, though the low EPSS score (0.05%) suggests limited real-world exploitation probability despite the access control weakness.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-62144 MEDIUM This Month

Missing authorization checks in Mohammed Kaludi Core Web Vitals & PageSpeed Booster WordPress plugin through version 1.0.28 allows unauthenticated attackers to exploit incorrectly configured access control to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862), enabling attackers to bypass security restrictions and access sensitive functionality without proper authentication or privilege verification.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62134 MEDIUM This Month

Cross-Site Request Forgery vulnerability in A WP Life Contact Form Widget plugin version 1.5.1 and earlier allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and public exploit code, but is assigned low exploitation probability (EPSS 0.02%) and categorized under CWE-352 (CSRF). No active exploitation has been reported.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62120 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in OpenHook WordPress plugin version 4.3.1 and earlier allows attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious web pages. The vulnerability affects the popular thesis-openhook plugin and could enable unauthorized configuration changes or administrative actions without explicit user consent. With an EPSS score of 0.02% (5th percentile) and no CVSS severity assigned, this represents a low probability of exploitation in practice, though CSRF vulnerabilities remain a concern in WordPress ecosystem plugins.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62117 MEDIUM This Month

Cross-site request forgery (CSRF) in Jayce53 EasyIndex WordPress plugin versions up to 1.1.1704 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by inducing them to visit malicious web pages. The vulnerability affects all versions from the earliest tracked through 1.1.1704. No public exploit code or confirmed active exploitation has been identified; EPSS probability is minimal at 0.02% (5th percentile), suggesting low real-world exploitation likelihood despite the CSRF vector.

CSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66159 MEDIUM This Month

Missing authorization in Walker for Elementor plugin (versions through 1.1.6) allows unauthenticated attackers to exploit improperly configured access controls to bypass intended security restrictions and access unauthorized functionality. The vulnerability stems from inadequate permission validation in the plugin's WordPress implementation, enabling attackers to interact with protected features without proper authentication or role-based authorization checks.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
Prev Page 2 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy