Skip to main content
CVE-2025-66158 MEDIUM This Month

Gmaper for Elementor plugin versions up to 1.0.9 contains a missing authorization vulnerability (CWE-862) that allows attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication mechanisms to access restricted functionality. The vulnerability carries a 0.02% EPSS score (percentile 4%), indicating minimal real-world exploitation risk at present, with no public exploit code or active exploitation currently identified.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66157 MEDIUM This Month

Missing authorization in merkulove Sliper for Elementor plugin versions up to 1.0.10 allows attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient access control validation (CWE-862), enabling unauthenticated or low-privileged users to perform actions they should not be authorized to execute. With an EPSS score of 0.02% (4th percentile) indicating very low real-world exploitation likelihood, this issue represents a lower-priority authorization flaw compared to actively exploited vulnerabilities.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66156 MEDIUM This Month

Missing authorization in merkulove Watcher for Elementor plugin (versions up to 1.0.9) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive functionality or data. The vulnerability carries an EPSS score of 0.02% (percentile 4%), indicating very low observed exploitation probability, with no public exploit code or active exploitation confirmed at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66155 MEDIUM This Month

Missing authorization controls in merkulove Questionar for Elementor plugin versions up to 1.1.7 allow attackers to exploit improperly configured access control mechanisms, potentially enabling unauthorized access to questionnaire data or administrative functions. The vulnerability stems from inadequate privilege validation and affects all users of the vulnerable plugin versions. With an EPSS score of 0.02% and no CVSS severity assigned, real-world exploitation likelihood is currently minimal, though the authentication bypass nature of the flaw warrants patching.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66154 MEDIUM This Month

Missing authorization in Merkulove Couponer for Elementor plugin versions up to 1.1.7 allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized access to sensitive coupon management functionality. The vulnerability carries low real-world exploitation probability (EPSS 0.02%) despite being classified as an authentication bypass, suggesting limited practical attack surface or requirement for specific configuration conditions.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-66160 MEDIUM This Month

Missing authorization in Select Graphist for Elementor WordPress plugin versions up to 1.2.10 allows unauthenticated attackers to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control mechanisms that fail to properly validate user permissions before granting access to sensitive functionality. With an EPSS score of 0.01% and no confirmed active exploitation, this represents a low-probability attack despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62088 MEDIUM This Month

Server-Side Request Forgery (SSRF) in the WordPress & WooCommerce Scraper Plugin (wp_scraper) versions up to 1.0.7 allows unauthenticated attackers to make arbitrary HTTP requests from the affected WordPress server. The vulnerability exists in the plugin's core scraping functionality, which fails to properly validate or restrict the target URLs that can be requested. An attacker can exploit this to scan internal networks, access internal services, exfiltrate data from backend systems, or perform reconnaissance against the hosting infrastructure. No public exploit code has been identified at time of analysis, and EPSS risk is minimal at 0.01%, but the vulnerability affects all installations of the vulnerable plugin versions.

WordPress SSRF
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-62122 MEDIUM This Month

Missing authorization in the Trash Duplicate and 301 Redirect WordPress plugin through version 1.9.1 allows unauthenticated attackers to exploit incorrectly configured access control security levels, potentially bypassing authentication checks to access or modify restricted functionality. The vulnerability stems from improper enforcement of WordPress capability checks (CWE-862), and while no public exploit code has been identified, the low EPSS score (0.06%) suggests limited real-world exploitation likelihood despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62755 MEDIUM This Month

Missing authorization controls in GS Portfolio for Envato WordPress plugin versions up to 1.4.2 allow unauthenticated attackers to bypass access restrictions and exploit incorrectly configured security levels to access protected functionality or data. The vulnerability stems from inadequate access control validation, enabling attackers to manipulate requests to resources that should be restricted. No public exploit code has been identified, and the low EPSS score of 0.04% suggests limited real-world exploitation likelihood, though the missing CVSS vector prevents definitive severity assessment.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62747 MEDIUM This Month

Missing authorization checks in Aum Watcharapon Featured Image Generator WordPress plugin versions up to 1.3.4 allow unauthenticated or low-privileged attackers to bypass access controls and exploit incorrectly configured security levels, potentially enabling unauthorized access to sensitive plugin functionality. The EPSS score of 0.04% indicates low exploitation probability in practice despite the authorization flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62129 MEDIUM This Month

Missing authorization controls in RestroPress WordPress plugin versions through 3.2.7 allow unauthenticated attackers to bypass access restrictions and access functionality intended to be restricted by security-configured access levels. The vulnerability stems from improper validation of user permissions, enabling attackers to exploit incorrectly configured access control mechanisms. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests minimal real-world exploitation likelihood despite the authorization bypass nature.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62116 MEDIUM This Month

Missing authorization checks in quadlayers AI Copilot WordPress plugin versions up to 1.5.2 allow unauthenticated or inadequately privileged users to bypass access control restrictions and perform unauthorized actions. The vulnerability stems from improperly configured security levels that fail to enforce proper permission validation, enabling attackers to exploit the authentication bypass to access or manipulate protected functionality without proper credentials.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62092 MEDIUM This Month

Missing authorization controls in the Wiremo woo-reviews-by-wiremo WordPress plugin through version 1.4.99 allow attackers to bypass access restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized data access or modification of review functionality. The vulnerability stems from broken access control (CWE-862) and carries an EPSS score of 0.04% (13th percentile), indicating low real-world exploitation probability despite the authentication bypass tag.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62079 MEDIUM This Month

WP Export Categories & Taxonomies WordPress plugin through version 1.0.3 fails to enforce authorization checks on sensitive functionality, allowing unauthenticated or low-privileged users to exploit misconfigured access controls. The vulnerability stems from improper implementation of WordPress capabilities checks, potentially enabling unauthorized users to export or manipulate site taxonomy data. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49338 MEDIUM This Month

Flowbox WordPress plugin through version 1.1.6 fails to enforce proper access control, allowing attackers to exploit misconfigured security levels and bypass authorization checks. The vulnerability enables unauthorized access to functionality that should require elevated permissions, affecting all installations of the vulnerable plugin versions without authentication requirements.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49334 MEDIUM This Month

Authorization bypass in MyD Delivery WordPress plugin through version 1.7.1 allows unauthenticated attackers to manipulate user-controlled keys to access resources without proper permission validation, exploiting misconfigured access control security levels. The vulnerability carries low exploitation probability (EPSS 0.04%) but represents a fundamental authorization flaw affecting the plugin's core access control mechanism.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63053 MEDIUM This Month

Authorization bypass in Master Addons for Elementor through version 2.0.9.9.4 allows attackers to exploit incorrectly configured access control via user-controlled keys, enabling unauthorized access to protected functionality without proper privilege validation. The vulnerability affects WordPress installations using the vulnerable plugin versions and carries low exploitation probability (EPSS 0.04%) with no confirmed active exploitation or public exploit code available.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63031 MEDIUM This Month

Missing authorization controls in WP Grids EasyTest plugin versions up to 1.0.1 allow unauthenticated attackers to bypass access restrictions and perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability enables exploitation of broken access control without authentication, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63022 MEDIUM This Month

Simple Like Page WordPress plugin versions 1.5.3 and earlier allows unauthenticated attackers to bypass access controls and perform unauthorized actions through incorrectly configured authentication checks, enabling exploitation of missing authorization enforcement in plugin functionality. The vulnerability affects the widely-deployed Simple Like Page plugin and has low estimated exploitation probability (EPSS 0.04%) but represents a classic access control weakness that could permit unauthorized modification of plugin data or settings.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63016 MEDIUM This Month

Missing authorization in QuadLayers TikTok Feed WordPress plugin versions through 4.6.5 allows unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from improper validation of user permissions, enabling unauthorized access to protected functionality or data. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass classification suggests potential for privilege escalation or unauthorized administrative actions if discovered by an attacker.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63001 MEDIUM This Month

Missing authorization controls in nicdark Hotel Booking WordPress plugin versions 3.8 and earlier allow unauthenticated attackers to bypass access restrictions through incorrectly configured security levels, potentially exposing sensitive booking and administrative functionality. The vulnerability has low exploitation probability (EPSS 0.04%) and no public exploit code has been identified, making it a lower-priority issue despite the high-impact CWE classification.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62147 MEDIUM This Month

Missing authorization controls in nikmelnik Realbig media WordPress plugin versions up to 1.1.3 allow unauthenticated attackers to bypass access control restrictions and exploit misconfigured security levels, potentially exposing restricted content or functionality. The vulnerability is classified as a broken access control issue (CWE-862) with low exploitation probability (EPSS 0.04%) and no public exploit code identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62145 MEDIUM This Month

Missing authorization controls in NewClarity DMCA Protection Badge WordPress plugin versions up to 2.2.0 allow unauthenticated attackers to exploit incorrectly configured access control security levels, potentially exposing sensitive functionality or data protected by the badge mechanism. The vulnerability stems from insufficient permission validation (CWE-862) and presents an authentication bypass risk, though real-world exploitation likelihood is low based on EPSS scoring (0.04%, 13th percentile).

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62141 MEDIUM This Month

Missing authorization in Wawp automation-web-platform through version 4.4 allows unauthenticated or low-privileged attackers to exploit incorrectly configured access control security levels, potentially bypassing intended access restrictions. The vulnerability is tracked as CWE-862 (Missing Authorization) and has an EPSS score of 0.04% (13th percentile), indicating very low real-world exploitation probability despite the access control nature of the flaw.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62081 MEDIUM This Month

Missing authorization in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin (versions up to 2.2.0) allows unauthenticated or low-privilege users to exploit incorrectly configured access controls to perform unauthorized actions. The vulnerability stems from broken access control (CWE-862) where endpoint-level authorization checks are insufficient or absent, potentially allowing attackers to bypass intended security restrictions on sensitive functionality. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-49349 MEDIUM This Month

Reuters Direct WordPress plugin through version 3.0.0 contains a missing authorization vulnerability allowing attackers to bypass access control restrictions and access protected functionality without proper authentication. The vulnerability stems from incorrectly configured access control security levels in the plugin, potentially enabling unauthenticated users to interact with sensitive features intended for authorized administrators or subscribers. With an EPSS score of 0.04% and low real-world exploitation signals, this issue presents minimal immediate risk but should be addressed through plugin updates.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62138 MEDIUM This Month

Missing authorization controls in cedcommerce WP Advanced PDF plugin versions up to 1.1.7 allow attackers to bypass access restrictions and exploit incorrectly configured security levels. The vulnerability enables unauthenticated access to functionalities that should require proper authorization checks, potentially exposing sensitive PDF generation or management features to unauthorized users. No CVSS vector or active exploitation data is available, but the low EPSS score (0.04%) suggests minimal real-world attack activity.

Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62114 MEDIUM This Month

Download Media Library WordPress plugin through version 0.2.1 exposes sensitive system information to unauthorized users via embedded data retrieval. The vulnerability allows unauthenticated attackers to access restricted system details without proper access controls, though real-world exploitation probability remains low (EPSS 0.04%). No public exploit code or active exploitation has been confirmed.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62139 MEDIUM This Month

The Terms descriptions WordPress plugin versions 3.4.10 and earlier expose sensitive data through embedded information in sent data, allowing unauthenticated attackers to retrieve embedded sensitive information. This information disclosure vulnerability (CWE-201) affects all installations of the plugin up to version 3.4.10. No public exploit code has been identified, and the EPSS score of 0.04% indicates minimal real-world exploitation probability, though the vulnerability remains a concern for sites storing sensitive term metadata.

Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-34467 MEDIUM This Month

Resource lock poisoning in ZwiiCMS prior to 13.7.00 allows authenticated low-privilege users to deny administrators access to administrative functionality by exploiting a race between lock acquisition and authorization. The application incorrectly acquires and binds a temporary resource lock to the requesting session before completing the authorization check - meaning even a request that ultimately returns 404 holds the lock until the attacker's session is cleared. No public exploit has been identified and the vulnerability is not listed in CISA KEV; real-world risk is bounded by the requirement for a pre-existing authenticated session.

Information Disclosure Zwiicms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-59138 MEDIUM This Month

Server-Side Request Forgery (SSRF) in Jthemes Genemy WordPress theme versions up to 1.6.6 allows unauthenticated remote attackers to make arbitrary HTTP requests from the affected server, potentially accessing internal resources, cloud metadata endpoints, or services restricted to localhost. No CVSS score is assigned in official databases; EPSS probability is extremely low at 0.01%, and no public exploit code or active exploitation has been identified. The vulnerability was reported by Patchstack's security audit team.

SSRF
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-62132 MEDIUM This Month

Missing authorization controls in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from insufficient validation of user permissions before executing sensitive operations, enabling unauthorized access to protected functionality. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-62751 MEDIUM This Month

Missing authorization in the Vireo WordPress theme (versions up to 1.0.24) enables authenticated attackers with low privileges to bypass access controls and execute high-impact operations including data exfiltration, integrity compromise, and availability disruption. The vulnerability affects a specific WordPress theme product from extendthemes with CVSS 8.8 severity. While EPSS probability is low (0.04%, 13th percentile), the low attack complexity and network attack vector warrant attention for sites using this theme. No public exploit identified at time of analysis, and not listed in CISA KEV.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62143 MEDIUM This Month

Post Video Players WordPress plugin through version 1.163 exposes sensitive embedded data to unauthorized users via improper information disclosure mechanisms. The vulnerability allows attackers to retrieve sensitive system information that should be restricted from public access, affecting the plugin's core video playlist and gallery functionality. With an extremely low EPSS score of 0.04%, active exploitation appears minimal despite the information disclosure risk.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63004 MEDIUM This Month

Missing authorization controls in All in One Accessibility WordPress plugin versions 1.15 and earlier allow unauthenticated attackers to bypass access control restrictions and exploit incorrectly configured security levels. The vulnerability stems from CWE-862 (Missing Authorization) and enables attackers to access or modify functionality that should be restricted, though exploitation probability is low (EPSS 0.04%). No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62154 MEDIUM This Month

Missing authorization in the AI Content Writing Assistant WordPress plugin (versions up to 1.1.7) allows unauthenticated or low-privileged users to access restricted functionality through incorrectly configured access controls. The vulnerability exploits broken access control logic (CWE-862) that fails to properly validate user permissions before granting access to sensitive operations. While EPSS scoring indicates low exploitation probability (0.04th percentile), the authentication bypass nature of the flaw creates a direct pathway for unauthorized feature access.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62150 MEDIUM This Month

Missing authorization controls in themesawesome History Timeline WordPress plugin versions through 1.0.6 permit exploitation of incorrectly configured access control, allowing unauthenticated or low-privileged users to bypass security restrictions and access protected functionality. The vulnerability stems from improper enforcement of access control checks (CWE-862), classified as a broken access control flaw. No public exploit code or active exploitation has been confirmed, though the low EPSS score (0.04%) suggests limited practical exploitation likelihood in real-world deployments.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62131 MEDIUM This Month

Broken access control in Strategy11 Team Tasty Recipes Lite WordPress plugin through version 1.1.5 allows unauthenticated attackers to exploit incorrectly configured security levels to access or modify protected functionality. The vulnerability stems from missing authorization checks that fail to properly validate user permissions before exposing sensitive operations. EPSS exploitation probability is low at 0.04%, and no public exploit code or confirmed active exploitation has been identified.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62130 MEDIUM This Month

Missing authorization controls in WordPress Accordion Slider Gallery plugin version 2.7 and earlier allow unauthenticated or low-privileged users to bypass access restrictions and exploit misconfigured security levels. The vulnerability stems from improper access control validation (CWE-862) that fails to enforce authentication checks on sensitive plugin functions, potentially enabling unauthorized users to access restricted functionality or administrative features.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62087 MEDIUM This Month

Missing authorization in Sticky Notes for WP Dashboard plugin (versions up to 1.2.4) allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper enforcement of authorization checks (CWE-862), potentially enabling unauthorized users to access or manipulate sticky notes functionality. With an EPSS score of 0.04% (11th percentile), this represents a low real-world exploitation probability despite the authorization flaw, suggesting either limited attack surface or constrained practical utility.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49356 MEDIUM This Month

Orders Chat for WooCommerce plugin versions up to 1.2.0 fail to properly enforce access controls on chat functionality, allowing attackers to bypass authentication checks and access or manipulate order chat data through incorrectly configured security levels. This broken access control vulnerability (CWE-862) affects WordPress installations using the vulnerable plugin, with no public exploit code identified but confirmed exploitability of authorization bypass mechanics. EPSS probability is low at 0.04%, suggesting limited real-world exploitation likelihood despite the authorization flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63040 MEDIUM This Month

Cross-site request forgery (CSRF) in the Post Snippets WordPress plugin through version 4.0.11 allows unauthenticated attackers to perform unauthorized administrative actions on vulnerable sites by tricking authenticated administrators into visiting malicious web pages. The vulnerability affects all versions up to and including 4.0.11, though no CVSS vector or EPSS exploitation probability above baseline has been assigned, suggesting limited real-world exploit infrastructure exists at this time.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63014 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Gmedia Photo Gallery WordPress plugin through version 1.25.0 allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. An unauthenticated remote attacker can craft malicious web pages or emails that, when visited by a logged-in admin or user, execute unwanted operations such as modifying gallery settings, uploading images, or changing plugin configuration. The vulnerability has an extremely low exploitation probability (EPSS 0.02%, 5th percentile) but represents a class of attacks that can bypass user intent entirely when user awareness is low.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62148 MEDIUM This Month

Cross-site request forgery (CSRF) in the Robots.txt Rewrite WordPress plugin (versions up to 1.6.1) allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. The vulnerability affects the plugin's administrative functions and carries a low exploitation probability (EPSS 0.02%), with no public exploit code or active exploitation reported at time of analysis.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62133 MEDIUM This Month

FormFacade WordPress plugin version 1.4.1 and earlier contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users without their knowledge or consent. The vulnerability requires user interaction (clicking a malicious link) but can lead to modification of plugin settings or data depending on affected functionality. EPSS exploitation probability is low at 0.02%, and no public exploit code or active exploitation has been identified.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62089 MEDIUM This Month

Cross-site request forgery (CSRF) in MERGADO Mergado Pack WordPress plugin through version 4.2.1 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated administrators, such as modifying plugin settings or triggering unintended functionality, by tricking them into visiting a malicious webpage. No public exploit code or active exploitation has been reported; EPSS score of 0.02% reflects very low real-world exploitation likelihood.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62084 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in iNext Woo Pincode Checker WordPress plugin versions up to 2.3.1 allows unauthenticated attackers to perform unauthorized actions on behalf of site administrators or users. The plugin fails to implement proper nonce validation on sensitive operations, enabling an attacker to craft malicious web pages that, when visited by an authenticated user, execute unintended requests against the vulnerable plugin. This is a low-severity finding with an EPSS score of 0.02% (5th percentile), indicating minimal real-world exploitation probability despite the theoretical attack surface.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62080 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce plugin version 2.2.0 and earlier allows unauthenticated attackers to perform unwanted actions on behalf of authenticated users through forged requests. The vulnerability affects the WordPress plugin used to enable live shopping and shoppable video streams in WooCommerce stores. No public exploit code has been identified, and the EPSS score of 0.02% indicates low exploitation probability despite the CSRF attack vector.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-59130 MEDIUM This Month

Cross-site request forgery vulnerability in Appointify WordPress plugin versions up to 1.0.8 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability affects a WordPress plugin used for appointment scheduling, enabling attackers to manipulate plugin functionality without explicit user consent. With an EPSS score of 0.02% (5th percentile), exploitation likelihood is minimal despite the technical severity classification.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62874 MEDIUM This Month

Missing authorization in the Alexander AnyComment WordPress plugin through version 0.3.6 allows unauthenticated attackers to exploit incorrectly configured access control security levels, resulting in unauthorized access to protected functionality. The vulnerability stems from broken access control mechanisms (CWE-862) rather than authentication bypass, meaning authenticated sessions may also be affected depending on their privilege level. With an EPSS score of 0.02% and no reported active exploitation, this represents a low-probability real-world risk despite the critical nature of access control flaws.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
Prev Page 3 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy