Skip to main content
CVE-2025-62083 MEDIUM This Month

WP Messiah BoomDevs WordPress Coming Soon plugin through version 1.0.4 exposes sensitive system information to unauthorized access, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability stems from improper access controls on sensitive data endpoints, classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). With an EPSS score of 0.01% (2nd percentile), exploitation likelihood is minimal despite the information disclosure nature of the defect.

WordPress Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49340 MEDIUM This Month

Direct Payments WP WordPress plugin through version 1.3.2 exposes embedded sensitive system information to unauthorized parties via CWE-497 exposure mechanisms, allowing attackers to retrieve confidential data without requiring authentication. The vulnerability affects all versions up to and including 1.3.2, with an EPSS score of 0.01% indicating minimal observed exploitation probability despite the information disclosure nature of the flaw.

Information Disclosure
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63038 MEDIUM This Month

Missing authorization in Northern Beaches Websites WP Custom Admin Interface plugin (versions up to 7.40) allows unauthenticated attackers to bypass access controls and exploit incorrectly configured security levels, potentially gaining unauthorized administrative access or performing privileged actions without proper authentication. The vulnerability affects WordPress installations using this plugin and carries a very low EPSS score (0.01%, 2nd percentile) despite the authorization flaw, suggesting limited real-world exploitation likelihood in practice.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62115 MEDIUM This Month

Hide Plugins WordPress plugin through version 1.0.4 fails to enforce proper authorization checks, allowing unauthenticated or low-privileged users to access plugin management functions intended for administrators. The missing access control (CWE-862) permits attackers to exploit incorrectly configured security levels, potentially enabling unauthorized plugin visibility or manipulation. While EPSS indicates low real-world exploitation probability (0.01%, 2nd percentile), the vulnerability represents a direct authorization bypass that could escalate privileges in certain WordPress configurations.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62099 MEDIUM This Month

The Signature Add-On for Gravity Forms plugin (version 1.8.6 and earlier) contains a missing authorization vulnerability that allows attackers to bypass access controls and exploit incorrectly configured security levels. The vulnerability stems from improper implementation of authorization checks, enabling unauthorized users to access protected functionality or data that should be restricted based on user roles and permissions. This authentication bypass affects WordPress installations using the vulnerable plugin versions and is tracked as CWE-862 (Missing Authorization).

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62078 MEDIUM This Month

Missing authorization in the Easy Upload Files During Checkout WordPress plugin through version 3.0.0 allows unauthenticated attackers to exploit incorrectly configured access controls to bypass security restrictions and upload files. The vulnerability, classified as a broken access control flaw (CWE-862), affects the plugin's core file upload functionality during checkout operations. While EPSS scoring indicates very low exploitation probability (0.01%, 2nd percentile), the absence of CVSS data and patch version information limits quantification of attack complexity and remediation specificity.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49352 MEDIUM This Month

Authorization bypass in Order Cancellation & Returns for WooCommerce plugin (versions ≤1.1.11) allows unauthenticated or low-privileged users to access and manipulate order cancellation and return functionality through user-controlled parameters. The vulnerability stems from improper access control checks that fail to validate user permissions against the requested resource, enabling attackers to operate on orders belonging to other customers without proper authorization. EPSS score of 0.01% indicates low observed exploitation likelihood despite the straightforward attack vector.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-49339 MEDIUM This Month

Missing authorization in the Direct Payments WP WordPress plugin version 1.3.2 and earlier allows attackers to bypass access control mechanisms and exploit incorrectly configured security levels, potentially gaining unauthorized access to payment functionality. This authentication bypass vulnerability affects all users of the plugin up to version 1.3.2, with an EPSS score of 0.01% indicating very low real-world exploitation probability despite the missing CVSS rating.

Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62123 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP plugin through version 1.0.7 allows attackers to perform unauthorized actions on behalf of authenticated administrators without their knowledge or consent. The vulnerability affects the WordPress plugin across all versions up to and including 1.0.7, enabling attackers to potentially modify email configuration settings or other administrative functions via crafted web requests. No public exploit code has been identified at the time of analysis, and the EPSS score of 0.01% indicates minimal real-world exploitation likelihood despite the theoretical attack surface.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62113 MEDIUM This Month

Cross-site request forgery (CSRF) in the Co-marquage service-public.fr WordPress plugin up to version 0.5.77 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by crafting malicious requests. The vulnerability lacks a CVSS score and shows minimal exploitation probability (0.01% EPSS), with no public exploit code or active exploitation indicators identified.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62101 MEDIUM This Month

Cross-site request forgery (CSRF) in Pardakht Delkhah WordPress plugin through version 3.0.0 allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users by tricking them into visiting malicious pages. The vulnerability affects all versions up to and including 3.0.0, though no CVSS score or public exploit code has been published. This represents a low-probability exploitation risk (EPSS 0.01%) despite the attack vector being network-accessible, likely due to the social engineering requirement inherent to CSRF attacks.

CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15392 LOW Monitor

A weakness has been identified in Kohana KodiCMS up to 13.82.135. This affects the function like of the file cms/modules/pages/classes/kodicms/model/page.php of the component Search API Endpoint. Executing manipulation of the argument keyword can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

PHP SQLi Kodicms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
Prev Page 4 of 4

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy