Skip to main content
CVE-2025-10484 CRITICAL Act Now

The WooCommerce mobile phone registration plugin has an authentication bypass vulnerability allowing unauthenticated attackers to log in as any user, including administrators, with EPSS 0.42%.

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-15403 CRITICAL Act Now

The RegistrationMagic WordPress plugin up to version 6.0 allows unauthenticated privilege escalation, enabling attackers to create admin accounts and take over WordPress sites.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1059 MEDIUM POC This Month

SQL injection in FeMiner Warehouse Management System's /src/chkuser.php endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and the vendor has not provided patches despite early notification. The flaw affects all versions up to commit 9cad1f1b179a98b9547fd003c23b07c7594775fa and enables attackers to potentially read, modify, or delete sensitive warehouse data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-15532 MEDIUM POC PATCH This Month

A security flaw has been discovered in Open5GS up to 2.7.5. This issue affects some unknown processing of the component Timer Handler. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-15531 MEDIUM POC This Month

A vulnerability was identified in Open5GS up to 2.7.5. This vulnerability affects the function sgwc_bearer_add of the file src/sgwc/context.c. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-15530 MEDIUM POC This Month

A vulnerability was determined in Open5GS up to 2.7.6. This affects the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c. [CVSS 5.3 MEDIUM]

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14478 HIGH This Week

Demo Importer Plus (WordPress plugin) is affected by improper restriction of xml external entity reference (CVSS 7.5).

WordPress PHP XXE
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-0517 HIGH This Week

Secure Access Server versions before 14.20 are vulnerable to a network-based denial-of-service attack where unauthenticated attackers can crash the server by sending specially crafted packets. This vulnerability requires no user interaction and is easily exploitable over the network, though no patch is currently available. Organizations running affected versions should implement network-level mitigations to restrict access to the vulnerable service.

Denial Of Service Secure Access
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-13725 MEDIUM This Month

The Gutenberg Thim Blocks - Page Builder, Gutenberg Blocks for the Block Editor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 1.0.1. This is due to insufficient path validation in the server-side rendering of the thim-blocks/icon block. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-14450 MEDIUM This Month

The Wallet System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'change_wallet_fund_request_status_callback' function in all versions up to, and including, 2.7.2. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-0833 MEDIUM This Month

Stored cross-site scripting in the Team Section Block plugin for WordPress through version 2.0.0 allows authenticated contributors and above to inject malicious scripts into pages by manipulating social network link URLs due to improper input sanitization and output escaping. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising site security and user data. An unpatched WordPress installation with this plugin poses a persistent attack vector for authenticated users with lower privilege levels.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-8615 MEDIUM This Month

The CubeWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cubewp_shortcode_taxonomy shortcode in all versions up to, and including, 1.1.26 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-1062 LOW POC Monitor

Teamwork Management System versions up to 2.28.0. is affected by server-side request forgery (ssrf) (CVSS 6.3).

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1061 LOW POC Monitor

Unrestricted file upload in Teamwork Management System (TMS) versions up to 2.28.0 allows authenticated attackers to upload malicious files by manipulating the filename parameter in the FileController. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for organizations using affected versions.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1049 LOW POC Monitor

A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1048 LOW POC Monitor

A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketZoom. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-12002 MEDIUM This Month

Feeds for YouTube Pro (WordPress plugin) versions up to 2.6.0 is affected by path traversal (CVSS 5.9).

WordPress PHP
NVD
CVSS 3.1
5.9
EPSS
0.2%
CVE-2025-12718 MEDIUM This Month

Quick Contact Form (WordPress plugin) versions up to 8.2.6. is affected by improper input validation (CVSS 5.8).

WordPress PHP
NVD
CVSS 3.1
5.8
EPSS
0.1%
CVE-2026-1050 MEDIUM This Month

SQL injection in the REST authentication endpoint of risesoft-y9 Digital-Infrastructure up to version 9.6.7 allows unauthenticated remote attackers to manipulate input parameters and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification. The attack requires no user interaction and can compromise data confidentiality, integrity, and availability.

Java SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-14463 MEDIUM This Month

The Payment Button for PayPal plugin for WordPress is vulnerable to unauthorized order creation in all versions up to, and including, 1.2.3.41. This is due to the plugin exposing a public AJAX endpoint (`wppaypalcheckout_ajax_process_order`) that processes checkout results without any authentication or server-side verification of the PayPal transaction. This makes it possible for unauthenticated attackers to create arbitrary orders on the site with any chosen transaction ID, payment status, p...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2025-14078 MEDIUM This Month

The PAYGENT for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.4.6. This is due to missing authorization checks on the paygent_check_webhook function combined with the paygent_permission_callback function unconditionally returning true on line 199. This makes it possible for unauthenticated attackers to manipulate payment callbacks and modify order statuses by sending forged payment notifications via the `/wp-json/paygent/v1/che...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14029 MEDIUM This Month

The Community Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_admin_event_approval() function in all versions up to, and including, 1.5.6. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-0808 MEDIUM This Month

The Spin Wheel WordPress plugin through version 2.1.0 fails to validate prize selection on the server side, allowing unauthenticated attackers to manipulate the 'prize_index' parameter and arbitrarily select high-value prizes. This input validation flaw enables attackers to bypass the intended randomization mechanism and consistently win premium rewards. No patch is currently available for affected installations.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12825 MEDIUM This Month

User Registration Using Contact Form 7 (WordPress plugin) is affected by missing authorization (CVSS 5.3).

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14075 MEDIUM This Month

The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12129 MEDIUM This Month

All-in-One Dynamic Content Framework versions up to 1.1.27 is affected by information exposure (CVSS 5.3).

WordPress Information Disclosure PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12984 MEDIUM This Month

The Advanced Ads - Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. [CVSS 4.9 MEDIUM]

WordPress SQLi PHP
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-0518 MEDIUM This Month

Secure Access versions before 14.20 contain a stored cross-site scripting vulnerability that allows administrators to inject malicious scripts into the console interface. An authenticated admin can exploit this to interfere with other administrators' sessions and potentially steal sensitive information through the compromised console. The vulnerability requires high privileges and user interaction but can impact multiple administrators due to its scope across the application.

XSS Secure Access
NVD
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-0725 MEDIUM This Month

Stored XSS in the Integrate Dynamics 365 CRM WordPress plugin through version 1.1.1 allows authenticated administrators to inject malicious scripts into plugin settings due to inadequate input sanitization. An attacker with admin privileges can execute arbitrary JavaScript that runs whenever users access affected pages. No patch is currently available.

WordPress Industrial XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0691 MEDIUM This Month

The CM E-Mail Blacklist plugin for WordPress through version 1.6.2 contains a stored XSS vulnerability in the 'black_email' parameter due to inadequate input sanitization and output escaping. Authenticated administrators can inject arbitrary JavaScript that executes for all users accessing affected pages, though exploitation is limited to multi-site installations or those with unfiltered_html disabled. No patch is currently available.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-14632 MEDIUM This Month

The Filr - Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. [CVSS 4.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-0820 MEDIUM This Month

Authenticated attackers with Subscriber-level privileges can upload malicious signatures to arbitrary orders in the RepairBuddy WordPress plugin (versions up to 4.1116) due to missing capability checks, allowing them to modify order metadata and trigger unauthorized status changes. The vulnerability stems from insufficient access controls on the signature upload handler and requires only basic user authentication to exploit. Patch availability is not currently provided for this integrity-impacting vulnerability.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-12168 MEDIUM This Month

Phrase TMS Integration for WordPress (WordPress plugin) is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0519 LOW Monitor

Secure Access versions up to 14.20 is affected by insertion of sensitive information into log file (CVSS 3.4).

Information Disclosure Secure Access
NVD
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-0682 LOW Monitor

The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. [CVSS 2.2 LOW]

WordPress SSRF
NVD
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-1066 LOW Monitor

Kodbox versions up to 1.61.10 contain a command injection vulnerability in the compression handler component that allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Command Injection Kodbox
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-1064 LOW Monitor

Bastillion up to version 4.0.1 contains a command injection vulnerability in the System Management Module that allows remote attackers with high privileges to execute arbitrary commands. Public exploit code exists for this vulnerability, and the vendor has not provided a patch. The impact is limited to low-level confidentiality, integrity, and availability compromise.

Java Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%
CVE-2026-1063 LOW Monitor

Command injection in Bastillion's public key management system (versions up to 4.0.1) allows remote attackers with high privileges to execute arbitrary commands through the AuthKeysKtrl.java component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The attack requires network access and high-level authentication but carries minimal complexity once access is obtained.

Java Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy