Skip to main content

WordPress

17382 CVEs vendor

Monthly

CVE-2025-14151 HIGH This Week

Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.

WordPress XSS
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-63002 MEDIUM This Month

Sermon Manager for WordPress plugin through version 2.30.0 allows unauthenticated attackers to exploit missing authorization checks to access or modify sermon data due to incorrectly configured access control security levels. The vulnerability stems from CWE-862 (Missing Authorization) and affects all installations running the vulnerable version range. With an EPSS score of 0.04% (13th percentile), real-world exploitation probability is minimal despite the permission-based nature of the flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-64273 MEDIUM This Month

Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-64231 CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.

Google File Upload WordPress
NVD
CVSS 3.1
9.9
EPSS
0.1%
CVE-2025-64222 HIGH This Week

Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60083 HIGH This Week

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

WordPress Woocommerce PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60082 HIGH This Week

Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60081 HIGH This Week

Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.

WordPress PHP Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-60080 HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

WordPress PHP Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-58951 CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.

WordPress SQLi
NVD
CVSS 3.1
9.3
EPSS
0.0%
CVE-2025-53436 HIGH This Week

Local File Inclusion (LFI) in BZOTheme Monki WordPress theme versions through 2.0.5 allows unauthenticated remote attackers to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete system compromise. Despite the high 8.1 CVSS score, real-world exploitation probability remains low (EPSS 0.17%, 38th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis. The vulnerability stems from improper filename validation in PHP include/require statements, classified as CWE-98.

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-11369 MEDIUM This Month

Gutenberg Essential Blocks plugin for WordPress up to version 5.7.2 allows authenticated authors and above to access sensitive API keys for Instagram, Google Maps, and other external services due to missing capability checks on several callback functions. The vulnerability requires WordPress Author-level or higher privileges and carries a low real-world risk given the constrained attack surface and low EPSS score of 0.04%, though it does expose plaintext credentials to a wider internal threat model than intended.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-68070 MEDIUM This Month

Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-67929 MEDIUM This Month

Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67912 MEDIUM This Month

Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-66128 MEDIUM This Month

Missing Authorization vulnerability in Brevo Sendinblue for WooCommerce woocommerce-sendinblue-newsletter-subscription allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendinblue for WooCommerce: from n/a through <= 4.0.49.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-64638 MEDIUM This Month

Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-54004 LOW Monitor

Missing authorization in WCFM - Frontend Manager for WooCommerce through version 6.7.24 allows authenticated users with limited privileges to bypass access controls via incorrectly configured security levels, enabling read-only disclosure of sensitive information. The vulnerability requires user interaction and has a low EPSS score (0.03%, 10th percentile), indicating minimal real-world exploitation probability despite the authentication requirement.

WordPress Authentication Bypass
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-13794 MEDIUM This Month

Authenticated attackers with Contributor-level access or above can delete or generate featured images on posts they do not own in the Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 4.2.1, due to a missing capability check in the bulk_action_generate_handler function. The vulnerability requires user authentication and has a CVSS score of 4.3; no public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-9116 MEDIUM This Month

Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress PHP XSS
NVD WPScan
CVSS 3.1
5.8
EPSS
0.0%
CVE-2025-14581 MEDIUM This Month

The HAPPY Helpdesk Support Ticket System WordPress plugin up to version 1.0.9 allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets by bypassing authorization checks on the 'submit_form_reply' AJAX action. The vulnerability stems from missing capability validation before processing ticket replies, enabling low-privileged users to manipulate the 'happy_topic_id' parameter and interact with tickets they do not own or are not assigned to. While the CVSS score of 4.3 reflects low-to-medium severity with integrity impact only, the EPSS percentile of 13% and absence of evidence of active exploitation suggest this is not an immediate critical priority, though it should be patched to prevent unauthorized ticket interference.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14476 HIGH This Week

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

PHP Information Disclosure WordPress RCE Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-14447 MEDIUM This Month

Unauthorized data modification in AnnunciFunebri Impresa WordPress plugin through version 4.7.0 allows authenticated subscribers to reset all plugin options via the missing capability check on annfu_reset_options() function. Attackers with Subscriber-level access can delete all 29 plugin configuration options, reverting the plugin to default state without administrative authorization. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14446 MEDIUM This Month

Popup Builder (Easy Notify Lite) plugin for WordPress versions up to 1.1.37 allows authenticated attackers with Subscriber-level access to reset plugin settings to default values due to missing capability checks in the easynotify_cp_reset() function. The vulnerability requires user authentication and does not grant elevated privileges or information disclosure, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active exploitation has been identified at time of analysis, though the issue poses moderate risk to WordPress installations relying on plugin configuration integrity.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.1%
CVE-2025-14440 CRITICAL Act Now

Authentication bypass in JAY Login & Register plugin for WordPress versions ≤2.4.01 allows unauthenticated remote attackers to impersonate any site user, including administrators, by exploiting flawed cookie validation in the user-switching function. Attackers require only knowledge of target user IDs to gain complete account access without credentials. No public exploit identified at time of analysis.

WordPress Authentication Bypass
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-13403 MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify tracking settings in the Employee Spotlight WordPress plugin (versions up to 5.1.3) due to missing authorization checks in the employee_spotlight_check_optin() function. The vulnerability allows privilege escalation to perform account integrity modifications that should require administrator approval, affecting all installations of this plugin without patches applied.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14065 MEDIUM This Month

Simple Bike Rental WordPress plugin versions up to 1.0.6 allow authenticated subscribers to retrieve sensitive customer booking data due to missing capability checks on the 'simpbire_carica_prenotazioni' AJAX action. Attackers with subscriber-level access can exfiltrate personally identifiable information including names, email addresses, and phone numbers from all booking records. CVSS 4.3 reflects the moderate severity of unauthorized information disclosure without requiring administrative access.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14074 MEDIUM This Month

Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-10583 LOW Monitor

WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.

WordPress SSRF Authentication Bypass
NVD
CVSS 3.1
3.5
EPSS
0.0%
CVE-2025-14467 MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.

WordPress XSS
NVD
CVSS 3.1
4.4
EPSS
0.1%
CVE-2025-14354 MEDIUM This Month

Cross-Site Request Forgery in Resource Library for Logged In Users WordPress plugin (all versions up to 1.5) allows unauthenticated attackers to perform unauthorized administrative actions including creating, editing, and deleting resources and categories by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation on multiple administrative functions. With an EPSS score of 0.02% and low real-world exploitation probability despite the CVSS 4.3 score, this represents a lower-priority vulnerability requiring user interaction and administrative privileges on the target site.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14344 CRITICAL Act Now

Arbitrary file deletion in Multi Uploader for Gravity Forms (WordPress plugin ≤1.1.7) allows unauthenticated remote attackers to delete any file on the server through insufficient path validation in the plupload_ajax_delete_file function. Exploitation requires no credentials or user interaction. CVSS 9.8 Critical severity reflects network-accessible attack with high impact to confidentiality, integrity, and availability. Low observed exploitation activity (EPSS 0.37%). No public exploit identified at time of analysis.

Path Traversal WordPress
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-14170 MEDIUM This Month

Authenticated attackers with WordPress Subscriber-level access and above can modify arbitrary plugin settings in the Vimeo SimpleGallery plugin versions up to 0.2 due to missing authorization checks on the vimeogallery_admin function. The vulnerability allows privilege escalation within WordPress, enabling lower-privileged users to alter plugin configurations they should not have access to. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14064 MEDIUM This Month

BuddyTask plugin for WordPress versions up to 1.3.0 fails to enforce capability checks on multiple AJAX endpoints, allowing authenticated subscribers and above to view, create, modify, and delete task boards in any BuddyPress group regardless of membership or group privacy settings. The CVSS 5.4 (Medium) rating reflects confidentiality and integrity impacts limited to group task data with low attack complexity and no user interaction required, though the actual organizational risk depends on BuddyPress deployment scope and task board sensitivity.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-14032 MEDIUM This Month

Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13972 MEDIUM This Month

Arbitrary file read in WatchTowerHQ WordPress plugin versions up to 3.16.0 allows authenticated administrators with valid access tokens to read sensitive server files via path traversal in the 'wht_download_big_object_origin' parameter. The vulnerability exploits insufficient path validation in the handle_big_object_download_request function, potentially exposing database credentials and authentication keys. No public exploit code or active exploitation has been confirmed at time of analysis.

Path Traversal WordPress
NVD
CVSS 3.1
4.9
EPSS
0.2%
CVE-2025-13840 MEDIUM This Month

Stored Cross-Site Scripting in BUKAZU Search widget plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through the 'shortcode' parameter of the 'bukazu_search' shortcode. The vulnerability affects all versions up to and including 3.3.2 and results from insufficient input sanitization and output escaping. Malicious scripts execute in the context of any user accessing affected pages. EPSS score of 0.04% indicates low real-world exploitation probability despite moderate CVSS 6.4 severity.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13747 MEDIUM This Month

Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13440 MEDIUM This Month

Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-13320 MEDIUM This Month

Arbitrary file deletion in WP User Manager plugin versions up to 2.9.12 allows authenticated attackers with Subscriber-level privileges to delete critical files via improper validation of the 'current_user_avatar' parameter when custom avatar functionality is enabled. The vulnerability exploits PHP's filter_input() function's handling of array inputs combined with insufficient path validation, enabling a two-stage attack that can facilitate remote code execution by deleting essential files. No public exploit code has been identified at the time of analysis, though the low EPSS score (0.29%) suggests limited real-world exploitation likelihood despite the moderate CVSS rating.

RCE WordPress
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2025-13314 MEDIUM This Month

Unauthenticated attackers can modify plugin settings and create arbitrary filter options in the Filter Plus plugin for WordPress (versions up to 1.1.6) due to missing capability checks on AJAX actions 'filter_save_settings' and 'add_filter_options'. This allows unauthorized data modification with no confidentiality impact but enables attackers to alter product filtering functionality without authentication. The vulnerability has a low EPSS score (0.08%, 23rd percentile) despite network accessibility, indicating limited real-world exploitation likelihood.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12968 HIGH This Week

Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.

RCE WordPress File Upload
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-12883 MEDIUM This Month

Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.

Authentication Bypass WordPress
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12834 MEDIUM This Month

Reflected cross-site scripting (XSS) in Accept Stripe Payments Using Contact Form 7 WordPress plugin versions up to 3.1 allows unauthenticated attackers to inject arbitrary JavaScript via the 'failure_message' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link that, when clicked by a victim, executes JavaScript in the victim's browser session with access to sensitive data or session tokens. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-12830 MEDIUM This Month

Stored cross-site scripting in Better Elementor Addons plugin for WordPress up to version 1.5.5 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript through insufficiently sanitized Slider widget attributes, which executes when any user views the affected page. This is a stored XSS vulnerability affecting a widely-deployed WordPress plugin; no public exploit code or active exploitation has been confirmed at time of analysis, but the low CVSS complexity (AC:L) and moderate EPSS exploitation probability make this a practical concern for any WordPress site running the vulnerable plugin versions with user roles permitted to edit pages.

WordPress XSS
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-12783 MEDIUM This Month

Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.

Authentication Bypass WordPress
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14293 MEDIUM This Month

WP Job Portal plugin for WordPress allows authenticated attackers with Subscriber-level access to read arbitrary files on the server through path traversal in the 'downloadCustomUploadedFile' function, potentially exposing sensitive configuration files, database credentials, or other confidential data. The vulnerability affects all versions up to and including 2.4.0, with CVSS 6.5 reflecting the high confidentiality impact but low attack complexity and requirement only for basic authenticated access.

Path Traversal WordPress
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67589 MEDIUM This Month

Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-67580 MEDIUM This Month

Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-67570 MEDIUM This Month

WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-67559 MEDIUM This Month

Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-67557 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS.This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9.

WordPress XSS
NVD
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-67535 MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress Deserialization Google
NVD
CVSS 3.1
6.6
EPSS
0.0%
CVE-2025-67516 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.

WordPress SQLi
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2025-67472 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

WordPress CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-66528 MEDIUM This Month

Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2025-63075 MEDIUM This Month

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63074 HIGH This Week

Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.

WordPress PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2025-63073 MEDIUM This Month

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04th percentile, and no public exploit code or active exploitation has been reported.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63071 MEDIUM This Month

Insertion of sensitive information into sent data in auxin-elements WordPress plugin versions up to 2.17.15 allows unauthenticated remote attackers to retrieve embedded sensitive data through network-accessible responses. The vulnerability exposes information with low confidentiality impact and affects the Shortcodes and extra features for Phlox theme plugin across all versions through 2.17.15, with EPSS scoring indicating 0.04% likelihood of exploitation.

WordPress PHP Information Disclosure
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63068 MEDIUM This Month

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

WordPress PHP XSS Code Injection
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-63066 MEDIUM This Month

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63055 MEDIUM This Month

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63052 MEDIUM This Month

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-63024 MEDIUM This Month

Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-63023 MEDIUM This Month

Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-63015 MEDIUM This Month

Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.

WordPress Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-63011 MEDIUM This Month

DOM-based cross-site scripting (XSS) in ThimPress WP Hotel Booking plugin versions up to 2.2.8 allows authenticated users with high privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting its real-world impact despite a moderate CVSS score of 5.9. EPSS exploitation probability is very low at 0.04%, indicating minimal practical attack likelihood.

WordPress PHP XSS
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-62870 MEDIUM This Month

Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, though with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.

WordPress Woocommerce PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62740 MEDIUM This Month

Missing authorization controls in Mario Peshev WP-CRM System plugin up to version 3.4.6 allow unauthenticated remote attackers to modify data through incorrectly configured access control security levels. The CVSS 5.3 score reflects low integrity impact with no confidentiality or availability consequences, but the vulnerability exposes the plugin to unauthorized data manipulation attacks without authentication.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-62734 MEDIUM This Month

Cross-site request forgery (CSRF) in WordPress Media Library Downloader plugin versions up to 1.4.0 allows unauthenticated attackers to perform unauthorized actions on behalf of logged-in site administrators or users via crafted web requests. The vulnerability requires user interaction (UI:R) and has limited scope-affecting only integrity (I:L) with no confidentiality or availability impact. EPSS exploitation probability is very low at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood despite the public disclosure.

WordPress PHP CSRF
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-62151 MEDIUM This Month

Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Virtuaria PagBank / PagSeguro para Woocommerce: from n/a through <= 3.6.3.

WordPress Authentication Bypass
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-62082 MEDIUM This Month

Stored cross-site scripting (XSS) in Generic Elements for Elementor plugin versions 1.2.9 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a malicious link) and affects WordPress installations using this plugin. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been identified.

WordPress PHP XSS
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-13065 HIGH This Week

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

File Upload WordPress RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-12966 HIGH This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

File Upload WordPress RCE PHP
NVD
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-12499 HIGH This Week

The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2.

WordPress Google XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-13748 MEDIUM This Month

A security vulnerability in for WordPress is vulnerable to Insecure Direct Object Reference in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13377 CRITICAL PATCH Act Now

The 10Web Booster - Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.

Path Traversal WordPress Denial Of Service 10web Booster PHP
NVD
CVSS 3.1
9.6
EPSS
0.1%
CVE-2025-13907 MEDIUM This Month

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13899 MEDIUM This Month

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13898 MEDIUM This Month

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13896 MEDIUM This Month

The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13894 MEDIUM This Month

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13863 MEDIUM This Month

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13857 MEDIUM This Month

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13856 MEDIUM This Month

The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13666 MEDIUM This Month

A remote code execution vulnerability in for WordPress is vulnerable to Missing Authorization in (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13656 MEDIUM This Month

The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-13629 MEDIUM This Month

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp_api_update_text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-13626 MEDIUM This Month

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.2%
EPSS 0% CVSS 7.2
HIGH This Week

Stored XSS in SlimStat Analytics for WordPress allows unauthenticated attackers to inject malicious scripts via unsanitized 'outbound_resource' parameter in slimtrack AJAX action (versions ≤5.3.2). Injected scripts execute when any user accesses the compromised page, enabling session hijacking, credential theft, or privilege escalation. Affects all installations with publicly accessible AJAX endpoints. No public exploit identified at time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Sermon Manager for WordPress plugin through version 2.30.0 allows unauthenticated attackers to exploit missing authorization checks to access or modify sermon data due to incorrectly configured access control security levels. The vulnerability stems from CWE-862 (Missing Authorization) and affects all installations running the vulnerable version range. With an EPSS score of 0.04% (13th percentile), real-world exploitation probability is minimal despite the permission-based nature of the flaw.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files.This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.

Google File Upload WordPress
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF Invoice Builder for WooCommerce plugin allows authenticated attackers with low privileges to execute arbitrary PHP code, manipulate application objects, or trigger other malicious actions. Affects all versions through 6.5.0. No public exploit identified at time of analysis, with EPSS probability of 0.07% suggesting minimal real-world exploitation activity despite high CVSS score.

WordPress Woocommerce PHP +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF for WPForms plugin (versions ≤6.5.0) enables authenticated attackers to execute arbitrary PHP code or manipulate application state. The CVSS score of 8.8 reflects network-based exploitation with low complexity requiring only low-privileged authentication. EPSS probability of 0.07% (22nd percentile) suggests limited exploitation likelihood. No public exploit code or CISA KEV listing identified at time of analysis, indicating this remains a theoretical risk requiring proactive patching.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Object injection via unsafe deserialization in PDF for Contact Form 7 WordPress plugin (versions ≤6.5.0) allows authenticated attackers to execute arbitrary PHP code or manipulate application state. Attack requires low-privileged user credentials but no user interaction, with network-accessible attack vector. EPSS probability remains low (0.07%, 22nd percentile) and no active exploitation confirmed at time of analysis. Publicly available exploit code exists per Patchstack disclosure.

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 7.5
HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

WordPress PHP Deserialization
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection.This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.

WordPress SQLi
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local File Inclusion (LFI) in BZOTheme Monki WordPress theme versions through 2.0.5 allows unauthenticated remote attackers to include and execute arbitrary PHP files on the server, potentially leading to remote code execution, information disclosure, or complete system compromise. Despite the high 8.1 CVSS score, real-world exploitation probability remains low (EPSS 0.17%, 38th percentile) with no confirmed active exploitation or public exploit code identified at time of analysis. The vulnerability stems from improper filename validation in PHP include/require statements, classified as CWE-98.

WordPress PHP LFI
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Gutenberg Essential Blocks plugin for WordPress up to version 5.7.2 allows authenticated authors and above to access sensitive API keys for Instagram, Google Maps, and other external services due to missing capability checks on several callback functions. The vulnerability requires WordPress Author-level or higher privileges and carries a low real-world risk given the constrained attack surface and low EPSS score of 0.04%, though it does expose plaintext credentials to a wider internal threat model than intended.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in VK Google Job Posting Manager WordPress plugin versions up to 1.2.22 allows authenticated users with low privileges to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators. The vulnerability requires user interaction (clicking a link or viewing a malicious page) to trigger payload execution and affects the plugin's web page generation functionality. EPSS probability of exploitation is notably low at 0.04%, suggesting this is primarily a theoretical risk without documented active exploitation.

WordPress PHP XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in templateinvaders TI WooCommerce Wishlist ti-woocommerce-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TI WooCommerce Wishlist: from n/a through <= 2.10.0.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Premio Stars Testimonials WordPress plugin versions 3.3.4 and below allows authenticated users to inject malicious scripts that execute in the context of other users' browsers, potentially compromising site administrators or visitors. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting immediate risk, but the stored nature means injected payloads persist and affect multiple users. No public exploit code or active KEV status is documented, though the 6.5 CVSS score reflects moderate severity when considering cross-site impact.

WordPress PHP XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in Brevo Sendinblue for WooCommerce woocommerce-sendinblue-newsletter-subscription allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendinblue for WooCommerce: from n/a through <= 4.0.49.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in OnPay.io OnPay.io for WooCommerce onpay-io-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects OnPay.io for WooCommerce: from n/a through <= 1.0.47.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 2.7
LOW Monitor

Missing authorization in WCFM - Frontend Manager for WooCommerce through version 6.7.24 allows authenticated users with limited privileges to bypass access controls via incorrectly configured security levels, enabling read-only disclosure of sensitive information. The vulnerability requires user interaction and has a low EPSS score (0.03%, 10th percentile), indicating minimal real-world exploitation probability despite the authentication requirement.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Contributor-level access or above can delete or generate featured images on posts they do not own in the Auto Featured Image (Auto Post Thumbnail) WordPress plugin through version 4.2.1, due to a missing capability check in the bulk_action_generate_handler function. The vulnerability requires user authentication and has a CVSS score of 4.3; no public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.8
MEDIUM This Month

Reflected cross-site scripting (XSS) in WPS Visitor Counter WordPress plugin through version 1.4.8 allows remote attackers to inject malicious scripts via the REQUEST_URI parameter, which is output without sanitization in HTML attributes. The vulnerability has a CVSS score of 5.8 and requires user interaction (clicking a crafted link), with exploitation limited primarily to older web browsers due to modern XSS protections. No public exploit code or active exploitation has been identified at the time of analysis.

WordPress PHP XSS
NVD WPScan
EPSS 0% CVSS 4.3
MEDIUM This Month

The HAPPY Helpdesk Support Ticket System WordPress plugin up to version 1.0.9 allows authenticated attackers with Subscriber-level access to submit replies to arbitrary support tickets by bypassing authorization checks on the 'submit_form_reply' AJAX action. The vulnerability stems from missing capability validation before processing ticket replies, enabling low-privileged users to manipulate the 'happy_topic_id' parameter and interact with tickets they do not own or are not assigned to. While the CVSS score of 4.3 reflects low-to-medium severity with integrity impact only, the EPSS percentile of 13% and absence of evidence of active exploitation suggest this is not an immediate critical priority, though it should be patched to prevent unauthorized ticket interference.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

PHP object injection in Doubly Cross Domain Copy Paste plugin (≤1.0.46) allows authenticated attackers with Subscriber-level privileges to execute arbitrary code via deserialized untrusted input from uploaded ZIP archives. Exploitation requires administrators to explicitly enable Subscriber access. Available POP chains enable code execution, file deletion, and sensitive data retrieval. Attack vector requires low privilege (PR:L) authentication with network accessibility and no user interaction. No public exploit identified at time of analysis.

PHP Information Disclosure WordPress +2
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Unauthorized data modification in AnnunciFunebri Impresa WordPress plugin through version 4.7.0 allows authenticated subscribers to reset all plugin options via the missing capability check on annfu_reset_options() function. Attackers with Subscriber-level access can delete all 29 plugin configuration options, reverting the plugin to default state without administrative authorization. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Popup Builder (Easy Notify Lite) plugin for WordPress versions up to 1.1.37 allows authenticated attackers with Subscriber-level access to reset plugin settings to default values due to missing capability checks in the easynotify_cp_reset() function. The vulnerability requires user authentication and does not grant elevated privileges or information disclosure, resulting in a CVSS score of 5.4 (medium severity). No public exploit code or active exploitation has been identified at time of analysis, though the issue poses moderate risk to WordPress installations relying on plugin configuration integrity.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in JAY Login & Register plugin for WordPress versions ≤2.4.01 allows unauthenticated remote attackers to impersonate any site user, including administrators, by exploiting flawed cookie validation in the user-switching function. Attackers require only knowledge of target user IDs to gain complete account access without credentials. No public exploit identified at time of analysis.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can modify tracking settings in the Employee Spotlight WordPress plugin (versions up to 5.1.3) due to missing authorization checks in the employee_spotlight_check_optin() function. The vulnerability allows privilege escalation to perform account integrity modifications that should require administrator approval, affecting all installations of this plugin without patches applied.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Simple Bike Rental WordPress plugin versions up to 1.0.6 allow authenticated subscribers to retrieve sensitive customer booking data due to missing capability checks on the 'simpbire_carica_prenotazioni' AJAX action. Attackers with subscriber-level access can exfiltrate personally identifiable information including names, email addresses, and phone numbers from all booking records. CVSS 4.3 reflects the moderate severity of unauthorized information disclosure without requiring administrative access.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with Subscriber-level access can duplicate arbitrary WordPress posts via the PDF for Contact Form 7 + Drag and Drop Template Builder plugin (versions up to 6.3.3) due to missing capability checks in the 'rednumber_duplicate' function. This allows disclosure of sensitive content including password-protected and private posts. The vulnerability requires authentication but exploits insufficient privilege validation, creating a post enumeration and information disclosure risk for multi-user WordPress installations. No public exploit code or active exploitation has been confirmed at the time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 3.5
LOW Monitor

WP Fastest Cache Premium plugin versions up to 1.7.4 contain a Server-Side Request Forgery (SSRF) vulnerability in the 'get_server_time_ajax_request' AJAX action that allows authenticated Subscriber-level users to send arbitrary web requests originating from the server, potentially enabling reconnaissance and manipulation of internal services. The free version is unaffected. No public exploit code has been identified at time of analysis, with a very low EPSS score of 0.04% indicating minimal real-world exploitation likelihood despite the authenticated attack vector.

WordPress SSRF Authentication Bypass
NVD
EPSS 0% CVSS 4.4
MEDIUM This Month

Stored Cross-Site Scripting in WP Job Portal plugin for WordPress up to version 2.4.4 allows authenticated attackers with Editor-level access or higher to inject arbitrary JavaScript into job description fields by exploiting explicit whitelisting of the `<script>` tag in the WPJOBPORTAL_ALLOWED_TAGS configuration. The injected scripts execute when users view affected job listings, enabling session hijacking, credential theft, and other malicious activities. Impact is limited to multi-site installations or sites with unfiltered_html disabled. CVSS score of 4.4 reflects the high privilege requirement (PR:H) and high attack complexity (AC:H), though the vulnerability affects a potentially large number of WordPress installations.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in Resource Library for Logged In Users WordPress plugin (all versions up to 1.5) allows unauthenticated attackers to perform unauthorized administrative actions including creating, editing, and deleting resources and categories by tricking a site administrator into clicking a malicious link. The vulnerability stems from missing nonce validation on multiple administrative functions. With an EPSS score of 0.02% and low real-world exploitation probability despite the CVSS 4.3 score, this represents a lower-priority vulnerability requiring user interaction and administrative privileges on the target site.

WordPress CSRF
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Arbitrary file deletion in Multi Uploader for Gravity Forms (WordPress plugin ≤1.1.7) allows unauthenticated remote attackers to delete any file on the server through insufficient path validation in the plupload_ajax_delete_file function. Exploitation requires no credentials or user interaction. CVSS 9.8 Critical severity reflects network-accessible attack with high impact to confidentiality, integrity, and availability. Low observed exploitation activity (EPSS 0.37%). No public exploit identified at time of analysis.

Path Traversal WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Authenticated attackers with WordPress Subscriber-level access and above can modify arbitrary plugin settings in the Vimeo SimpleGallery plugin versions up to 0.2 due to missing authorization checks on the vimeogallery_admin function. The vulnerability allows privilege escalation within WordPress, enabling lower-privileged users to alter plugin configurations they should not have access to. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

BuddyTask plugin for WordPress versions up to 1.3.0 fails to enforce capability checks on multiple AJAX endpoints, allowing authenticated subscribers and above to view, create, modify, and delete task boards in any BuddyPress group regardless of membership or group privacy settings. The CVSS 5.4 (Medium) rating reflects confidentiality and integrity impacts limited to group task data with low attack complexity and no user interaction required, though the actual organizational risk depends on BuddyPress deployment scope and task board sensitivity.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in Bold Timeline Lite WordPress plugin up to version 1.2.7 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript via the 'title' parameter of the 'bold_timeline_group' shortcode, executing malicious scripts whenever users view affected pages. CVSS 6.4 reflects moderate impact (confidentiality and integrity compromise across trust boundaries); EPSS 0.04% indicates low real-world exploitation probability. No public exploit code or active exploitation confirmed.

WordPress XSS
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

Arbitrary file read in WatchTowerHQ WordPress plugin versions up to 3.16.0 allows authenticated administrators with valid access tokens to read sensitive server files via path traversal in the 'wht_download_big_object_origin' parameter. The vulnerability exploits insufficient path validation in the handle_big_object_download_request function, potentially exposing database credentials and authentication keys. No public exploit code or active exploitation has been confirmed at time of analysis.

Path Traversal WordPress
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in BUKAZU Search widget plugin for WordPress allows authenticated attackers with Contributor-level access and above to inject arbitrary JavaScript through the 'shortcode' parameter of the 'bukazu_search' shortcode. The vulnerability affects all versions up to and including 3.3.2 and results from insufficient input sanitization and output escaping. Malicious scripts execute in the context of any user accessing affected pages. EPSS score of 0.04% indicates low real-world exploitation probability despite moderate CVSS 6.4 severity.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in NewStatPress WordPress plugin versions up to 1.4.3 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript into pages via a regex bypass in the nsp_shortcode function. When site visitors access pages containing the injected malicious shortcode attribute, the attacker's script executes in their browsers, enabling session hijacking, credential theft, or malware distribution. No public exploit code has been identified; EPSS score of 0.04% reflects the requirement for authenticated access and user interaction.

WordPress XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Premmerce Wishlist for WooCommerce plugin versions up to 1.1.10 fails to enforce authorization checks on the deleteWishlist() function, allowing authenticated Subscriber-level users to delete arbitrary wishlists belonging to other users. The vulnerability stems from missing capability validation rather than authentication bypass; while the CVSS vector indicates unauthenticated access (PR:N), the description specifies Subscriber-level authentication is required, suggesting the vector may reflect the function's accessibility rather than actual authentication bypass. With EPSS of 0.04% and no public exploit code identified, real-world exploitation risk is minimal despite the authorization flaw.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

Arbitrary file deletion in WP User Manager plugin versions up to 2.9.12 allows authenticated attackers with Subscriber-level privileges to delete critical files via improper validation of the 'current_user_avatar' parameter when custom avatar functionality is enabled. The vulnerability exploits PHP's filter_input() function's handling of array inputs combined with insufficient path validation, enabling a two-stage attack that can facilitate remote code execution by deleting essential files. No public exploit code has been identified at the time of analysis, though the low EPSS score (0.29%) suggests limited real-world exploitation likelihood despite the moderate CVSS rating.

RCE WordPress
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated attackers can modify plugin settings and create arbitrary filter options in the Filter Plus plugin for WordPress (versions up to 1.1.6) due to missing capability checks on AJAX actions 'filter_save_settings' and 'add_filter_options'. This allows unauthorized data modification with no confidentiality impact but enables attackers to alter product filtering functionality without authentication. The vulnerability has a low EPSS score (0.08%, 23rd percentile) despite network accessibility, indicating limited real-world exploitation likelihood.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Authenticated arbitrary file upload in Infility Global WordPress plugin versions ≤2.14.42 permits remote code execution. The upload_file function accepts spoofed MIME types without verifying file extensions, while import_data lacks capability checks, allowing subscriber-level users to upload malicious files (e.g., PHP webshells) to the server. CVSS:3.1 score 8.8 (High) reflects network-accessible, low-complexity exploitation requiring only low-privilege authentication. No public exploit identified at time of analysis. EPSS 0.35% indicates low observed exploitation activity.

RCE WordPress File Upload
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Unauthenticated payment bypass in Campay Woocommerce Payment Gateway plugin (versions up to 1.2.2) allows remote attackers to mark orders as successfully completed without actually processing payment, directly resulting in financial loss. The vulnerability stems from insufficient transaction validation in the payment processing workflow, enabling attackers to manipulate order status through the payment gateway interface.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

Reflected cross-site scripting (XSS) in Accept Stripe Payments Using Contact Form 7 WordPress plugin versions up to 3.1 allows unauthenticated attackers to inject arbitrary JavaScript via the 'failure_message' parameter due to insufficient input sanitization and output escaping. An attacker can craft a malicious link that, when clicked by a victim, executes JavaScript in the victim's browser session with access to sensitive data or session tokens. No public exploit code or active exploitation has been confirmed at the time of analysis.

WordPress XSS
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in Better Elementor Addons plugin for WordPress up to version 1.5.5 allows authenticated attackers with contributor-level or higher privileges to inject arbitrary JavaScript through insufficiently sanitized Slider widget attributes, which executes when any user views the affected page. This is a stored XSS vulnerability affecting a widely-deployed WordPress plugin; no public exploit code or active exploitation has been confirmed at time of analysis, but the low CVSS complexity (AC:L) and moderate EPSS exploitation probability make this a practical concern for any WordPress site running the vulnerable plugin versions with user roles permitted to edit pages.

WordPress XSS
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Premmerce Brands for WooCommerce plugin versions up to 1.2.13 allow authenticated attackers with Subscriber-level access to modify brand permalink settings due to a missing capability check in the saveBrandsSettings function. The vulnerability requires only network access and low-privilege authentication, enabling unauthorized data modification of WordPress brand configuration without user interaction.

Authentication Bypass WordPress
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

WP Job Portal plugin for WordPress allows authenticated attackers with Subscriber-level access to read arbitrary files on the server through path traversal in the 'downloadCustomUploadedFile' function, potentially exposing sensitive configuration files, database credentials, or other confidential data. The vulnerability affects all versions up to and including 2.4.0, with CVSS 6.5 reflecting the high confidentiality impact but low attack complexity and requirement only for basic authenticated access.

Path Traversal WordPress
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

WPForms Google Sheet Connector plugin through version 4.0.0 allows unauthenticated remote attackers to modify data by exploiting missing authorization checks on access control mechanisms. The vulnerability enables unauthorized manipulation of form submissions and Google Sheet integrations without proper permission validation, affecting WordPress installations using this plugin.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS.This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9.

WordPress XSS
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Deserialization of untrusted data in WP Maps WordPress plugin versions up to 4.8.6 allows high-privileged authenticated users to inject and instantiate arbitrary PHP objects, potentially leading to code execution or privilege escalation. While the CVSS score of 6.5 reflects high confidentiality and integrity impact, the requirement for administrator-level privileges (PR:H) and user interaction (UI:R) significantly constrains real-world exploitability. EPSS score of 0.04% indicates minimal observed exploitation likelihood despite the vulnerability's technical severity.

WordPress Deserialization Google
NVD
EPSS 0% CVSS 8.5
HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection.This issue affects Store Locator WordPress: from n/a through <= 1.6.2.

WordPress SQLi
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Cross Site Request Forgery.This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.

WordPress CSRF
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting (XSS) in muffingroup Betheme WordPress theme versions up to 28.2 allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and affects the confidentiality, integrity, and availability of affected installations; EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been confirmed.

WordPress PHP XSS
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Local File Inclusion in Dream-Theme's The7 WordPress theme (versions prior to 12.8.1.1) allows authenticated attackers with low privileges to read arbitrary server files through improper filename validation in PHP include statements. With a 0.17% EPSS score and no confirmed active exploitation, this represents a moderate risk primarily in shared hosting environments where authenticated users exist. The 7.5 CVSS score reflects high confidentiality and integrity impact, though exploitation requires high attack complexity and authenticated access.

WordPress PHP LFI
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

DOM-based cross-site scripting in Dream-Theme The7 WordPress theme versions before 12.9.0 allows authenticated users to inject malicious scripts that execute in the context of other users' browsers via improperly sanitized input during web page generation. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting real-world exploitability despite a moderate CVSS score of 6.5. EPSS exploitation probability is low at 0.04th percentile, and no public exploit code or active exploitation has been reported.

WordPress PHP XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Insertion of sensitive information into sent data in auxin-elements WordPress plugin versions up to 2.17.15 allows unauthenticated remote attackers to retrieve embedded sensitive data through network-accessible responses. The vulnerability exposes information with low confidentiality impact and affects the Shortcodes and extra features for Phlox theme plugin across all versions through 2.17.15, with EPSS scoring indicating 0.04% likelihood of exploitation.

WordPress PHP Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Improper HTML tag neutralization in sevenspark Contact Form 7 - Dynamic Text Extension through version 5.0.5 allows unauthenticated remote attackers to inject malicious scripts via a network-based attack with no user interaction required, resulting in confidentiality compromise through information disclosure. The vulnerability is classified as cross-site scripting (XSS) with low exploitability probability (EPSS 0.06%, percentile 18%), suggesting limited real-world attack incentive despite the network-accessible attack vector.

WordPress PHP XSS +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Porto Theme - Functionality plugin for WordPress allows authenticated users with low privileges to inject malicious scripts into web pages that execute in the browsers of other site visitors. The vulnerability affects Porto Theme - Functionality versions below 3.7.3 and has a low exploitation probability (EPSS 0.01%), but requires user interaction and authenticated access to exploit, limiting immediate risk to well-managed WordPress installations with access controls.

WordPress PHP XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Master Addons for Elementor through version 2.0.9.9.4 allows authenticated users with limited privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially compromising administrator accounts or stealing sensitive data. The vulnerability requires user interaction (UI:R) and affects the plugin's input sanitization during web page generation. With an EPSS score of 0.04% and no confirmed active exploitation, this represents a lower real-world risk despite the moderate CVSS base score of 6.5.

WordPress PHP XSS
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in SimpLy Gallery WordPress plugin (versions up to 3.3.2.1) allows authenticated users with low privileges to inject malicious scripts that execute in the browsers of other site visitors, potentially leading to session hijacking, credential theft, or site defacement. The vulnerability requires user interaction (UI:R) and affects confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed; EPSS score of 0.04% indicates low real-world exploitation probability despite the moderate CVSS rating.

WordPress PHP XSS
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Missing Authorization vulnerability in tychesoftwares Order Delivery Date for WooCommerce order-delivery-date-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Delivery Date for WooCommerce: from n/a through <= 4.3.1.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Easy Payment Payment Gateway for PayPal (woo-paypal-gateway) WordPress plugin versions up to 9.0.53 allows unauthenticated remote attackers to access sensitive payment gateway data through improper access control configuration. The vulnerability enables unauthorized information disclosure with low confidentiality impact. EPSS score of 0.04% indicates minimal observed exploitation probability despite network accessibility and no authentication requirement.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Paysera WooCommerce Payment Gateway plugin through version 3.10.0 contains a missing authorization flaw allowing authenticated users with lower privilege levels to access or perform actions intended for higher-privilege roles, resulting in limited information disclosure. The vulnerability stems from incorrectly configured access control checks and has an EPSS score of 0.04% (11th percentile), indicating low real-world exploitation probability despite the CVSS 4.3 rating and authenticated attack vector.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

DOM-based cross-site scripting (XSS) in ThimPress WP Hotel Booking plugin versions up to 2.2.8 allows authenticated users with high privileges to inject malicious scripts that execute in the context of other users' browsers. The vulnerability requires user interaction (UI:R) and high administrator privileges (PR:H), limiting its real-world impact despite a moderate CVSS score of 5.9. EPSS exploitation probability is very low at 0.04%, indicating minimal practical attack likelihood.

WordPress PHP XSS
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization in Eupago Gateway For Woocommerce allows unauthenticated remote attackers to modify data via incorrectly configured access control, affecting versions up to 4.7.1. The vulnerability enables integrity compromise without requiring authentication or user interaction, though with low attack complexity. EPSS scoring of 0.04% indicates minimal real-world exploitation probability despite moderate CVSS severity.

WordPress Woocommerce PHP +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing authorization controls in Mario Peshev WP-CRM System plugin up to version 3.4.6 allow unauthenticated remote attackers to modify data through incorrectly configured access control security levels. The CVSS 5.3 score reflects low integrity impact with no confidentiality or availability consequences, but the vulnerability exposes the plugin to unauthorized data manipulation attacks without authentication.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-site request forgery (CSRF) in WordPress Media Library Downloader plugin versions up to 1.4.0 allows unauthenticated attackers to perform unauthorized actions on behalf of logged-in site administrators or users via crafted web requests. The vulnerability requires user interaction (UI:R) and has limited scope-affecting only integrity (I:L) with no confidentiality or availability impact. EPSS exploitation probability is very low at 0.02% (5th percentile), indicating minimal real-world exploitation likelihood despite the public disclosure.

WordPress PHP CSRF
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Missing Authorization vulnerability in Virtuaria Virtuaria PagBank / PagSeguro para Woocommerce virtuaria-pagseguro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Virtuaria PagBank / PagSeguro para Woocommerce: from n/a through <= 3.6.3.

WordPress Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Stored cross-site scripting (XSS) in Generic Elements for Elementor plugin versions 1.2.9 and earlier allows authenticated users with limited privileges to inject malicious scripts that execute in the context of other users' browsers, potentially leading to session hijacking, credential theft, or malware distribution. The vulnerability requires user interaction (clicking a malicious link) and affects WordPress installations using this plugin. EPSS exploitation probability is low at 0.04%, and no public exploit code or active exploitation has been identified.

WordPress PHP XSS
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The Starter Templates plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.4.41. This is due to insufficient file type validation detecting WXR files, allowing double extension files to bypass sanitization while being accepted as a valid WXR file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

File Upload WordPress RCE +1
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resolve_import_directory() function in versions 4.5.4 to 4.5.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

File Upload WordPress RCE +1
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The Rich Shortcodes for Google Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the contents of a Google Review in all versions up to, and including, 6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially patched in version 6.6.2.

WordPress Google XSS +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A security vulnerability in for WordPress is vulnerable to Insecure Direct Object Reference in all (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

The 10Web Booster - Website speed optimization, Cache & Page Speed optimizer plugin for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the get_cache_dir_for_page_from_url() function in all versions up to, and including, 2.32.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary folders on the server, which can easily lead to a loss of data or a denial of service condition.

Path Traversal WordPress Denial Of Service +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The CSS3 Buttons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'button' shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The TR Timthumb plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Ultra Skype Button plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btn_id' parameter of the [ultra_skype] shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Social Feed Gallery Portfolio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the [igp-wp] shortcode in all versions up to, and including, 1.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The CSV Sumotto plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` variable in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The RevInsite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `token` parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap_button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Extra Post Images plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the extra-images shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A remote code execution vulnerability in for WordPress is vulnerable to Missing Authorization in (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Authentication Bypass WordPress PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Cute News Ticker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The WP Landing Page plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9.3. This is due to missing nonce validation on the 'wplp_api_update_text' function. This makes it possible for unauthenticated attackers to update arbitrary post meta via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CSRF WordPress PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The myLCO plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER['PHP_SELF']` parameter in all versions up to, and including, 0.8.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

WordPress XSS PHP
NVD
Prev Page 34 of 194 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy