Joomla

Vendor security scorecard – 47 CVEs in the selected period

Risk score: 265
CVEs: 47
Critical: 16
High: 20
KEV (known exploited): 0
PoC (public exploit available): 0
Unpatched critical/high: 36
Patch rate: 0.0%
Avg EPSS: 0.2%

Severity Breakdown

CRITICAL: 16
HIGH: 20
MEDIUM: 9
LOW: 1

Monthly CVE Trend (chart; no data reproduced in text)

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, followed by the summary.

CVE-2025-30085 | CRITICAL | CVSS 9.2 | EPSS 0.8% | Priority 47 | Signals: No patch
A remote code execution vulnerability (CVSS 9.2). Critical severity with potential for significant impact on affected systems.

CVE-2025-24773 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: No patch
Critical SQL injection vulnerability in the WPCRM plugin (versions up to 3.2.0) for WordPress, affecting deployments integrating Contact Form 7 and WooCommerce. An unauthenticated remote attacker can execute arbitrary SQL commands with high confidence (CVSS 9.3, EPSS score likely elevated) to extract sensitive customer relationship and transaction data, though direct data modification and system availability impacts are limited. Immediate patching is strongly recommended for all affected installations.

CVE-2025-47573 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: No patch
Blind SQL injection vulnerability in mojoomla School Management that allows unauthenticated network attackers to extract sensitive data from the application's database without direct visibility of query results. The vulnerability affects School Management versions up to 92.0.0 and carries a CVSS score of 9.3, indicating critical severity. The attack requires no user interaction, no privileges, and low complexity, making it highly exploitable in real-world scenarios.

CVE-2025-49467 | CRITICAL | CVSS 9.3 | EPSS 0.1% | Priority 47 | Signals: No patch
Critical unauthenticated SQL injection vulnerability in the JEvents component for Joomla that allows remote attackers to execute arbitrary SQL queries through publicly accessible date range filtering actions. The vulnerability affects JEvents versions before 3.6.88 and 3.6.82.1, enabling attackers to extract sensitive database information, modify data, or potentially achieve remote code execution. With a CVSS score of 9.3 and a network-based attack vector requiring no privileges or user interaction, this represents a severe risk to all unpatched Joomla installations using vulnerable JEvents versions.

CVE-2025-32303 | CRITICAL | CVSS 9.3 | EPSS 0.0% | Priority 47 | Signals: No patch
WPCHURCH WordPress plugin (through 2.7.0) has blind SQL injection with scope change, enabling unauthenticated extraction of the full WordPress database.

CVE-2025-40636 | CRITICAL | CVSS 9.3 | EPSS 0.0% | Priority 47 | Signals: No patch
SQL injection in Joomla mod_vvisit_counter v2.0.4j3.

CVE-2026-21625 | HIGH | CVSS 8.8 | EPSS 0.0% | Priority 44 | Signals: No patch
Arbitrary file upload in Joomla's Easy Discuss component allows authenticated attackers to bypass file validation by spoofing extensions, since the component relies solely on extension checks without verifying MIME types. An attacker with user privileges can upload malicious files to achieve remote code execution on affected systems. No patch is currently available.

CVE-2025-49468 | HIGH | CVSS 8.6 | EPSS 0.2% | Priority 43 | Signals: No patch
A SQL injection vulnerability (CWE-89) exists in the No Boss Calendar Joomla component versions prior to 5.0.7, allowing authenticated users with high privileges to execute arbitrary SQL commands through the id_module parameter. The vulnerability has a CVSS 4.0 score of 8.6 with high impact on confidentiality, integrity, and availability of the database. While the attack requires high-privilege authenticated access, successful exploitation could lead to complete database compromise, data exfiltration, or system takeover.

CVE-2025-39357 | HIGH | CVSS 8.5 | EPSS 0.2% | Priority 43 | Signals: No patch
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla Hospital Management System allows SQL Injection.0(20-11-2023). Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable with low attack complexity. No vendor patch available.

CVE-2025-32465 | HIGH | CVSS 8.5 | EPSS 0.1% | Priority 43 | Signals: No patch
RSTickets! component for Joomla versions 1.9.12 through 3.3.0 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts into the application, which are then executed in the browsers of other users who view the affected content. With a CVSS score of 8.5 and requiring a low privilege level plus user interaction, this vulnerability poses a significant risk to Joomla installations using vulnerable RSTickets! versions, particularly in multi-user environments where attackers can escalate privileges or steal administrative credentials.

CVE-2025-32304 | HIGH | CVSS 8.1 | EPSS 0.1% | Priority 41 | Signals: No patch
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mojoomla WPCHURCH allows PHP Local File Inclusion. This issue affects WPCHURCH: from n/a through 2.7.0.

CVE-2025-32549 | HIGH | CVSS 7.5 | EPSS 0.2% | Priority 38 | Signals: No patch
A security vulnerability in mojoomla WPGYM allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

CVE-2025-47572 | HIGH | CVSS 7.5 | EPSS 0.2% | Priority 38 | Signals: No patch
A security vulnerability in mojoomla School Management allows PHP Local File Inclusion (CVSS 7.5). High severity vulnerability requiring prompt remediation.

CVE-2025-39392 | HIGH | CVSS 7.1 | EPSS 0.2% | Priority 36 | Signals: No patch
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla WPAMS allows Reflected XSS.0 (17-08-2023). Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. No vendor patch available.

CVE-2025-24774 | HIGH | CVSS 7.1 | EPSS 0.0% | Priority 36 | Signals: No patch
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mojoomla WPCRM - CRM for Contact form CF7 & WooCommerce allows Reflected XSS. This issue affects WPCRM - CRM for Contact form CF7 & WooCommerce: from n/a through 3.2.0.
