| Metric | Value |
|---|---|
| CVEs | 5870 |
| Critical | 379 |
| High | 1291 |
| KEV | 0 |
| PoC | 538 |
| Unpatched C/H | 1499 |
| Patch Rate | 10.0% |
| Avg EPSS | 0.6% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 379 |
| HIGH | 1291 |
| MEDIUM | 3786 |
| LOW | 72 |
Monthly CVE Trend
Affected Products (30)

| Product / Category | CVEs |
|---|---|
| PHP | 3485 |
| Deserialization | 103 |
| Woocommerce | 39 |
| AI / ML | 21 |
| Industrial | 19 |
| Open Redirect | 17 |
| Ltl Freight Quotes | 13 |
| Givewp | 9 |
| Ninja Forms | 9 |
| Wsdesk | 8 |
| Booster For Woocommerce | 8 |
| Wp Job Portal | 8 |
| Ads Pro | 7 |
| Gdpr Cookie Compliance | 7 |
| Sureforms | 7 |
| Download Manager | 7 |
| Everest Forms | 6 |
| Forminator Forms | 6 |
| Buddyboss Platform | 6 |
| Wpbookit | 6 |
| Royal Elementor Addons | 6 |
| Form Maker | 6 |
| Wp Recall | 6 |
| School Management System | 5 |
| Podlove Podcast Publisher | 5 |
| Zoomsounds | 5 |
| Profilegrid | 5 |
| Wp Project Manager | 5 |
| Motors Car Dealer Classifieds Listing | 5 |
| Jobcareer | 5 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2020-36847 | The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions. | CRITICAL | 9.8 | 86.1% | 155 | PoC |
| CVE-2025-2563 | The User Registration & Membership WordPress plugin before version 4.1.2 fails to prevent users from setting their account role when the Membership Addon is enabled. This allows unauthenticated users to register with administrator privileges, bypassing all intended access controls. | HIGH | 8.1 | 83.9% | 144 | PoC, No patch |
| CVE-2025-34077 | The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user, including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts. | CRITICAL | 10.0 | 72.4% | 142 | PoC, No patch |
| CVE-2020-36849 | The AIT CSV Import/Export WordPress plugin through version 3.0.3 allows unauthorized arbitrary file uploads without file type validation. The upload handler in upload-handler.php is accessible without authentication, enabling remote attackers to deploy PHP webshells and achieve code execution on the WordPress server. | CRITICAL | 9.8 | 72.2% | 141 | PoC, No patch |
| CVE-2025-1661 | The HUSKY Products Filter Professional for WooCommerce plugin through version 1.3.6.5 contains a critical Local File Inclusion vulnerability via the template parameter of the woof_text_search AJAX action. Unauthenticated attackers can include and execute arbitrary PHP files, leading to remote code execution on any WordPress site with the plugin. | CRITICAL | 9.8 | 91.4% | 140 | |
| CVE-2025-7441 | The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server. | CRITICAL | 9.8 | 69.7% | 139 | PoC, No patch |
| CVE-2025-3102 | The SureTriggers WordPress plugin through version 1.0.78 contains an authentication bypass due to a missing empty-value check on the secret_key in the autheticate_user function. On installations where the plugin API key is not configured, unauthenticated attackers can create administrative accounts and take over the WordPress site. | HIGH | 8.1 | 86.6% | 127 | No patch |
| CVE-2025-2294 | The Kubio AI Page Builder WordPress plugin through version 2.5.1 contains an unauthenticated Local File Inclusion via the kubio_hybrid_theme_load_template function. Attackers can include and execute arbitrary PHP files on the server, achieving remote code execution through techniques like PHP filter chains or log poisoning. | CRITICAL | 9.8 | 56.9% | 126 | PoC, No patch |
| CVE-2025-13486 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | CRITICAL | 9.8 | 75.3% | 124 | No patch |
| CVE-2024-11613 | The WordPress File Upload plugin through version 4.24.15 contains critical vulnerabilities in wfu_file_downloader.php enabling remote code execution, arbitrary file read, and arbitrary file deletion. The lack of proper sanitization on the source parameter, combined with user-defined directory paths, allows unauthenticated attackers to fully compromise the server. | CRITICAL | 9.8 | 66.1% | 115 | |
| CVE-2020-36848 | The Total Upkeep WordPress backup plugin through version 1.14.9 exposes backup file locations via env-info.php and restore-info.json. Unauthenticated attackers can discover and download complete site backups containing the database, wp-config.php with credentials, and all uploaded files. | HIGH | 7.5 | 56.2% | 114 | PoC |
| CVE-2024-8425 | The WooCommerce Ultimate Gift Card plugin through version 2.6.0 contains unauthenticated arbitrary file uploads in the mail preview and cart functions. Insufficient file type validation allows attackers to upload PHP webshells through the gift card functionality, achieving remote code execution on e-commerce sites. | CRITICAL | 9.8 | 63.0% | 112 | No patch |
| CVE-2025-2011 | The Depicter Slider & Popup Builder WordPress plugin through version 3.6.1 contains an unauthenticated SQL injection via the 's' search parameter. Insufficient escaping allows attackers to append additional SQL queries, extracting the entire WordPress database without authentication. | HIGH | 7.5 | 52.4% | 110 | PoC, No patch |
| CVE-2024-12824 | The Nokri Job Board WordPress theme through version 1.6.2 contains a privilege escalation via account takeover. The password reset handler fails to check for empty token values, allowing unauthenticated attackers to reset any user's password, including administrators, by submitting an empty verification token. | CRITICAL | 9.8 | 58.7% | 108 | No patch |
| CVE-2025-1323 | The WP-Recall - Registration, Profile, Commerce & More plugin for WordPress is vulnerable to SQL Injection via the 'databeat' parameter in all versions up to, and including, 16.26.10 due to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, requires no authentication, and has low attack complexity. EPSS exploitation probability 53.2%. | HIGH | 7.5 | 53.2% | 91 | |