Skip to main content

WordPress

Vendor security scorecard – 17379 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 70867
17379
CVEs
1202
Critical
3712
High
3
KEV
5479
PoC
4029
Unpatched C/H
20.0%
Patch Rate
2.0%
Avg EPSS

Severity Breakdown

CRITICAL
1202
HIGH
3712
MEDIUM
12264
LOW
187

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2016-10045 The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.4%. CRITICAL 9.8 93.4% 177
PoC
CVE-2023-6553 The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.3%. CRITICAL 9.8 93.3% 177
PoC
CVE-2024-5084 The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.2%. CRITICAL 9.8 93.2% 177
PoC
CVE-2024-8353 The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%. CRITICAL 9.8 91.9% 176
PoC
CVE-2020-36847 The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions. CRITICAL 9.8 86.1% 170
PoC
CVE-2025-11749 The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint when the No-Auth URL feature is enabled. Unauthenticated attackers can extract this token to gain full API access, compromising AI assistant configurations and potentially accessing connected LLM provider API keys. CRITICAL 9.8 85.9% 170
PoC No patch
CVE-2016-1209 The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.6%. CRITICAL 9.8 80.6% 165
PoC No patch
CVE-2024-4443 The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%. CRITICAL 9.8 94.0% 163
PoC
CVE-2024-1698 SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to append arbitrary SQL queries via the 'type' parameter and exfiltrate sensitive database contents. Publicly available exploit code exists and the EPSS score of 93.74% (100th percentile) indicates very high probability of exploitation attempts in the wild, though the CVE is not currently listed in CISA KEV. CRITICAL 9.8 93.7% 163
PoC
CVE-2023-6875 The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.7%. CRITICAL 9.8 93.7% 163
PoC No patch
CVE-2024-1512 The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.6%. CRITICAL 9.8 93.6% 163
PoC No patch
CVE-2024-3495 The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.4%. CRITICAL 9.8 93.4% 162
PoC No patch
CVE-2025-3102 The SureTriggers WordPress plugin through version 1.0.78 contains an authentication bypass due to a missing empty value check on the secret_key in the autheticate_user function. On installations where the plugin API key is not configured, unauthenticated attackers can create administrative accounts and take over the WordPress site. HIGH 8.1 86.6% 162
PoC No patch
CVE-2024-4295 The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.9%. CRITICAL 9.8 92.9% 162
PoC
CVE-2024-9989 The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.6%. CRITICAL 9.8 92.6% 162
PoC No patch

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy