17379
CVEs
1202
Critical
3712
High
3
KEV
5479
PoC
4029
Unpatched C/H
20.0%
Patch Rate
2.0%
Avg EPSS
Severity Breakdown
CRITICAL
1202
HIGH
3712
MEDIUM
12264
LOW
187
Monthly CVE Trend
Affected Products (30)
PHP
4377
Debian Linux
88
Open Redirect
69
Royal Elementor Addons
44
Download Manager
43
Essential Addons For Elementor
40
Tutor Lms
37
Ninja Forms
36
Givewp
35
Photo Gallery
34
Learnpress
31
Ultimate Member
29
The Plus Addons For Elementor
29
Contest Gallery
28
Premium Addons For Elementor
27
Element Pack
27
Contact Form
27
Website Builder
26
Booster For Woocommerce
26
Quiz And Survey Master
25
Profilepress
25
Mstore Api
25
Happy Addons For Elementor
25
Shortcodes Ultimate
23
Wpbot
23
Beaver Builder
23
Email Subscribers Newsletters
23
Gutenberg Blocks With Ai
22
Wp Fastest Cache
21
Elementor Addon Elements
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2016-10045 | The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.4%. | CRITICAL | 9.8 | 93.4% | 177 |
PoC
|
| CVE-2023-6553 | The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.3%. | CRITICAL | 9.8 | 93.3% | 177 |
PoC
|
| CVE-2024-5084 | The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'file_upload_action' function in all versions up to,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.2%. | CRITICAL | 9.8 | 93.2% | 177 |
PoC
|
| CVE-2024-8353 | The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.16.1 via deserialization of untrusted input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 91.9%. | CRITICAL | 9.8 | 91.9% | 176 |
PoC
|
| CVE-2020-36847 | The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions. | CRITICAL | 9.8 | 86.1% | 170 |
PoC
|
| CVE-2025-11749 | The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint when the No-Auth URL feature is enabled. Unauthenticated attackers can extract this token to gain full API access, compromising AI assistant configurations and potentially accessing connected LLM provider API keys. | CRITICAL | 9.8 | 85.9% | 170 |
PoC
No patch
|
| CVE-2016-1209 | The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 80.6%. | CRITICAL | 9.8 | 80.6% | 165 |
PoC
No patch
|
| CVE-2024-4443 | The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the ‘listingfields’ parameter in all versions up to, and. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 94.0%. | CRITICAL | 9.8 | 94.0% | 163 |
PoC
|
| CVE-2024-1698 | SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote attackers to append arbitrary SQL queries via the 'type' parameter and exfiltrate sensitive database contents. Publicly available exploit code exists and the EPSS score of 93.74% (100th percentile) indicates very high probability of exploitation attempts in the wild, though the CVE is not currently listed in CISA KEV. | CRITICAL | 9.8 | 93.7% | 163 |
PoC
|
| CVE-2023-6875 | The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.7%. | CRITICAL | 9.8 | 93.7% | 163 |
PoC
No patch
|
| CVE-2024-1512 | The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union based SQL Injection via the 'user' parameter of the /lms/stm-lms/order/items REST. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.6%. | CRITICAL | 9.8 | 93.6% | 163 |
PoC
No patch
|
| CVE-2024-3495 | The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' parameters in versions up to, and including, 2.7.2 due to insufficient escaping on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 93.4%. | CRITICAL | 9.8 | 93.4% | 162 |
PoC
No patch
|
| CVE-2025-3102 | The SureTriggers WordPress plugin through version 1.0.78 contains an authentication bypass due to a missing empty value check on the secret_key in the autheticate_user function. On installations where the plugin API key is not configured, unauthenticated attackers can create administrative accounts and take over the WordPress site. | HIGH | 8.1 | 86.6% | 162 |
PoC
No patch
|
| CVE-2024-4295 | The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.9%. | CRITICAL | 9.8 | 92.9% | 162 |
PoC
|
| CVE-2024-9989 | The Crypto plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.18. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 92.6%. | CRITICAL | 9.8 | 92.6% | 162 |
PoC
No patch
|