WordPress

Vendor security scorecard – 2487 CVEs in the selected period

Risk: 3528
CVEs: 2487
Critical: 136
High: 474
KEV (listed in CISA's Known Exploited Vulnerabilities catalog): 0
PoC (public proof-of-concept available): 31
Unpatched Critical/High: 596
Patch rate: 1.7%
Average EPSS (Exploit Prediction Scoring System): 0.2%

Severity Breakdown

Critical: 136
High: 474
Medium: 1593
Low: 14

The four buckets account for 2217 of the 2487 CVEs in the period; the remaining 270 are not placed in any severity bucket on this card.

Monthly CVE Trend (chart; values not reproduced in the text)

Top Risky CVEs

Each entry lists: CVE | Severity | CVSS | EPSS (probability of exploitation in the next 30 days) | Priority (the scorecard's composite ranking score; higher sorts earlier) | Signals (KEV, PoC, No patch), followed by the summary. Where a summary names a fixed version ("before 1.2.10", "prior to 2.1.3") but the entry still carries the No patch signal, verify against the plugin changelog rather than relying on the signal alone.

CVE-2025-13486 | CRITICAL | CVSS 9.8 | EPSS 75.3% | Priority 124 | Signals: No patch
Summary: The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to remote code execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function, which accepts user input and passes it to call_user_func_array(). Unauthenticated attackers can therefore execute arbitrary code on the server, which can be leveraged to plant backdoors or create new administrator accounts. An EPSS of 75.3% is far above the 0.2% vendor average shown above; treat affected sites as likely to be targeted and prioritise them over everything else in this list.

CVE-2025-13390 | CRITICAL | CVSS 10.0 | EPSS 0.7% | Priority 71 | Signals: PoC
Summary: The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to and including 1.4.4 because of an incorrectly implemented authentication algorithm in the wdk_generate_auto_login_link function: the feature uses a cryptographically weak token generation mechanism, so auto-login tokens are predictable. Unauthenticated attackers can obtain administrative access through the auto-login endpoint and take over the site.

CVE-2026-22850 | HIGH | CVSS 8.3 | EPSS 0.1% | Priority 62 | Signals: PoC
Summary: SQL injection in Koko Analytics for WordPress prior to version 2.1.3. Unauthenticated attackers can inject SQL through the public tracking endpoint; the payload is stored unescaped and executes when an administrator exports and then reimports analytics data (a second-order injection). Public exploit code exists, and a successful injection can run arbitrary SQL, including manipulating or destroying data. Full exploitation requires an administrator to process a malicious export file.

CVE-2026-4896 | HIGH | CVSS 8.1 | EPSS 0.0% | Priority 61 | Signals: PoC, No patch
Summary: Insecure direct object reference in WCFM Frontend Manager for WooCommerce (versions up to and including 6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress post, product or page outside their ownership scope. Exploitation requires only vendor-level credentials (PR:L) and no user interaction, so a single vendor account gets store-wide write access. The analysis notes that EPSS data was not available and no public exploit had been identified at the time it was written, although the Signals column now flags a PoC; the straightforward nature of an IDOR makes weaponization likely once details are public.

CVE-2021-47866 | HIGH | CVSS 7.8 | EPSS 0.0% | Priority 59 | Signals: PoC, No patch
Summary: GuardTourService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges. The summary does not say how GuardTourService relates to WordPress; confirm the affected component before acting on this entry.

CVE-2025-13000 | HIGH | CVSS 7.7 | EPSS 0.0% | Priority 59 | Signals: PoC, No patch
Summary: The db-access WordPress plugin through 0.8.7 lacks an authorization check on an AJAX action, so any authenticated user, including a Subscriber, can perform SQL injection through it.

CVE-2026-2025 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC, No patch
Summary: Unauthenticated disclosure of WordPress user email addresses in Mail Mint plugin versions before 1.19.5 through an unprotected REST API endpoint allows remote attackers to enumerate users. Public exploit code exists. The scorecard records no patch, although the affected range (before 1.19.5) implies that 1.19.5 addresses the issue; confirm against the plugin changelog. All installations below the fixed version are affected.

CVE-2026-4338 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC, No patch
Summary: Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled and pending posts to unauthenticated remote users: network-based attackers can read unpublished content without authentication or user interaction. Public exploit code exists, but there is no confirmed active exploitation (not in CISA KEV). The EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite the PoC, while the SSVC assessment marks it as automatable with partial technical impact.

CVE-2026-1540 | HIGH | CVSS 7.2 | EPSS 0.0% | Priority 56 | Signals: PoC, No patch
Summary: Remote code execution in the Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10: authenticated users with Editor-level privileges can craft malicious request headers that the plugin logs into a PHP file, which the server then executes. Proof-of-concept code is public, so affected installations face a serious risk even though the Editor-level prerequisite keeps the CVSS at 7.2.

CVE-2025-15433 | MEDIUM | CVSS 6.8 | EPSS 0.0% | Priority 54 | Signals: PoC, No patch
Summary: The Shared Files WordPress plugin before version 1.7.58 contains a path traversal vulnerability that allows attackers with Contributor-level privileges or higher to download arbitrary files from the web server, including wp-config.php, which holds the database credentials and authentication salts. A public proof-of-concept makes exploitation straightforward, so despite the Medium rating this is a serious information disclosure for affected installations; a leaked wp-config.php should be handled as a credential compromise (rotate the database password and the salts).

CVE-2025-14545 | MEDIUM | CVSS 6.5 | EPSS 0.1% | Priority 53 | Signals: PoC, No patch
Summary: Remote code execution in the YML for Yandex Market WordPress plugin before version 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. Public exploit code exists, and exploitation needs only network access with no user interaction, so it is straightforward to weaponize; the low EPSS score (0.09%) indicates limited observed exploitation activity at the time of analysis, not low exploitability.

CVE-2025-15488 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: The Responsive Plus WordPress plugin before version 3.4.3 allows unauthenticated attackers to execute arbitrary shortcodes through the update_responsive_woo_free_shipping_left_shortcode AJAX action, because the content_rech_data parameter is processed as a shortcode without validation. Arbitrary shortcode execution lets the attacker invoke any shortcode registered on the site with attacker-chosen attributes; the real impact therefore depends on which other plugins and themes are installed, and can reach code execution or data exposure where a sufficiently powerful shortcode is present. A public proof-of-concept is available via WPScan, so unpatched installations should treat this as an immediate threat.

CVE-2026-4432 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 because the save_title() AJAX handler does not validate wishlist ownership. The nonce the handler checks is exposed in the public wishlist page source, so it offers no protection; a WordPress nonce is a CSRF token, not an authorization check. The CVSS score of 6.5 reflects moderate impact, the EPSS score of 0.02% (6th percentile) suggests low real-world exploitation, and only sites running this plugin are exposed, although public exploit code exists.

CVE-2026-4079 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: SQL injection in the SQL Chart Builder WordPress plugin before version 2.3.8 allows remote attackers to execute arbitrary SQL queries through the dynamic filter functionality because input is not properly escaped. All versions before 2.3.8 are affected, no authentication or user interaction is required, and public exploit code exists; the low EPSS (0.02%) suggests limited active exploitation so far relative to the attack surface.

CVE-2026-1900 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: Unauthenticated attackers can modify plugin settings through a publicly accessible REST endpoint in the Link Whisper Free WordPress plugin before version 0.9.1, enabling information disclosure and unauthorized configuration changes. Public exploit code exists and all versions prior to 0.9.1 are affected. The CVSS score is 6.5 (medium); the EPSS score of 0.02% indicates very low observed exploitation so far despite the public PoC.
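The CVE-2025-13390 entry turns on one point: an auto-login token that can be predicted. The following is an added example, not code from WP Directory Kit or any other plugin on this page, showing what a one-time login token should look like beside the weak shape it replaces. The function names, the 600-second lifetime and the in-memory $store array are assumptions for illustration; inside WordPress the store would be user meta or a transient. It runs stand-alone under PHP 8 with `php token.php`.

```php
<?php
// Added example (not code from WP Directory Kit or any plugin on this page).
// Function names, TTL and the in-memory $store are assumptions for illustration.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 600;  // assumed lifetime: long enough to click, short enough to limit replay
const TOKEN_BYTES       = 32;   // 256 bits from the CSPRNG

// Weak shape (contrast only, never used for real logins): derived from values an
// attacker can know or brute-force offline. Anyone who guesses the user ID and the
// approximate issue time recomputes the token; md5 adds nothing.
function weak_token(int $user_id, int $issued_at): string {
    return md5($user_id . $issued_at);
}

// Issue a token. Only its hash is stored, so a database read (for example through one
// of the SQL injection entries on this page) does not hand out live login links.
function issue_login_token(array &$store, int $user_id, int $now): string {
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $store[$user_id] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + TOKEN_TTL_SECONDS,
    ];
    return $token; // embedded in the link exactly once, never logged
}

// Redeem a token: bounded lifetime, constant-time comparison, consumed on success.
// Returns the user ID to log in, or null on any failure.
function redeem_login_token(array &$store, int $user_id, string $presented, int $now): ?int {
    if (!isset($store[$user_id])) {
        return null;
    }
    $rec = $store[$user_id];
    if ($now > $rec['expires']) {
        unset($store[$user_id]);
        return null;
    }
    // hash_equals compares in constant time, so response timing does not reveal
    // how many leading bytes of a guess were correct.
    if (!hash_equals($rec['hash'], hash('sha256', $presented))) {
        return null;
    }
    unset($store[$user_id]); // single use
    return $user_id;
}

// Self-checks on a constructed store; a failure throws instead of printing.
function check(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$store = [];
$now   = 1700000000; // constructed clock value

$t = issue_login_token($store, 7, $now);
check(strlen($t) === 2 * TOKEN_BYTES, 'token length');
check(redeem_login_token($store, 7, $t, $now) === 7, 'valid token logs in');
check(redeem_login_token($store, 7, $t, $now) === null, 'replay is refused');

$t = issue_login_token($store, 7, $now);
check(redeem_login_token($store, 7, $t, $now + TOKEN_TTL_SECONDS + 1) === null, 'expired token is refused');

$t = issue_login_token($store, 7, $now);
check(redeem_login_token($store, 7, 'not-the-token', $now) === null, 'wrong token is refused');
check(redeem_login_token($store, 7, $t, $now) === 7, 'real token still works after a failed guess');

// The weak shape is reproducible by anyone holding the same two public inputs.
check(weak_token(7, $now) === weak_token(7, $now), 'weak token is deterministic');
echo "all checks passed\n";
```

When porting this into a plugin, keep the three properties together: the token comes from random_bytes(), only its hash is persisted, and redemption checks expiry and compares with hash_equals() before it is deleted. Dropping any one of them reintroduces a weaker version of the same bug.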
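Several entries above (CVE-2025-13000, CVE-2026-2025, CVE-2026-4338, CVE-2026-1900, CVE-2026-4079) share one root cause: an AJAX action or REST route that anyone can reach, sometimes combined with SQL built by string concatenation. The following is an added example, not code from any plugin on this page, of the hardened shape for both kinds of endpoint. It assumes it is loaded inside WordPress (for instance as a file in wp-content/mu-plugins/); the x_ prefix, the x_items table, the x_settings option, the hook names and the manage_options capability are assumptions. All WordPress functions used are core APIs.

```php
<?php
/**
 * Plugin Name: Scorecard example: authorized AJAX and REST handlers
 *
 * Added example, not code from any plugin on this page. Assumes it runs inside
 * WordPress (e.g. wp-content/mu-plugins/). The x_ prefix, table, option, hook
 * names and required capability are assumptions for illustration.
 */

// Vulnerable shape, for contrast only (never register this): reachable without a
// login because of wp_ajax_nopriv_, no nonce, no capability check, and the SKU is
// concatenated straight into SQL.
//
//   add_action('wp_ajax_nopriv_x_lookup', function () {
//       global $wpdb;
//       $wpdb->get_results("SELECT * FROM {$wpdb->prefix}x_items WHERE sku = '" . $_GET['sku'] . "'");
//   });

// Hardened AJAX handler.
function x_lookup_handler(): void {
    // The nonce ties the request to a page this site rendered for this user (CSRF).
    // It is not an authorization check: any logged-in user can obtain one.
    check_ajax_referer('x_lookup', 'nonce');

    // Authorization is separate from authentication. Subscribers can log in but
    // must not reach data-access actions (the db-access entry above).
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $sku = sanitize_text_field(wp_unslash($_GET['sku'] ?? ''));

    global $wpdb;
    $table = $wpdb->prefix . 'x_items'; // assumed table name
    // Prepared statement: the value is bound with %s, never concatenated.
    $rows = $wpdb->get_results(
        $wpdb->prepare("SELECT id, sku, name FROM {$table} WHERE sku = %s", $sku),
        ARRAY_A
    );
    wp_send_json_success($rows);
}
// Registered for logged-in users only. With no wp_ajax_nopriv_x_lookup hook,
// anonymous requests get WordPress's default "0" / HTTP 400 response.
add_action('wp_ajax_x_lookup', 'x_lookup_handler');

// Wherever the admin script is enqueued, hand it the nonce it must send back:
//   wp_localize_script('x-admin', 'xLookup', ['nonce' => wp_create_nonce('x_lookup')]);

// Hardened REST route. The permission_callback is the whole difference between the
// Mail Mint / ActivityPub / Link Whisper entries above and a safe endpoint.
add_action('rest_api_init', function (): void {
    $can_manage = fn(): bool => current_user_can('manage_options');

    register_rest_route('x/v1', '/settings', [
        [
            'methods'             => WP_REST_Server::READABLE,
            'callback'            => fn(WP_REST_Request $r) => rest_ensure_response(get_option('x_settings', [])),
            'permission_callback' => $can_manage,
        ],
        [
            'methods'             => WP_REST_Server::EDITABLE,
            'callback'            => function (WP_REST_Request $r) {
                // Only the validated, typed parameter reaches storage.
                update_option('x_settings', ['threshold' => (int) $r->get_param('threshold')]);
                return rest_ensure_response(['ok' => true]);
            },
            'permission_callback' => $can_manage,
            // Schema validation runs before the callback; out-of-range or missing
            // values are rejected with a 400 without touching the option.
            'args' => [
                'threshold' => [
                    'type'     => 'integer',
                    'required' => true,
                    'minimum'  => 0,
                    'maximum'  => 100,
                ],
            ],
        ],
    ]);
});
```

Two points worth keeping in mind when reviewing a plugin against this shape. A REST route registered with `'permission_callback' => '__return_true'` is public by design and must return nothing that is not already public; user email addresses and unpublished posts never qualify. And for cookie-authenticated REST calls, WordPress treats a request without a valid X-WP-Nonce header as anonymous, so current_user_can() in the permission callback correctly fails for a cross-site request even from a logged-in browser.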

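CVE-2025-13486 (request data passed to call_user_func_array()) and CVE-2025-15488 (request data passed as a shortcode string) are the same mistake in two forms: untrusted input chooses which code runs. The following is an added example, not code from ACF Extended, Responsive Plus or any other plugin on this page, showing the vulnerable dispatch shape beside an allow-list dispatch. The handler names, the FORM_HANDLERS map and the request arrays are assumptions for illustration. It runs stand-alone under PHP 8 with `php dispatch.php`.

```php
<?php
// Added example (not code from ACF Extended or any plugin on this page).
// Handler names, FORM_HANDLERS and the request arrays are assumptions.
declare(strict_types=1);

// Vulnerable shape: the request supplies both the callable and its arguments.
// A request carrying callback=system&args[]=id runs the id command on the server.
// Kept only to make the contrast concrete; it is never invoked below with
// attacker-shaped input.
function prepare_form_vulnerable(array $request): mixed {
    return call_user_func_array($request['callback'], $request['args']);
}

// is_callable() is not a defence: it answers "does this function exist", and
// system, exec and passthru all exist. The fix is a developer-owned map.
const FORM_HANDLERS = [
    'uppercase' => 'handler_uppercase',
    'slugify'   => 'handler_slugify',
];

function handler_uppercase(string $value): string {
    return strtoupper($value);
}

function handler_slugify(string $value): string {
    return trim(preg_replace('/[^a-z0-9]+/', '-', strtolower($value)), '-');
}

// Fixed shape: request data selects a key; the callable comes from the map, and the
// argument is type- and length-checked before the handler sees it.
function prepare_form_fixed(array $request): string {
    $action = $request['action'] ?? null;
    if (!is_string($action) || !array_key_exists($action, FORM_HANDLERS)) {
        throw new InvalidArgumentException('unknown action');
    }
    $value = $request['value'] ?? '';
    if (!is_string($value) || strlen($value) > 200) {
        throw new InvalidArgumentException('bad value');
    }
    return (FORM_HANDLERS[$action])($value);
}

// The same rule for shortcodes (WordPress only, shown as a comment): never pass
// request data as the shortcode string. Render a fixed template and let user data
// in only as an escaped attribute value:
//   do_shortcode('[x_free_shipping_left amount="' . esc_attr($amount) . '"]');
// compared with the vulnerable  do_shortcode($_POST['content_rech_data']).

// Self-checks on constructed requests.
function check(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

check(prepare_form_fixed(['action' => 'slugify', 'value' => 'Hello World!']) === 'hello-world', 'slugify');
check(prepare_form_fixed(['action' => 'uppercase', 'value' => 'abc']) === 'ABC', 'uppercase');

$rejected = false;
try {
    // The attacker's "callback" never reaches a call site: it is just an unknown key.
    prepare_form_fixed(['action' => 'system', 'value' => 'id']);
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
check($rejected, 'attacker-chosen function name is rejected');

$rejected = false;
try {
    prepare_form_fixed(['action' => ['slugify'], 'value' => 'x']); // array instead of string
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
check($rejected, 'non-string action is rejected');
echo "all checks passed\n";
```

The map does not need to be a constant; a filterable array works as long as the request can only select a key, never supply a callable or a class name. The same reasoning applies to dynamic `new $class`, variable functions (`$fn()`) and `$obj->$method()` when any part comes from the request.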