| Metric | Value |
|---|---|
| CVEs | 2212 |
| Critical | 119 |
| High | 481 |
| KEV | 0 |
| PoC | 59 |
| Unpatched C/H | 572 |
| Patch Rate | 3.3% |
| Avg EPSS | 0.1% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 119 |
| HIGH | 481 |
| MEDIUM | 1589 |
| LOW | 16 |
Monthly CVE Trend
Affected Products (30)

| Product | CVEs |
|---|---|
| PHP | 2591 |
| Open Redirect | 16 |
| Ltl Freight Quotes | 13 |
| Industrial | 12 |
| AI / ML | 12 |
| Ninja Forms | 9 |
| Givewp | 9 |
| Wsdesk | 8 |
| Wp Job Portal | 8 |
| Ads Pro | 7 |
| Gdpr Cookie Compliance | 7 |
| Sureforms | 7 |
| Wp Recall | 6 |
| Zoomsounds | 6 |
| Booster For Woocommerce | 6 |
| Royal Elementor Addons | 6 |
| Everest Forms | 6 |
| Wpbookit | 6 |
| Form Maker | 6 |
| Forminator Forms | 6 |
| Buddyboss Platform | 6 |
| Jobcareer | 5 |
| Golang | 5 |
| School Management System | 5 |
| Wp Project Manager | 5 |
| Quiz Maker | 5 |
| Profilegrid | 5 |
| Jupiter X Core | 5 |
| Email Subscribers Newsletters | 5 |
| Learnpress | 5 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-13486 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | CRITICAL | 9.8 | 75.3% | 124 | No patch |
| CVE-2025-13390 | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | CRITICAL | 10.0 | 0.7% | 71 | PoC |
| CVE-2026-3584 | The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction. | CRITICAL | 9.8 | 0.2% | 69 | PoC, No patch |
| CVE-2026-3220 | The Autoptimize WordPress plugin before 3.1.15, Clearfy Cache WordPress plugin before 2.4.2, Speed Optimizer WordPress plugin before 7.7.9 are vulne | HIGH | 8.8 | 0.0% | 64 | PoC |
| CVE-2026-32834 | Hardcoded authentication bypass in Easy PayPal Events & Tickets plugin allows unauthenticated remote attackers to retrieve sensitive order data by supplying 'test' as the hash parameter to the QR code scanning endpoint. Attackers can access PayPal transaction IDs, customer emails, purchase amounts, and ticket information for any order by enumerating post IDs. Public exploit code exists on GitHub, significantly lowering the exploitation barrier. The plugin was officially closed by WordPress.org on 2026-03-18, leaving installations vulnerable with no future patches. | HIGH | 8.7 | 0.1% | 64 | PoC, No patch |
| CVE-2026-4935 | Unauthenticated attackers can exploit SQL injection in OttoKit: All-in-One Automation Platform WordPress plugin versions before 1.1.23 due to improper input sanitization in SQL statement construction. The vulnerability allows remote attackers to extract sensitive data and modify database contents without authentication, though integrity impact is limited. Publicly available exploit code exists, and a patch has been released by the vendor. | HIGH | 8.6 | 0.0% | 63 | PoC |
| CVE-2026-3830 | SQL injection in Product Filter for WooCommerce by WBW plugin versions below 3.1.3 allows unauthenticated remote attackers to extract sensitive database contents including user credentials, customer data, and order information. The vulnerability requires no authentication (CVSS PR:N) and has low attack complexity with publicly available exploit code. EPSS data not available, but the combination of unauthenticated access, public POC, and WordPress's large attack surface creates substantial real-world risk for unpatched WooCommerce installations. | HIGH | 8.6 | 0.0% | 63 | PoC |
| CVE-2026-6379 | The WP Photo Album Plus WordPress plugin before 9.1.11.001 does not properly sanitize and escape a parameter before using it in a SQL query, allowing | HIGH | 8.6 | 0.0% | 63 | PoC |
| CVE-2026-7862 | Unauthenticated refund abuse in the Eupago Gateway for WooCommerce WordPress plugin before 4.7.2 lets remote attackers trigger refunds on arbitrary WooCommerce orders using the merchant's own payment gateway credentials, and for certain payment methods divert the refunded funds to an attacker-controlled bank account. The CVSS 8.6 score reflects the network-reachable, no-auth, no-interaction attack path against a financial workflow; publicly available exploit code exists per WPScan, though there is no public exploit identified at time of analysis confirming active exploitation in CISA KEV. | HIGH | 8.6 | 0.0% | 63 | PoC |
| CVE-2026-22850 | SQL injection in Koko Analytics for WordPress prior to version 2.1.3 allows unauthenticated attackers to inject malicious SQL through the public tracking endpoint, which gets stored unescaped and executed when administrators export and reimport analytics data. Public exploit code exists for this vulnerability, enabling attackers to execute arbitrary SQL commands including database manipulation and potential data destruction. The vulnerability affects WordPress installations using vulnerable versions of the Koko Analytics plugin and requires administrator interaction with a malicious export file to fully exploit. | HIGH | 8.3 | 0.1% | 62 | PoC |
| CVE-2026-41471 | Unauthenticated attackers can enumerate and exfiltrate all customer order records from Easy PayPal Events & Tickets plugin for WordPress through an exposed QR code scanning endpoint. The scan_qr.php file accepts sequential WordPress post IDs without authentication, enabling complete database harvesting of payment and customer information. Publicly available exploit code exists, but no evidence of active exploitation (not in CISA KEV). The plugin was officially closed and removed from WordPress.org on 2026-03-18, leaving existing installations vulnerable with no official patch path. | HIGH | 8.2 | 0.2% | 61 | PoC, No patch |
| CVE-2026-4896 | Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public. | HIGH | 8.1 | 0.0% | 61 | PoC, No patch |
| CVE-2021-47866 | GuardTourService contains a vulnerability that allows attackers to potentially execute code with elevated system privileges (CVSS 7.8). | HIGH | 7.8 | 0.0% | 59 | PoC, No patch |
| CVE-2025-13000 | The db-access WordPress plugin through 0.8.7 does not have authorization in an AJAX action, allowing any authenticated users, such as subscriber, to perform SQLi attacks | HIGH | 7.7 | 0.0% | 59 | PoC, No patch |
| CVE-2026-2262 | Unauthenticated information disclosure in WordPress Easy Appointments plugin ≤3.12.21 exposes customer appointment data via unprotected REST API endpoint. Remote attackers without authentication can extract full names, email addresses, phone numbers, IP addresses, appointment descriptions, and pricing information through `/wp-json/wp/v2/eablocks/ea_appointments/`. CVSS score 7.5 (High) with EPSS data not yet available. Patch released in version 3.12.22 per WordPress plugin repository changeset. No active exploitation confirmed (not in CISA KEV), but the trivial exploit complexity (AV:N/AC:L/PR:N/UI:N) and privacy impact make this a priority for sites handling sensitive appointment data. | HIGH | 7.5 | 0.0% | 58 | PoC, No patch |