WordPress

Vendor security scorecard – 459 CVEs in the selected period

Risk score: 704
CVEs: 459
Critical: 18
High: 89
KEV: 0
PoC: 18
Unpatched C/H: 103
Patch Rate: 3.1%
Avg EPSS: 0.0%

Severity Breakdown

CRITICAL: 18
HIGH: 89
MEDIUM: 260
LOW: 2

Monthly CVE Trend

Top Risky CVEs

Columns: CVE | Severity | CVSS | EPSS | Priority | Signals, with the summary on the following line.

CVE-2026-4896 | HIGH | CVSS 8.1 | EPSS 0.0% | Priority 61 | Signals: PoC, No patch
Summary: Insecure Direct Object Reference in WCFM Frontend Manager for WooCommerce (versions ≤6.7.25) allows authenticated vendors to manipulate arbitrary orders and delete any WordPress posts, products, or pages beyond their ownership scope. Exploitation requires only vendor-level credentials (PR:L) with no user interaction, enabling privilege escalation through unauthorized access to store-wide content. EPSS data not available; no public exploit identified at time of analysis, though the vulnerability's straightforward IDOR nature increases weaponization risk once details are public.

CVE-2026-4338 | HIGH | CVSS 7.5 | EPSS 0.0% | Priority 58 | Signals: PoC, No patch
Summary: Improper access control in the ActivityPub WordPress plugin before 8.0.2 exposes draft, scheduled, and pending posts to unauthenticated remote users, resulting in a confidentiality breach. This information disclosure vulnerability (CVSS 7.5) allows network-based attackers to access unpublished content without authentication or user interaction. Publicly available exploit code exists, though there is no confirmed active exploitation (not in CISA KEV). The EPSS score of 0.02% (6th percentile) suggests low current exploitation probability despite PoC availability, but the SSVC framework marks it as automatable with partial technical impact.

CVE-2026-1540 | HIGH | CVSS 7.2 | EPSS 0.0% | Priority 56 | Signals: PoC, No patch
Summary: Remote code execution in the Spam Protect for Contact Form 7 WordPress plugin before version 1.2.10 allows authenticated users with editor-level privileges to achieve arbitrary code execution by crafting malicious headers that are logged to a PHP file. The vulnerability is publicly exploitable with proof-of-concept code available, making it a critical risk for WordPress installations using affected plugin versions.

CVE-2025-15433 | MEDIUM | CVSS 6.8 | EPSS 0.0% | Priority 54 | Signals: PoC, No patch
Summary: The Shared Files WordPress plugin before version 1.7.58 contains a path traversal vulnerability that allows attackers with Contributor-level privileges or higher to download arbitrary files from the web server, including sensitive configuration files such as wp-config.php. A public proof-of-concept exploit is available, making this vulnerability actively exploitable in the wild. This represents a critical information disclosure risk for WordPress installations using affected versions of the plugin.

CVE-2025-14545 | MEDIUM | CVSS 6.5 | EPSS 0.1% | Priority 53 | Signals: PoC, No patch
Summary: Remote code execution in the YML for Yandex Market WordPress plugin in versions before 5.0.26 allows unauthenticated remote attackers to execute arbitrary code through the feed generation process. The vulnerability has a CVSS score of 6.5 and publicly available exploit code exists. Exploitation requires only network access with no user interaction, making it relatively straightforward to weaponize despite the low EPSS score (0.09%), which suggests limited real-world exploitation activity at the time of analysis.

CVE-2025-15488 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: The Responsive Plus WordPress plugin before version 3.4.3 contains an arbitrary shortcode execution vulnerability that allows unauthenticated attackers to execute malicious shortcodes through the update_responsive_woo_free_shipping_left_shortcode AJAX action. The vulnerability stems from improper validation of the content_rech_data parameter before it is processed as a shortcode, effectively enabling remote code execution in the context of the WordPress installation. A public proof-of-concept exploit is available via WPScan, and this vulnerability poses an immediate threat to all unpatched installations of the affected plugin versions.

CVE-2026-4432 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: Unauthenticated attackers can rename arbitrary wishlists on WordPress sites running YITH WooCommerce Wishlist before version 4.13.0 due to insufficient ownership validation in the save_title() AJAX handler. The attack relies on a nonce publicly exposed in the wishlist page source, allowing attackers to modify wishlist names for any user without authentication. While the CVSS score of 6.5 reflects moderate integrity and confidentiality impact, the EPSS score of 0.02% (percentile 6%) and low real-world exploitation probability suggest this is a niche risk affecting only sites using this specific plugin, though publicly available exploit code exists.

CVE-2026-4079 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: SQL injection in the SQL Chart Builder WordPress plugin before version 2.3.8 allows remote attackers to execute arbitrary SQL queries through the dynamic filter functionality due to improper input escaping. The vulnerability affects all versions before 2.3.8, requires no authentication or user interaction, and carries a moderate CVSS score of 6.5 with low real-world exploitation probability (EPSS 0.02%). Publicly available exploit code exists, though the low EPSS percentile suggests limited active exploitation relative to the attack surface.

CVE-2026-1900 | MEDIUM | CVSS 6.5 | EPSS 0.0% | Priority 53 | Signals: PoC, No patch
Summary: Unauthenticated attackers can modify plugin settings via a publicly accessible REST endpoint in the Link Whisper Free WordPress plugin before version 0.9.1, enabling information disclosure and unauthorized configuration changes. The vulnerability has publicly available exploit code and affects all versions prior to 0.9.1. Although the CVSS score is 6.5 (medium), the EPSS score of 0.02% indicates very low real-world exploitation probability despite public PoC availability.

CVE-2025-15363 | MEDIUM | CVSS 5.9 | EPSS 0.0% | Priority 50 | Signals: PoC, No patch
Summary: The Get Use APIs WordPress plugin before version 2.0.10 contains a Cross-Site Scripting (XSS) vulnerability that arises from unsanitized execution of imported JSON data. This vulnerability allows attackers with contributor-level privileges (a low-level WordPress role) to inject and execute malicious scripts under certain server configurations, potentially compromising site integrity and user data. A public proof-of-concept exploit is available via WPScan, and the vulnerability has been documented in multiple intelligence sources (WPScan, VulDB, and EUVD-2025-208813), indicating active awareness in the security community.

CVE-2026-4003 | CRITICAL | CVSS 9.8 | EPSS 0.4% | Priority 49 | Signals: No patch
Summary: Arbitrary user metadata modification in the Users Manager - PN plugin for WordPress (versions ≤1.1.15) allows unauthenticated remote attackers to escalate privileges and hijack accounts. The vulnerability stems from flawed authorization logic in userspn_ajax_nopriv_server() that fails to verify authentication when user_id is supplied, combined with publicly exposed nonce values. Attackers can modify critical user metadata, including userspn_secret_token, for any WordPress user. CVSS 9.8 (Critical). EPSS data not available. No public exploit identified at time of analysis, but exploitation requires only HTTP requests with predictable parameters.

CVE-2026-3535 | CRITICAL | CVSS 9.8 | EPSS 0.3% | Priority 49 | Signals: No patch
Summary: Remote code execution in the DSGVO Google Web Fonts GDPR WordPress plugin (all versions ≤1.1) allows unauthenticated attackers to upload PHP webshells via arbitrary file upload. The DSGVOGWPdownloadGoogleFonts() function, exposed through wp_ajax_nopriv_ hooks, accepts user-supplied URLs without file type validation and writes content to publicly accessible directories. Exploitation requires the target site to use specific themes (twentyfifteen, twentyseventeen, twentysixteen, storefront, salient, or shapely). The CVSS 9.8 Critical rating reflects a network-accessible, unauthenticated attack vector with full system compromise potential. No public exploit identified at time of analysis, though the vulnerability class (CWE-434 unrestricted file upload) is well understood and commonly weaponized.

CVE-2026-3584 | CRITICAL | CVSS 9.8 | EPSS 0.2% | Priority 49 | Signals: PoC, No patch
Summary: The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction.

CVE-2026-4257 | CRITICAL | CVSS 9.8 | EPSS 0.2% | Priority 49 | Signals: No patch
Summary: Remote code execution in the Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with a network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but unauthenticated RCE in a widely deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis.

CVE-2026-3300 | CRITICAL | CVSS 9.8 | EPSS 0.2% | Priority 49 | Signals: No patch
Summary: Remote code execution in the Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.
