Skip to main content

WordPress

Vendor security scorecard – 4298 CVEs in the selected period

Period: 30d 90d 6m 1y All
Risk 9545
4298
CVEs
287
Critical
991
High
0
KEV
336
PoC
1189
Unpatched C/H
5.2%
Patch Rate
0.2%
Avg EPSS

Severity Breakdown

CRITICAL
287
HIGH
991
MEDIUM
2967
LOW
37

Monthly CVE Trend

Top Risky CVEs

CVE Summary Severity CVSS EPSS Priority Signals
CVE-2025-11749 The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint when the No-Auth URL feature is enabled. Unauthenticated attackers can extract this token to gain full API access, compromising AI assistant configurations and potentially accessing connected LLM provider API keys. CRITICAL 9.8 85.9% 170
PoC No patch
CVE-2025-13486 The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. CRITICAL 9.8 75.3% 159
PoC No patch
CVE-2012-10027 WP-Property plugin for WordPress through version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 73.7%. CRITICAL 9.3 73.7% 155
PoC No patch
CVE-2025-7441 The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server. CRITICAL 9.8 69.7% 154
PoC No patch
CVE-2012-10026 The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 66.5%. CRITICAL 10.0 66.5% 152
PoC No patch
CVE-2012-10025 The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 46.0%. CRITICAL 10.0 46.0% 131
PoC No patch
CVE-2026-4257 Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis. CRITICAL 9.8 0.2% 84
PoC No patch
CVE-2025-11833 The Post SMTP - Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.8% and no vendor patch available. CRITICAL 9.8 12.8% 82
PoC No patch
CVE-2025-8085 The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%. HIGH 8.6 18.1% 81
PoC No patch
CVE-2025-12139 The File Manager for Google Drive - Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 22.0% and no vendor patch available. HIGH 7.5 22.0% 80
PoC No patch
CVE-2025-13138 The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3% and no vendor patch available. HIGH 7.5 17.3% 75
PoC No patch
CVE-2025-11307 The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. HIGH 8.8 7.0% 71
PoC No patch
CVE-2025-13390 The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. CRITICAL 10.0 0.7% 71
PoC
CVE-2025-5947 The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. CRITICAL 9.8 1.1% 70
PoC No patch
CVE-2026-49777 Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed. CRITICAL 10.0 0.1% 70
PoC

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy