4298
CVEs
287
Critical
991
High
0
KEV
336
PoC
1189
Unpatched C/H
5.2%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
287
HIGH
991
MEDIUM
2967
LOW
37
Monthly CVE Trend
Affected Products (30)
PHP
4375
Debian Linux
88
Open Redirect
69
Royal Elementor Addons
44
Download Manager
43
Essential Addons For Elementor
40
Tutor Lms
37
Ninja Forms
36
Givewp
35
Photo Gallery
34
Learnpress
31
Ultimate Member
29
The Plus Addons For Elementor
29
Contest Gallery
28
Element Pack
27
Premium Addons For Elementor
27
Contact Form
27
Booster For Woocommerce
26
Website Builder
26
Profilepress
25
Mstore Api
25
Quiz And Survey Master
25
Happy Addons For Elementor
25
Shortcodes Ultimate
23
Wpbot
23
Email Subscribers Newsletters
23
Beaver Builder
23
Gutenberg Blocks With Ai
22
Wp Fastest Cache
21
Elementor Addon Elements
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-11749 | The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint when the No-Auth URL feature is enabled. Unauthenticated attackers can extract this token to gain full API access, compromising AI assistant configurations and potentially accessing connected LLM provider API keys. | CRITICAL | 9.8 | 85.9% | 170 |
PoC
No patch
|
| CVE-2025-13486 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | CRITICAL | 9.8 | 75.3% | 159 |
PoC
No patch
|
| CVE-2012-10027 | WP-Property plugin for WordPress through version 1.35.0 contains an unauthenticated file upload vulnerability in the third-party `uploadify.php` script. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 73.7%. | CRITICAL | 9.3 | 73.7% | 155 |
PoC
No patch
|
| CVE-2025-7441 | The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server. | CRITICAL | 9.8 | 69.7% | 154 |
PoC
No patch
|
| CVE-2012-10026 | The WordPress plugin Asset-Manager version 2.0 and below contains an unauthenticated arbitrary file upload vulnerability in upload.php. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 66.5%. | CRITICAL | 10.0 | 66.5% | 152 |
PoC
No patch
|
| CVE-2012-10025 | The WordPress plugin Advanced Custom Fields (ACF) version 3.5.1 and below contains a remote file inclusion (RFI) vulnerability in core/actions/export.php. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 46.0%. | CRITICAL | 10.0 | 46.0% | 131 |
PoC
No patch
|
| CVE-2026-4257 | Remote code execution in Contact Form by Supsystic plugin for WordPress (all versions ≤1.7.36) allows unauthenticated attackers to execute arbitrary PHP functions and OS commands via Server-Side Template Injection. Attackers exploit the plugin's unsandboxed Twig template engine by injecting malicious Twig expressions through GET parameters in the cfsPreFill functionality, leveraging registerUndefinedFilterCallback() to register arbitrary PHP callbacks. CVSS 9.8 (Critical) with network-accessible, low-complexity attack vector requiring no authentication. EPSS data not provided, but the combination of unauthenticated RCE in a widely-deployed WordPress plugin represents severe real-world risk. No KEV status confirmed at time of analysis. | CRITICAL | 9.8 | 0.2% | 84 |
PoC
No patch
|
| CVE-2025-11833 | The Post SMTP - Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 12.8% and no vendor patch available. | CRITICAL | 9.8 | 12.8% | 82 |
PoC
No patch
|
| CVE-2025-8085 | The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%. | HIGH | 8.6 | 18.1% | 81 |
PoC
No patch
|
| CVE-2025-12139 | The File Manager for Google Drive - Integrate Google Drive with WordPress plugin for WordPress is vulnerable to sensitive information exposure in all versions up to, and including, 1.5.3 via the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 22.0% and no vendor patch available. | HIGH | 7.5 | 22.0% | 80 |
PoC
No patch
|
| CVE-2025-13138 | The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'columns_search' parameter of the select_2_ajax() function in all versions up to, and including, 1.4.3 due to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Epss exploitation probability 17.3% and no vendor patch available. | HIGH | 7.5 | 17.3% | 75 |
PoC
No patch
|
| CVE-2025-11307 | The WP Go Maps (formerly WP Google Maps) WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | HIGH | 8.8 | 7.0% | 71 |
PoC
No patch
|
| CVE-2025-13390 | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | CRITICAL | 10.0 | 0.7% | 71 |
PoC
|
| CVE-2025-5947 | The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via authentication bypass in all versions up to, and including, 6.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.8 | 1.1% | 70 |
PoC
No patch
|
| CVE-2026-49777 | Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|