| Metric | Value |
|---|---|
| CVEs | 3779 |
| Critical | 257 |
| High | 818 |
| KEV | 0 |
| PoC | 117 |
| Unpatched C/H | 1006 |
| Patch Rate | 5.3% |
| Avg EPSS | 0.3% |
Severity Breakdown

| Severity | Count |
|---|---|
| CRITICAL | 257 |
| HIGH | 818 |
| MEDIUM | 2672 |
| LOW | 25 |
Monthly CVE Trend
Affected Products (30)

| Product / Category | CVEs |
|---|---|
| PHP | 2591 |
| Open Redirect | 16 |
| Ltl Freight Quotes | 13 |
| Industrial | 12 |
| AI / ML | 12 |
| Ninja Forms | 9 |
| Givewp | 9 |
| Wsdesk | 8 |
| Wp Job Portal | 8 |
| Ads Pro | 7 |
| Gdpr Cookie Compliance | 7 |
| Sureforms | 7 |
| Wp Recall | 6 |
| Zoomsounds | 6 |
| Booster For Woocommerce | 6 |
| Royal Elementor Addons | 6 |
| Everest Forms | 6 |
| Wpbookit | 6 |
| Form Maker | 6 |
| Forminator Forms | 6 |
| Buddyboss Platform | 6 |
| Jobcareer | 5 |
| Golang | 5 |
| School Management System | 5 |
| Wp Project Manager | 5 |
| Quiz Maker | 5 |
| Profilegrid | 5 |
| Jupiter X Core | 5 |
| Email Subscribers Newsletters | 5 |
| Learnpress | 5 |
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2020-36847 | The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulnerability. Attackers can upload PHP files disguised with image extensions and then rename them back to .php using the plugin's built-in rename functionality, bypassing all upload restrictions. | CRITICAL | 9.8 | 86.1% | 155 | PoC |
| CVE-2025-34077 | The Pie Register WordPress plugin versions up to 3.7.1.4 contain an authentication bypass that allows unauthenticated attackers to log in as any user including administrators. By submitting a crafted POST request with social_site=true and a target user_id_social_site value, attackers generate valid WordPress sessions for arbitrary accounts. | CRITICAL | 10.0 | 72.4% | 142 | PoC; No patch |
| CVE-2020-36849 | The AIT CSV Import/Export WordPress plugin through version 3.0.3 allows unauthorized arbitrary file uploads without file type validation. The upload handler in upload-handler.php is accessible without authentication, enabling remote attackers to deploy PHP webshells and achieve code execution on the WordPress server. | CRITICAL | 9.8 | 72.2% | 141 | PoC; No patch |
| CVE-2025-7441 | The StoryChief WordPress plugin through version 1.0.42 contains an unauthenticated arbitrary file upload via the /wp-json/storychief/webhook REST API endpoint. Insufficient file type validation allows attackers to upload executable PHP files, achieving remote code execution on the WordPress server. | CRITICAL | 9.8 | 69.7% | 139 | PoC; No patch |
| CVE-2025-13486 | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Remote Code Execution in versions 0.9.0.5 through 0.9.1.1 via the prepare_form() function. This is due to the function accepting user input and then passing that through call_user_func_array(). This makes it possible for unauthenticated attackers to execute arbitrary code on the server, which can be leveraged to inject backdoors or create new administrative user accounts. | CRITICAL | 9.8 | 75.3% | 124 | No patch |
| CVE-2020-36848 | The Total Upkeep WordPress backup plugin through version 1.14.9 exposes backup file locations via env-info.php and restore-info.json. Unauthenticated attackers can discover and download complete site backups containing the database, wp-config.php with credentials, and all uploaded files. | HIGH | 7.5 | 56.2% | 114 | PoC |
| CVE-2025-8085 | The Ditty WordPress plugin before 3.1.58 lacks authorization and authentication for requests to its displayItems endpoint, allowing unauthenticated visitors to make requests to arbitrary URLs. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.1%. | HIGH | 8.6 | 18.1% | 81 | PoC; No patch |
| CVE-2025-47608 | A remote code execution vulnerability in sonalsinha21 Recover abandoned cart for WooCommerce allows SQL Injection (CVSS 9.3). Risk factors: EPSS 32% exploitation probability. | CRITICAL | 9.3 | 31.8% | 78 | No patch |
| CVE-2025-4334 | The Simple User Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3. This is due to insu | CRITICAL | 9.8 | 29.3% | 78 | No patch |
| CVE-2025-6934 | The Opal Estate Pro - Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering. | CRITICAL | 9.8 | 23.6% | 73 | No patch |
| CVE-2025-6058 | The WPBookit WordPress plugin (versions ≤1.0.4) contains a critical arbitrary file upload vulnerability in the image_upload_handle() function due to missing file type validation, allowing unauthenticated attackers to upload malicious files and potentially achieve remote code execution. With a CVSS score of 9.8, network-accessible attack vector, and no authentication requirement, this vulnerability poses an immediate and severe threat to any WordPress installation using the affected plugin. | CRITICAL | 9.8 | 21.7% | 71 | |
| CVE-2025-13390 | The WP Directory Kit plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.4.4 due to incorrect implementation of the authentication algorithm in the "wdk_generate_auto_login_link" function. This is due to the feature using a cryptographically weak token generation mechanism. This makes it possible for unauthenticated attackers to gain administrative access and achieve full site takeover via the auto-login endpoint with a predictable token. | CRITICAL | 10.0 | 0.7% | 71 | PoC |
| CVE-2025-6970 | The Events Manager - Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in all versions up to, and including, 7.0.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | HIGH | 7.5 | 32.5% | 70 | |
| CVE-2025-4578 | SQL injection in File Provider WordPress plugin through 1.2.3. PoC available. | CRITICAL | 9.8 | 0.3% | 69 | PoC; No patch |
| CVE-2026-3584 | The Kali Forms plugin for WordPress contains a critical remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary code on the server. All versions up to and including 2.4.9 are affected, including the popular 'Kali Forms - Contact Form & Drag-and-Drop Builder' plugin by WPChill. The vulnerability carries a critical CVSS score of 9.8 due to its network-based attack vector, low complexity, and lack of required authentication or user interaction. | CRITICAL | 9.8 | 0.2% | 69 | PoC; No patch |