1378
CVEs
97
Critical
394
High
0
KEV
219
PoC
426
Unpatched C/H
9.0%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
97
HIGH
394
MEDIUM
874
LOW
13
Monthly CVE Trend
Affected Products (30)
PHP
4373
Debian Linux
88
Open Redirect
69
Royal Elementor Addons
44
Download Manager
43
Essential Addons For Elementor
40
Tutor Lms
37
Ninja Forms
36
Givewp
35
Photo Gallery
34
Learnpress
31
Ultimate Member
29
The Plus Addons For Elementor
29
Contest Gallery
28
Premium Addons For Elementor
27
Element Pack
27
Contact Form
27
Booster For Woocommerce
26
Website Builder
26
Profilepress
25
Quiz And Survey Master
25
Happy Addons For Elementor
25
Mstore Api
25
Shortcodes Ultimate
23
Wpbot
23
Beaver Builder
23
Email Subscribers Newsletters
23
Gutenberg Blocks With Ai
22
Elementor Addon Elements
21
Wp Fastest Cache
21
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2026-49777 | Backdoor/malicious code implant in the ShapedPlugin Product Slider Pro for WooCommerce WordPress plugin (versions before 3.5.3) allows remote unauthenticated attackers full compromise of the hosting site with CVSS 10.0 and a scope-changing vector. The Patchstack reference characterizes this as a backdoor vulnerability, and no public exploit has been identified at the time of analysis, though the trivial nature of supply-chain implants means abuse is plausible. Notably, the vendor patched the existing release without bumping the version number, so administrators cannot reliably tell whether their installation is fixed. | CRITICAL | 10.0 | 0.1% | 70 |
PoC
|
| CVE-2026-12415 | Account takeover in the Invoice Generator (Pravel) plugin for WordPress through version 1.0.0 lets unauthenticated attackers hijack any account, including administrators. The pravel_invoice_edit_account() AJAX handler is registered for unauthenticated users and calls wp_update_user() with attacker-supplied user_id and user_email without any capability check, nonce, or ownership verification, so an attacker can overwrite an admin's email and then drive the password-reset flow to seize the account. Rated CVSS 9.8 and reported by Wordfence; no public exploit identified at time of analysis and it is not in CISA KEV. | CRITICAL | 9.8 | 0.7% | 70 |
PoC
No patch
|
| CVE-2026-12417 | Unauthenticated account takeover in the SignUp & SignIn WordPress plugin (versions ≤ 1.0.0) allows remote attackers to reset any user's password - including administrators - via the unauthenticated `pravel_change_password` AJAX action. No public exploit identified at time of analysis, but the trivially-bypassable empty-string comparison and AV:N/AC:L/PR:N/UI:N vector make exploitation essentially one HTTP request. The plugin's small footprint likely keeps EPSS low, but any site running it is fully exposed. | CRITICAL | 9.8 | 0.5% | 69 |
PoC
No patch
|
| CVE-2026-12416 | Account takeover in the Invoice Generator WordPress plugin (versions through 1.0.0) allows unauthenticated remote attackers to reset the password of any user, including administrators, by abusing the nopriv `pravel_invoice_change_password()` AJAX handler. Reported by Wordfence with a CVSS of 9.8 and tagged for RCE potential via subsequent admin compromise; no public exploit identified at time of analysis, though the trivial nature of the bug makes weaponization straightforward. | CRITICAL | 9.8 | 0.4% | 69 |
PoC
No patch
|
| CVE-2026-10580 | Unauthenticated administrator account takeover in the Hippoo Mobile App for WooCommerce WordPress plugin (versions ≤ 1.9.4) allows remote attackers to reset any user's password - including the site administrator's - by sending a single crafted POST request to a cloned REST route. The root cause is a logic conflation in HippooPermissions::get_user_permissions() that returns the same null sentinel for both administrators and anonymous visitors, which is then interpreted as full admin access. No public exploit identified at time of analysis, but the trivial exploitation path and 9.8 CVSS score make this an urgent patch priority for any WordPress site running the plugin. | CRITICAL | 9.8 | 0.3% | 69 |
PoC
No patch
|
| CVE-2026-8181 | Authentication bypass in the Burst Statistics WordPress plugin versions 3.4.0 through 3.4.1.1 allows unauthenticated remote attackers to impersonate any administrator whose username they know by supplying an arbitrary Basic Authentication password. The flaw resides in flawed return-value handling within the `is_mainwp_authenticated()` function used to validate application passwords from the Authorization header, enabling privilege escalation per request. No public exploit identified at time of analysis, and EPSS is low (0.26%), but the CVSS 9.8 score and SSVC 'total' technical impact mark it as a high-severity authentication bypass worth prioritizing. | CRITICAL | 9.8 | 0.3% | 69 |
PoC
No patch
|
| CVE-2026-8935 | The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that is publicly emitted on any fron | CRITICAL | 9.8 | 0.1% | 69 |
PoC
|
| CVE-2026-3844 | Arbitrary file upload in Breeze Cache for WordPress allows unauthenticated remote attackers to upload malicious files and achieve remote code execution on vulnerable servers. Exploitation requires the non-default 'Host Files Locally - Gravatars' feature to be enabled. While CVSS rates this 9.8 critical, real-world exposure is limited by the disabled-by-default configuration requirement. No public exploit code or CISA KEV listing identified at time of analysis, though Wordfence threat intelligence has disclosed technical details including vulnerable code paths. | CRITICAL | 9.8 | 0.1% | 69 |
PoC
No patch
|
| CVE-2026-11563 | Arbitrary file deletion in the Word Count and Social Shares WordPress plugin (versions through 1.0) lets any authenticated low-privilege user, including a Subscriber, delete any file the web server can reach because the plugin neither validates the supplied file path nor enforces authorization or CSRF protection. Deleting critical files such as wp-config.php can trigger WordPress's setup/installation flow and enable a full site takeover. Publicly available exploit code exists (reported by WPScan); there is no public exploit identified as actively used, and the issue is not on the CISA KEV list. | CRITICAL | 9.6 | 0.1% | 68 |
PoC
No patch
|
| CVE-2018-25436 | WordPress Plugin Baggage Freight Shipping Australia 0.1.0 contains an unrestricted file upload vulnerability that allows unauthenticated attackers to upload arbitrary files by exploiting the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.7% | 67 |
PoC
No patch
|
| CVE-2022-50972 | WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.6% | 67 |
PoC
No patch
|
| CVE-2019-25763 | WordPress Ultimate Addons for Beaver Builder 1.2.4.1 contains an authentication bypass vulnerability that allows attackers to gain unauthorized access by exploiting the social media login form. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available. | CRITICAL | 9.3 | 0.4% | 67 |
PoC
|
| CVE-2021-47965 | WordPress Plugin WP Super Edit 2.5.4 and earlier contains an unrestricted file upload vulnerability in the FCKeditor component that allows attackers to upload dangerous file types without validation. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.2% | 67 |
PoC
No patch
|
| CVE-2023-54352 | WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.2% | 67 |
PoC
No patch
|
| CVE-2024-58348 | WordPress Background Image Cropper version 1.2 contains a remote code execution vulnerability that allows unauthenticated attackers to upload arbitrary files by accessing the ups.php endpoint. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available. | CRITICAL | 9.3 | 0.2% | 67 |
PoC
No patch
|