CVE-2026-3666
Published 2026-03-02
CVE-2026-3666: CVE-2026-28804 [MEDIUM] CWE-407 pypdf vulnerable to inefficient decoding of ASCIIHexDecode streams
Priority P263high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.45% (35.7th percentile)
### Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires accessing a stream which uses the `/ASCIIHexDecode` filter.
### Patches
This has been fixed in [pypdf==6.7.5](https://github.com/py-pdf/pypdf/releases/tag/6.7.5).
### Workarounds
If you cannot upgrade yet, consider applying the changes from PR [#3666](https://github.com/py-pdf/pypdf/pull/3666).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pypdf_project | pypdf | >= 0 < 6.7.5 | 6.7.5 |
No detection rules found.
No public exploits indexed.
Wiz: CVE-2025-67469 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 8.8 · [HIGH]
## CVE-2025-67469: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in kubiq PDF Thumbnail Generator pdf-thumbnail-generator allows Cross Site Request Forgery. This issue affects PDF Thumbnail Generator: from n/a through <= 1.4.
Source: NVD
Score 8.8
Published December 9, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pdf-thumbnail-generator
Sources
NVD
Wiz: CVE-2025-69344 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2025-69344: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in themehunk Oneline Lite oneline-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Oneline Lite: from n/a through <= 6.6.
Source: NVD
Published January 7, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
oneline-lite
Sources
NVD
Wiz: CVE-2025-64242 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.3 · [MEDIUM]
## CVE-2025-64242: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.21.
Source: NVD
Score 4.3
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-property-listings
Sources
NVD
Wiz: CVE-2025-67516 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2025-67516: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Agile Logix Store Locator WordPress agile-store-locator allows Blind SQL Injection. This issue affects Store Locator WordPress: from n/a through <= 1.6.2.
Source: NVD
Score 9.8
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
agile-store-locator
Sources
NVD
Wiz: CVE-2026-24942 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-24942: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through <= 5.1.1.
Source: NVD
Score 4.3
Published February 3, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mage-eventpress
Sources
NVD
Wiz: CVE-2026-1886 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-1886: WordPress vulnerability analysis and mitigation
The Go Night Pro | WordPress Dark Mode Plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'go-night-pro-shortcode' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on the user-supplied 'margin' attribute. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz: CVE-2025-68534 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.5 · [MEDIUM]
## CVE-2025-68534: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PDF for WPForms: from n/a through <= 6.3.0.
Source: NVD
Score 6.5
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pdf-for-wpforms
Sources
NVD
Wiz: CVE-2025-69362 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.5 · [MEDIUM]
## CVE-2025-69362: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH UiChemy uichemy allows Stored XSS. This issue affects UiChemy: from n/a through <= 4.4.2.
Source: NVD
Score 6.5
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
uichemy
Sources
NVD
Wiz: CVE-2026-32484 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-32484: WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in BoldGrid weForms weforms allows Object Injection. This issue affects weForms: from n/a through <= 1.6.26.
Source: NVD
Score 8.8
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
weforms
Sources
NVD
Wiz: CVE-2025-67616 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 8.1 · [HIGH]
## CVE-2025-67616: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29.
Source: NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
mella
Sources
NVD
Wiz: CVE-2025-13519 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.1 · [MEDIUM]
## CVE-2025-13519: WordPress vulnerability analysis and mitigation
The SVG Map Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on multiple AJAX actions including 'save_data', 'delete_data', and 'add_popup'. This makes it possible for unauthenticated attackers to update the plugin's settings, delete map data, and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 6.1
Published January 7, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz: CVE-2026-1981 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-1981: WordPress vulnerability analysis and mitigation
The HUMN-1 AI Website Scanner & Human Certification by Winston AI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the winston_disconnect() function in all versions up to, and including, 0.0.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's API connection settings via the 'winston_disconnect' AJAX action.
Source: NVD
Score 4.3
Published March 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EP
Wiz: CVE-2025-62955 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2025-62955: WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in HappyDevs TempTool [Show Current Template Info] current-template-name allows Retrieve Embedded Sensitive Data. This issue affects TempTool [Show Current Template Info]: from n/a through <= 1.3.1.
Source: NVD
Published December 21, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
current-template-name
Sources
NVD
Wiz: CVE-2025-14906 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.3 · [MEDIUM]
## CVE-2025-14906: WordPress vulnerability analysis and mitigation
The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Wiz: CVE-2025-62117 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2025-62117: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Jayce53 EasyIndex easyindex allows Cross Site Request Forgery. This issue affects EasyIndex: from n/a through <= 1.1.1704.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easyindex
Sources
NVD
Wiz: CVE-2025-14853 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.3 · [MEDIUM]
## CVE-2025-14853: WordPress vulnerability analysis and mitigation
The LEAV Last Email Address Validator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions <= 1.7.1. This is due to missing or incorrect nonce validation on the display_settings_page function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published January 16, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Exploitation Probability (EPSS) N/A
Affect
Wiz: CVE-2025-67583 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 5.3 · [MEDIUM]
## CVE-2025-67583: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Foysal Imran IDonate idonate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects IDonate: from n/a through <= 2.1.15.
Source: NVD
Score 5.3
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
idonate
Sources
NVD
Wiz: CVE-2025-13409 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.9 · [MEDIUM]
## CVE-2025-13409: WordPress vulnerability analysis and mitigation
The Form Vibes – Database Manager for Forms plugin for WordPress is vulnerable to SQL Injection via the 'params' parameter in all versions up to, and including, 1.4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
Score 4.9
Published January 6, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz: CVE-2025-62990 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2025-62990: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in livemesh Livemesh Addons for Beaver Builder addons-for-beaver-builder allows Stored XSS. This issue affects Livemesh Addons for Beaver Builder: from n/a through <= 3.9.2.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
addons-for-beaver-builder
Sources
NVD
Wiz: CVE-2026-32482 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-32482: WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in deothemes Ona ona allows Upload a Web Shell to a Web Server. This issue affects Ona: from n/a through < 1.24.
Source: NVD
Score 9.9
Published March 25, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ona
Sources
NVD
Wiz: CVE-2025-64203 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2025-64203: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EverPress Mailster mailster allows Reflected XSS. This issue affects Mailster: from n/a through < 4.1.14.
Source: NVD
Score 7.1
Published December 18, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mailster
Sources
NVD
Wiz: CVE-2025-31054 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 7.1 · [HIGH]
## CVE-2025-31054: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Themefy Bloggie allows Reflected XSS. This issue affects Bloggie: from n/a through 2.0.8.
Source: NVD
Score 7.1
Published December 31, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bloggie
Sources
NVD
Wiz: CVE-2025-5919 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 6.5 · [MEDIUM]
## CVE-2025-5919: WordPress vulnerability analysis and mitigation
The Appointment Booking and Scheduling Calendar Plugin – WP Timetics plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the update and register_routes functions in all versions up to, and including, 1.0.36. This makes it possible for unauthenticated attackers to view and modify booking details.
Source: NVD
Score 6.5
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
timetics
Sources
NVD
Wiz: CVE-2026-25447 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-25447: WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection. This issue affects Widget Wrangler: from n/a through <= 2.3.9.
Source: NVD
Score 9.1
Published March 25, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
widget-wrangler
Sources
NVD
Wiz: CVE-2025-64231 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2025-64231: WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in RedefiningTheWeb WordPress Contact Form 7 PDF, Google Sheet & Database rtwwcfp-wordpress-contact-form-7-pdf allows Using Malicious Files. This issue affects WordPress Contact Form 7 PDF, Google Sheet & Database: from n/a through <= 3.0.0.
Source: NVD
Score 9.8
Published December 18, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
rtwwcfp-wordpress-contact-form-7-pdf
Sources
NVD
Wiz: CVE-2026-28019 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-28019: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Manoir manoir allows PHP Local File Inclusion. This issue affects Manoir: from n/a through <= 1.11.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
manoir
Sources
NVD
Wiz: CVE-2025-67598 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 4.3 · [MEDIUM]
## CVE-2025-67598: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in PSM Plugins SupportCandy supportcandy allows Cross Site Request Forgery. This issue affects SupportCandy: from n/a through <= 3.4.1.
Source: NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
supportcandy
Sources
NVD
Wiz: CVE-2026-28062 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-28062: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Happy Baby happy-baby allows PHP Local File Inclusion. This issue affects Happy Baby: from n/a through <= 1.2.12.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
happy-baby
Sources
NVD
Wiz: CVE-2025-53445 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 8.1 · [HIGH]
## CVE-2025-53445: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catwalk catwalk allows PHP Local File Inclusion. This issue affects Catwalk: from n/a through <= 1.4.
Source: NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
catwalk
Sources
NVD
Wiz: CVE-2026-25456 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-25456: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.8.
Source: NVD
Score 7.5
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
a2z-fedex-shipping
Sources
NVD
Wiz: CVE-2025-68980 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 8.1 · [HIGH]
## CVE-2025-68980: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in designthemes WeDesignTech Portfolio wedesigntech-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WeDesignTech Portfolio: from n/a through <= 1.0.2.
Source: NVD
Score 8.1
Published December 30, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wedesigntech-portfolio
Sources
NVD
Wiz: CVE-2025-60069 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 8.1 · [HIGH]
## CVE-2025-60069: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove MinimogWP minimog allows PHP Local File Inclusion. This issue affects MinimogWP: from n/a through <= 3.9.6.
Source: NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
minimog
Sources
NVD
Wiz: CVE-2025-66532 Impact, Exploitability, and Mitigation Steps
blogs_wiz · CVSS 8.8 · [HIGH]
## CVE-2025-66532: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Mikado-Themes Powerlift powerlift allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Powerlift: from n/a through < 3.2.1.
Source: NVD
Score 8.8
Published December 9, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
powerlift
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-2022 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2022: WordPress vulnerability analysis and mitigation
The Smart Forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'rednao_smart_forms_get_campaigns' AJAX action in all versions up to, and including, 2.6.99. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve donation campaign data including campaign IDs and names.
Source: NVD
Score 4.3
Published February 14, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
smart-forms
Wiz · blogs_wiz · CVSS 5.3
CVE-2025-14078 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14078: WordPress vulnerability analysis and mitigation
/wp-json/paygent/v1/check/
Source: NVD
Score 5.3
Published January 17, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woocommerce-for-paygent-payment-main
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1647 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1647: WordPress vulnerability analysis and mitigation
$_SERVER['PHP_SELF']
Source: NVD
Score 6.1
Published March 21, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
comment-genius
Sources
NVD
Wiz · blogs_wiz · CVSS 9.9
CVE-2025-69403 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69403: WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files. This issue affects Bravis Addons: from n/a through <= 1.3.0.
Source: NVD
Score 9.9
Published February 20, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bravis-addons
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-32499 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32499: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuantumCloud ChatBot chatbot allows Blind SQL Injection. This issue affects ChatBot: from n/a through <= 7.7.9.
Source: NVD
Score 9.3
Published March 25, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
chatbot
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-24576 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24576: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in COP UX Flat ux-flat allows Stored XSS. This issue affects UX Flat: from n/a through <= 5.4.0.
Source: NVD
Score 5.4
Published January 23, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ux-flat
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-22419 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22419: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Honor honor allows PHP Local File Inclusion. This issue affects Honor: from n/a through <= 2.3.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
honor
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-62996 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62996: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Code Amp Custom Layouts – Post + Product grids made easy custom-layouts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Custom Layouts – Post + Product grids made easy: from n/a through <= 1.4.12.
Source: NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
custom-layouts
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1401 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1401: WordPress vulnerability analysis and mitigation
The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn't sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode.
Source: NVD
Score 6.4
Published February 6, 2026
Severity MEDIUM
CNA Score 6.4
Wiz · blogs_wiz · CVSS 6.5
CVE-2025-62082 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62082: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nasir Uddin Generic Elements generic-elements-for-elementor allows Stored XSS. This issue affects Generic Elements: from n/a through <= 1.2.9.
Source: NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
generic-elements-for-elementor
Sources
NVD
Wiz · blogs_wiz · CVSS 7.5
CVE-2025-60086 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60086: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Matt WP Voting Contest wp-voting-contest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Voting Contest: from n/a through <= 5.8.
Source: NVD
Score 7.5
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-voting-contest
Sources
NVD
Wiz · blogs_wiz · CVSS 6.5
CVE-2025-60070 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60070: WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in The4 Molla molla allows Code Injection. This issue affects Molla: from n/a through <= 1.5.13.
Source: NVD
Score 6.5
Published December 18, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
molla
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-28024 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28024: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Helion helion allows PHP Local File Inclusion. This issue affects Helion: from n/a through <= 1.1.12.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
helion
Sources
NVD
Wiz · blogs_wiz · CVSS 9.3
CVE-2025-58951 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58951: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in smartcms Advance Seat Reservation Management for WooCommerce scw-seat-reservation allows SQL Injection. This issue affects Advance Seat Reservation Management for WooCommerce: from n/a through <= 3.1.
Source: NVD
Score 9.3
Published December 18, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
scw-seat-reservation
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-28084 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28084: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bazinga bazinga allows PHP Local File Inclusion. This issue affects Bazinga: from n/a through <= 1.1.9.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
bazinga
Sources
NVD
Wiz · blogs_wiz · CVSS 7.5
CVE-2025-67955 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67955: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion. This issue affects MyHome Core: from n/a through <= 4.1.0.
Source: NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
myhome-core
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-24958 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24958: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2.
Source: NVD
Score 6.5
Published February 3, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jet-elements
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-12884 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12884: WordPress vulnerability analysis and mitigation
placement_update_item()
Source: NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
advanced-ads
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-13851 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13851: WordPress vulnerability analysis and mitigation
The Buyent Classified plugin for WordPress (bundled with Buyent theme) is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.0.7. This is due to the plugin not validating or restricting the user role during registration via the REST API endpoint. This makes it possible for unauthenticated attackers to register accounts with arbitrary roles, including administrator, by manipulating the _buyent_classified_user_type parameter during the registration process, granting them complete control over the WordPress site.
Source: NVD
Score 9.8
Published February 19, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1373 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1373: WordPress vulnerability analysis and mitigation
The Easy Author Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'author_profile_picture_url' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-32528 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32528: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Riode riode allows Reflected XSS. This issue affects Riode: from n/a through < 1.6.29.
Source: NVD
Score 7.1
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
riode
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-62102 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62102: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in apasionados DoFollow Case by Case dofollow-case-by-case allows Cross Site Request Forgery. This issue affects DoFollow Case by Case: from n/a through <= 3.5.1.
Source: NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dofollow-case-by-case
Sources
NVD
Wiz · blogs_wiz · CVSS 5.4
CVE-2025-69352 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69352: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in StellarWP The Events Calendar the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar: from n/a through <= 6.15.12.2.
Source: NVD
Score 5.4
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
the-events-calendar
Sources
NVD
Wiz · blogs_wiz · CVSS 5.3
CVE-2025-66121 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66121: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in SiteGround SiteGround Security sg-security allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteGround Security: from n/a through <= 1.5.8.
Source: NVD
Score 5.3
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sg-security
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1826 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1826: WordPress vulnerability analysis and mitigation
The OpenPOS Lite – Point of Sale for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter of the order_qrcode shortcode in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published February 11, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-59137 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59137: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in eleopard Behance Portfolio Manager portfolio-manager-powered-by-behance allows Stored XSS. This issue affects Behance Portfolio Manager: from n/a through <= 1.7.5.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
portfolio-manager-powered-by-behance
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-25471 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25471: WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in Themepaste Admin Safety Guard admin-safety-guard allows Password Recovery Exploitation. This issue affects Admin Safety Guard: from n/a through <= 1.2.6.
Source: NVD
Published March 19, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
admin-safety-guard
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-62762 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62762: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in photoboxone SMTP Mail smtp-mail allows Cross Site Request Forgery. This issue affects SMTP Mail: from n/a through <= 1.3.47.
Source: NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
smtp-mail
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1926 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1926: WordPress vulnerability analysis and mitigation
wps_sfw_admin_cancel_susbcription()
init
wp_verify_nonce()
wps_subscription_id
Source: NVD
Score 5.3
Published March 18, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
subscriptions-for-woocommerce
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-62080 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62080: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Channelize.io Team Live Shopping & Shoppable Videos For WooCommerce live-shopping-video-streams allows Cross Site Request Forgery. This issue affects Live Shopping & Shoppable Videos For WooCommerce: from n/a through <= 2.2.0.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
live-shopping-video-streams
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-13139 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13139: WordPress vulnerability analysis and mitigation
The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Wiz · blogs_wiz · CVSS 6.5
CVE-2025-67543 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67543: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Catch Themes Essential Widgets essential-widgets allows Stored XSS. This issue affects Essential Widgets: from n/a through <= 2.2.2.
Source: NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
essential-widgets
Sources
NVD
Wiz · blogs_wiz · CVSS 6.3
CVE-2025-68552 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68552: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows PHP Local File Inclusion. This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.
Source: NVD
Score 6.3
Published February 20, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woo-coming-soon-product
Sources
NVD
Wiz
CVE-2025-68862 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2025-68862 [HIGH] CVE-2025-68862 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68862 :
WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal. This issue affects Woo File Dropzone: from n/a through <= 1.1.7.
Source : NVD
## 7.7
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woo-file-dropzone
Sources
NVD
Wiz
CVE-2025-63042 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-63042 [MEDIUM] CVE-2025-63042 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63042 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeum Tutor LMS Elementor Addons tutor-lms-elementor-addons allows Stored XSS. This issue affects Tutor LMS Elementor Addons: from n/a through <= 3.0.1.
Source : NVD
## 6.5
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tutor-lms-elementor-addons
Sources
NVD
Wiz
CVE-2025-14045 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14045 [MEDIUM] CVE-2025-14045 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14045 :
WordPress vulnerability analysis and mitigation
The URL Media Uploader plugin for WordPress is vulnerable to unauthorized safe file uploads due to a missing capability check on the url_media_uploader_url_upload_ajax_handler() function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload safe media files.
Source : NVD
## 4.3
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
url-media-uploader
Sources
NVD
Wiz
CVE-2026-27374 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27374 [CRITICAL] CVE-2026-27374 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27374 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in vanquish WooCommerce Order Details woocommerce-order-details allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Order Details: from n/a through <= 3.1.
Source : NVD
## 7.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-order-details
Sources
NVD
Wiz
CVE-2026-1307 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1307 [CRITICAL] CVE-2026-1307 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1307 :
WordPress vulnerability analysis and mitigation
The Ninja Forms - The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.14.1 via a callback function for the admin_enqueue_scripts action handler in blocks/bootstrap.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to gain access to an authorization token to view form submissions for arbitrary forms, which could potentially contain sensitive information.
Source : NVD
## 6.5
Score
Published March 28, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exp
Wiz
CVE-2025-66068 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-66068 [MEDIUM] CVE-2025-66068 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66068 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects InstaWP Connect: from n/a through <= 0.1.1.9.
Source : NVD
## 6.5
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
instawp-connect
Sources
NVD
Wiz
CVE-2026-25369 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25369 [CRITICAL] CVE-2026-25369 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25369 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexmls Flexmls® IDX flexmls-idx allows Reflected XSS. This issue affects Flexmls® IDX: from n/a through <= 3.15.9.
Source : NVD
Published March 16, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
flexmls-idx
Sources
NVD
Wiz
CVE-2026-1072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1072 [CRITICAL] CVE-2026-1072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1072 :
WordPress vulnerability analysis and mitigation
The Keybase.io Verification plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.5. This is due to missing nonce validation when updating plugin settings. This makes it possible for unauthenticated attackers to update the Keybase verification text via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-2992 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2992 [CRITICAL] CVE-2026-2992 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2992 :
WordPress vulnerability analysis and mitigation
/wp-json/kivicare/v1/setup-wizard/clinic
Source : NVD
## 8.2
Score
Published March 18, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kivicare-clinic-management-system
Sources
NVD
Wiz
CVE-2025-68022 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-68022 [MEDIUM] CVE-2025-68022 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68022 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6.
Source : NVD
## 6.3
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bluex-for-woocommerce
Sources
NVD
Wiz
CVE-2025-14301 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-14301 [CRITICAL] CVE-2025-14301 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14301 :
WordPress vulnerability analysis and mitigation
process_table_bulk_actions()
wsaw-log[]
wp-config.php
Source : NVD
## 9.8
Score
Published January 14, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woosa-ai-for-woocommerce
Sources
NVD
Wiz
CVE-2025-62998 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62998 [CRITICAL] CVE-2025-62998 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62998 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in WP Messiah WP AI CoPilot ai-co-pilot-for-wp allows Retrieve Embedded Sensitive Data. This issue affects WP AI CoPilot: from n/a through <= 1.2.7.
Source : NVD
Published December 18, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ai-co-pilot-for-wp
Sources
NVD
Wiz
CVE-2025-31051 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-31051 [MEDIUM] CVE-2025-31051 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-31051 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data. This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0.
Source : NVD
## 5.3
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
plant
Sources
NVD
Wiz
CVE-2025-60090 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-60090 [CRITICAL] CVE-2025-60090 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60090 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Insightly gf-insightly allows Object Injection. This issue affects WP Gravity Forms Insightly: from n/a through <= 1.1.6.
Source : NVD
## 9.8
Score
Published December 18, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
gf-insightly
Sources
NVD
Wiz
CVE-2025-69319 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69319 [HIGH] CVE-2025-69319 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69319 :
WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection. This issue affects Beaver Builder: from n/a through <= 2.9.4.1.
Source : NVD
## 7.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
beaver-builder-lite-version
Sources
NVD
Wiz
CVE-2025-49359 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-49359 [HIGH] CVE-2025-49359 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49359 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion. This issue affects ShieldGroup: from n/a through <= 2.13.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
shieldgroup
Sources
NVD
Wiz
CVE-2024-30547 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2024-30547 [HIGH] CVE-2024-30547 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-30547 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Shazdeh Header Image Slider header-image-slider allows DOM-Based XSS. This issue affects Header Image Slider: from n/a through 0.3.
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
header-image-slider
Sources
NVD
Wiz
CVE-2025-63006 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-63006 [MEDIUM] CVE-2025-63006 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63006 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.4.1.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eventprime-event-calendar-management
Sources
NVD
Wiz
CVE-2025-67518 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67518 [CRITICAL] CVE-2025-67518 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67518 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Blind SQL Injection. This issue affects Accordion Slider PRO: from n/a through <= 1.2.
Source : NVD
## 9.8
Score
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
accordion_slider_pro
Sources
NVD
Wiz
CVE-2026-2831 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2831 [CRITICAL] CVE-2026-2831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2831 :
WordPress vulnerability analysis and mitigation
The MailArchiver plugin for WordPress is vulnerable to SQL Injection via the ‘logid’ parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 4.9
Score
Published February 27, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Proba
Wiz
CVE-2026-0929 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0929 [CRITICAL] CVE-2026-0929 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0929 :
WordPress vulnerability analysis and mitigation
The RegistrationMagic WordPress plugin before 6.0.7.2 does not have proper capability checks, allowing subscribers and above to create forms on the site.
Source : NVD
## 4.3
Score
Published February 16, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
custom-registration-form-builder-with-submission-manager
Sources
NVD
Wiz
CVE-2026-25391 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25391 [CRITICAL] CVE-2026-25391 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25391 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WP Grids WP Wand ai-content-generation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Wand: from n/a through <= 1.3.07.
Source : NVD
## 5.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ai-content-generation
Sources
NVD
Wiz
CVE-2025-14162 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14162 [MEDIUM] CVE-2025-14162 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14162 :
WordPress vulnerability analysis and mitigation
The BMLT WordPress Plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.11.4. This is due to missing nonce validation on the 'BMLTPlugin_create_option' and 'BMLTPlugin_delete_option' actions. This makes it possible for unauthenticated attackers to create new plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitatio
Wiz
CVE-2026-22504 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22504 [CRITICAL] CVE-2026-22504 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22504 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ProLingua prolingua allows PHP Local File Inclusion. This issue affects ProLingua: from n/a through <= 1.1.12.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
prolingua
Sources
NVD
Wiz
CVE-2025-66163 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-66163 [MEDIUM] CVE-2025-66163 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66163 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Masker for Elementor masker-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Masker for Elementor: from n/a through <= 1.1.4.
Source : NVD
## 5.4
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
masker-elementor
Sources
NVD
Wiz
CVE-2025-14757 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14757 [MEDIUM] CVE-2025-14757 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14757 :
WordPress vulnerability analysis and mitigation
The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Payment Status Bypass in all versions up to, and including, 3.6.9 only when used in combination with Cost Calculator Builder PRO. This is due to the complete_payment AJAX action being registered via wp_ajax_nopriv, making it accessible to unauthenticated users, and the complete() function only verifying a nonce without checking user capabilities or order ownership. Since nonces are exposed to all visitors via window.ccb_nonces in the page source, any unauthenticated attacker can mark any order's payment status as "completed" without actual payment.
Source : NVD
## 5.3
Score
Published January 16, 2026
Severity MEDIUM
CNA Score 5.3
A
Wiz
CVE-2026-3550 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3550 [CRITICAL] CVE-2026-3550 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3550 :
WordPress vulnerability analysis and mitigation
The RockPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.17. This is due to missing capability checks on multiple AJAX actions (rockpress_import, rockpress_import_status, rockpress_last_import, rockpress_reset_import, and rockpress_check_services) combined with the plugin's nonce being exposed to all authenticated users via an unconditionally enqueued admin script. The plugin enqueues the 'rockpress-admin' script on all admin pages (including profile.php) without any page or capability restrictions, and the nonce for the 'rockpress-nonce' action is passed to this script via wp_localize_script. Since the AJAX handlers only verify this nonce and do not check current
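The SurveyJS, Keybase.io Verification, BMLT and Video Merchant entries above describe AJAX handlers that never check a nonce; the Cost Calculator Builder and RockPress entries describe the other half of the same mistake, a handler that checks a nonce but never a capability, with the nonce handed to every visitor or every logged-in user at page load. The following is an added illustration, not code from any plugin listed on this page, showing both failure modes beside a hardened handler. It assumes it is loaded as a WordPress plugin; the demo_ prefix, the 'demo-nonce' action, the settings_page_demo hook suffix and the option name are hypothetical.

```php
<?php
/**
 * Added example (not code from any plugin on this page).
 * Assumes it is loaded as a WordPress plugin; the demo_ prefix, nonce
 * action, hook suffix and option name are hypothetical.
 */

// --- Vulnerable pattern ---
// 1. Registered for unauthenticated callers too (wp_ajax_nopriv_*).
// 2. Verifies only a nonce, never a capability. (The CSRF entries above are
//    this same handler with the check_ajax_referer() line missing.)
// 3. Paired with a nonce that wp_localize_script() puts in every page, so
//    "has a valid nonce" says nothing about who the caller is.
add_action( 'wp_ajax_demo_save_setting',        'demo_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_setting', 'demo_save_setting_vulnerable' );
function demo_save_setting_vulnerable() {
    // A nonce proves the request came from a page that carried the nonce,
    // not that the requester is allowed to perform the action.
    check_ajax_referer( 'demo-nonce', 'nonce' );
    update_option( 'demo_setting', wp_unslash( $_POST['value'] ?? '' ) );
    wp_send_json_success();
}

// --- Hardened pattern ---
// Enqueue the admin script, and with it the nonce, only on this plugin's own
// screen and only for users who hold the capability the handler will demand.
add_action( 'admin_enqueue_scripts', function ( $hook_suffix ) {
    if ( 'settings_page_demo' !== $hook_suffix || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo-nonce' ),
    ) );
} );

// Logged-in callers only: no wp_ajax_nopriv_ registration for a write action.
add_action( 'wp_ajax_demo_save_setting_safe', 'demo_save_setting_hardened' );
function demo_save_setting_hardened() {
    // 1. CSRF: a valid nonce is required; check_ajax_referer() dies on failure.
    check_ajax_referer( 'demo-nonce', 'nonce' );

    // 2. Authorization: the caller must hold the capability, nonce or not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: validate and sanitize before persisting.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    if ( '' === $value || strlen( $value ) > 200 ) {
        wp_send_json_error( array( 'message' => 'invalid value' ), 400 );
    }

    update_option( 'demo_setting', $value );
    wp_send_json_success( array( 'saved' => $value ) );
}
```

The order of the three checks matters less than their presence: a nonce answers "did this request originate from my page", a capability check answers "may this user do this", and neither substitutes for the other. Gating the enqueue on the hook suffix and capability also closes the leak the Ninja Forms and RockPress entries describe, where a token reaches any user who can load profile.php.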
Wiz
CVE-2026-2495 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2495 [CRITICAL] CVE-2026-2495 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2495 :
WordPress vulnerability analysis and mitigation
The WPNakama – Team and multi-Client Collaboration, Editorial and Project Management plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the '/wp-json/WPNakama/v1/boards' REST API endpoint in all versions up to, and including, 0.6.5. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 7.5
Score
Published February 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has C
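The WPNakama entry above describes SQL injection through the 'order' parameter of a REST endpoint. ORDER BY columns, sort direction and LIMIT cannot be bound as prepared-statement values the way WHERE values can, so escaping is not the fix; the column and direction must come from an allow-list. The following is an added example, not WPNakama's code, showing the vulnerable pattern beside a hardened route. It assumes WordPress 6.2 or later (for the %i identifier placeholder in $wpdb->prepare()); the demo/v1 namespace, table and column names are hypothetical.

```php
<?php
/**
 * Added example (not WPNakama's code). Assumes a WordPress 6.2+ plugin
 * context; the route namespace, table and column names are hypothetical.
 */

// --- Vulnerable: the request string is interpolated into ORDER BY. ---
// Registered with 'permission_callback' => '__return_true', so unauthenticated.
function demo_boards_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $order = $request->get_param( 'order' ); // e.g. "id,(SELECT SLEEP(5))"
    return $wpdb->get_results( "SELECT id, title FROM {$wpdb->prefix}demo_boards ORDER BY {$order}" );
}

// --- Hardened ---
const DEMO_ORDERBY_COLUMNS = array( 'id', 'title', 'created_at' ); // allow-list

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/boards', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'demo_boards_hardened',
        // Require a capability; '__return_true' is what makes an endpoint
        // reachable by anonymous callers.
        'permission_callback' => function () {
            return current_user_can( 'read' );
        },
        // With a 'type' declared, the REST layer validates each arg against
        // this schema before the callback runs; an 'orderby' outside 'enum'
        // is rejected with a 400.
        'args' => array(
            'orderby'  => array( 'type' => 'string',  'default' => 'id',  'enum' => DEMO_ORDERBY_COLUMNS ),
            'order'    => array( 'type' => 'string',  'default' => 'ASC', 'enum' => array( 'ASC', 'DESC' ) ),
            'per_page' => array( 'type' => 'integer', 'default' => 20,    'minimum' => 1, 'maximum' => 100 ),
        ),
    ) );
} );

function demo_boards_hardened( WP_REST_Request $request ) {
    global $wpdb;

    // Re-check in the callback: defence in depth, and it keeps the function
    // safe if something else calls it without the schema in front of it.
    $orderby = in_array( $request['orderby'], DEMO_ORDERBY_COLUMNS, true ) ? $request['orderby'] : 'id';
    $order   = 'DESC' === strtoupper( (string) $request['order'] ) ? 'DESC' : 'ASC';
    $limit   = max( 1, min( 100, (int) $request['per_page'] ) );

    // $orderby is one of our own constants (additionally quoted as an
    // identifier via %i), $order is one of two literals, $limit is bound as %d.
    // Nothing from the request string reaches the SQL text.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}demo_boards ORDER BY %i {$order} LIMIT %d",
        $orderby,
        $limit
    );

    return rest_ensure_response( $wpdb->get_results( $sql ) );
}
```

The allow-list is the actual control; %i only protects against a column name that needs quoting. Treat a `permission_callback` of `__return_true` on a route that touches the database as a finding in its own right, independent of the injection.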
Wiz
CVE-2026-27985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27985 [CRITICAL] CVE-2026-27985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27985 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Humanum humanum allows PHP Local File Inclusion. This issue affects Humanum: from n/a through <= 1.1.4.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
humanum
Sources
NVD
Wiz
CVE-2025-14390 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-14390 [HIGH] CVE-2025-14390 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14390 :
WordPress vulnerability analysis and mitigation
The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. This is due to missing or incorrect nonce validation on the video_merchant_add_video_file() function. This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 8.8
Score
Published December 10, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.1
Exploitation
Wiz
CVE-2025-14003 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14003 [MEDIUM] CVE-2025-14003 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14003 :
WordPress vulnerability analysis and mitigation
add_images_to_gallery_callback()
Source : NVD
## 4.3
Score
Published December 15, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
modula-best-grid-gallery
Sources
NVD
Wiz
CVE-2024-34438 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2024-34438 [MEDIUM] CVE-2024-34438 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-34438 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files. This issue affects Shared Files: from n/a through <= 1.7.19.
Source : NVD
## 5.3
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
shared-files
Sources
NVD
Wiz
CVE-2025-69046 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-69046 [HIGH] CVE-2025-69046 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69046 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
irecco-core
Sources
NVD
Wiz
CVE-2026-2312 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2312 [CRITICAL] CVE-2026-2312 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2312 :
WordPress vulnerability analysis and mitigation
The Media Library Folders plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 8.3.6 via the delete_maxgalleria_media() and maxgalleria_rename_image() functions due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to delete or rename attachments owned by other users (including administrators). The rename flow also deletes all postmeta for the target attachment, causing data loss.
Source : NVD
## 4.3
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-28061 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28061 [CRITICAL] CVE-2026-28061 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28061 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tiger Claw tiger-claw allows PHP Local File Inclusion. This issue affects Tiger Claw: from n/a through <= 1.1.14.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
tiger-claw
Sources
NVD
Wiz
CVE-2025-14079 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14079 [MEDIUM] CVE-2025-14079 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14079 :
WordPress vulnerability analysis and mitigation
eh_crm_ticket_general
Source : NVD
## 5.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
elex-helpdesk-customer-support-ticket-system
Sources
NVD
Wiz
CVE-2026-1806 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1806 [CRITICAL] CVE-2026-1806 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1806 :
WordPress vulnerability analysis and mitigation
The Tour & Activity Operator Plugin for TourCMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'target' parameter of the tourcms_doc_link shortcode in all versions up to, and including, 1.7.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-64634 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-64634 [HIGH] CVE-2025-64634 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64634 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ThemeFusion Avada avada allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Avada: from n/a through <= 7.13.2.
Source : NVD
## 8.8
Score
Published December 16, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
Avada
Sources
NVD
Wiz
CVE-2025-13904 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13904 [MEDIUM] CVE-2025-13904 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13904 :
WordPress vulnerability analysis and mitigation
The WPGancio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'gancio-event' shortcode in all versions up to, and including, 1.12 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Wiz
CVE-2025-13498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13498 [MEDIUM] CVE-2025-13498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13498 :
WordPress vulnerability analysis and mitigation
wpdm_media_access
Source : NVD
## 4.3
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
download-manager
Sources
NVD
Wiz
CVE-2025-68855 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-68855 [MEDIUM] CVE-2025-68855 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68855 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in themeglow JobBoard Job listing job-board-light allows Retrieve Embedded Sensitive Data. This issue affects JobBoard Job listing: from n/a through <= 1.2.8.
Source : NVD
## 5.9
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
job-board-light
Sources
NVD
Wiz
CVE-2025-53430 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-53430 [HIGH] CVE-2025-53430 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53430 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Etta etta allows PHP Local File Inclusion. This issue affects Etta: from n/a through <= 1.14.0.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
etta
Sources
NVD
Wiz
CVE-2025-14886 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14886 [MEDIUM] CVE-2025-14886 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14886 :
WordPress vulnerability analysis and mitigation
order
Source : NVD
## 5.3
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-for-japan
Sources
NVD
Wiz
CVE-2026-32508 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32508 [CRITICAL] CVE-2026-32508 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32508 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in Mikado-Themes Halstein halstein allows Object Injection. This issue affects Halstein: from n/a through < 1.8.
Source : NVD
## 5.4
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
halstein
Sources
NVD
Wiz
CVE-2025-15522 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-15522 [MEDIUM] CVE-2025-15522 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15522 :
WordPress vulnerability analysis and mitigation
The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page.
Source : NVD
## 6.4
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2025-66125 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-66125 [MEDIUM] CVE-2025-66125 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66125 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in Nitesh Ultimate Auction ultimate-auction allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Auction: from n/a through <= 4.3.2.
Source : NVD
## 5.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-auction
Sources
NVD
Wiz
CVE-2026-0676 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-0676 [MEDIUM] CVE-2026-0676 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0676 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zorka: from n/a through <= 1.5.7.
Source : NVD
## 5.3
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zorka
Sources
NVD
Wiz
CVE-2025-68087 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-68087 [MEDIUM] CVE-2025-68087 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68087 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Modalier for Elementor modalier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modalier for Elementor: from n/a through <= 1.0.6.
Source : NVD
## 5.4
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
modalier-elementor
Sources
NVD
Wiz
CVE-2025-15445 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-15445 [MEDIUM] CVE-2025-15445 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15445 :
WordPress vulnerability analysis and mitigation
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, such as a subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP code execution, and also import demo content that rewrites site configuration, including theme_mods, pages, menus, and front page settings.
Source : NVD
## 5.4
Score
Published March 28, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-1987 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1987 [CRITICAL] CVE-2026-1987 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1987 :
WordPress vulnerability analysis and mitigation
scheduler_widget_ajax_save_event()
id
Source : NVD
## 5.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
scheduler-widget
Sources
NVD
Wiz
CVE-2026-25443 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25443 [CRITICAL] CVE-2026-25443 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25443 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.3.
Source : NVD
Published March 19, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers
Sources
NVD
Wiz
CVE-2026-28036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28036 [CRITICAL] CVE-2026-28036 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28036 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in SkatDesign Ratatouille ratatouille allows Server Side Request Forgery. This issue affects Ratatouille: from n/a through <= 1.2.6.
Source : NVD
## 6.4
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ratatouille
Sources
NVD
Wiz
CVE-2026-22465 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22465 [CRITICAL] CVE-2026-22465 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22465 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in SeventhQueen BuddyApp buddyapp allows Reflected XSS. This issue affects BuddyApp: from n/a through <= 1.9.2.
Source : NVD
## 7.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
buddyapp
Sources
NVD
Wiz
CVE-2026-24968 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24968 [CRITICAL] CVE-2026-24968 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24968 :
WordPress vulnerability analysis and mitigation
Incorrect Privilege Assignment vulnerability in Xagio SEO Xagio SEO xagio-seo allows Privilege Escalation. This issue affects Xagio SEO: from n/a through <= 7.1.0.30.
Source : NVD
## 9.8
Score
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
xagio-seo
Sources
NVD
Wiz
CVE-2025-8072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-8072 [MEDIUM] CVE-2025-8072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8072 :
WordPress vulnerability analysis and mitigation
The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Wiz
CVE-2026-1070 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1070 [CRITICAL] CVE-2026-1070 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1070 :
WordPress vulnerability analysis and mitigation
The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-1074 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1074 [CRITICAL] CVE-2026-1074 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1074 :
WordPress vulnerability analysis and mitigation
App_Bar_Settings
Source : NVD
## 7.2
Score
Published March 7, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-app-bar
Sources
NVD
Wiz
CVE-2026-0727 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-0727 [MEDIUM] CVE-2026-0727 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0727 :
WordPress vulnerability analysis and mitigation
The Accordion and Accordion Slider plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.4.5. This is due to the plugin not properly verifying that a user is authorized to perform an action in the 'wp_aas_save_attachment_data' and 'wp_aas_get_attachment_edit_form' functions. This makes it possible for authenticated attackers, with contributor level access and above, to read and modify attachment metadata including file paths, titles, captions, alt text, and custom links for any attachment on the site.
Source : NVD
## 5.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2025-64633 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-64633 [MEDIUM] CVE-2025-64633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64633 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in colabrio Norebro Extra norebro-extra allows Code Injection. This issue affects Norebro Extra: from n/a through <= 1.6.8.
Source : NVD
## 5.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
norebro-extra
Sources
NVD
Wiz
CVE-2026-27050 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27050 [CRITICAL] CVE-2026-27050 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27050 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress RealPress realpress allows Cross Site Request Forgery. This issue affects RealPress: from n/a through <= 1.1.0.
Source : NVD
## 5.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
realpress
Sources
NVD
Wiz
CVE-2025-14971 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14971 [MEDIUM] CVE-2025-14971 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14971 :
WordPress vulnerability analysis and mitigation
The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create partial payments on any order or cancel any existing partial payment via ID enumeration.
Source : NVD
## 5.3
Score
Published January 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.6
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-60182 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-60182 [HIGH] CVE-2025-60182 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60182 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Schiocco Support Board supportboard allows Reflected XSS. This issue affects Support Board: from n/a through < 3.8.7.
Source : NVD
## 7.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
supportboard
Sources
NVD
Wiz
CVE-2026-1948 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1948 [CRITICAL] CVE-2026-1948 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1948 :
WordPress vulnerability analysis and mitigation
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivate_license() function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to deactivate the plugin license.
Source : NVD
## 4.3
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nex-forms-express-wp-f
Wiz
CVE-2025-68048 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68048 [HIGH] CVE-2025-68048 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68048 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0.
Source : NVD
## 7.5
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-thank-you-page-nextmove-lite
Sources
NVD
Wiz
CVE-2025-63010 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2025-63010 [MEDIUM] CVE-2025-63010 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63010 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in ThemesInflow Hercules Core hercules-core allows Server Side Request Forgery. This issue affects Hercules Core: from n/a through <= 7.4.
Source : NVD
## 4.8
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hercules-core
Sources
NVD
Wiz
CVE-2026-22401 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22401 [CRITICAL] CVE-2026-22401 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22401 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Freshio freshio allows PHP Local File Inclusion. This issue affects Freshio: from n/a through <= 2.4.2.
Source : NVD
## 7.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
freshio
Sources
NVD
Wiz
CVE-2025-68073 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68073 [MEDIUM] CVE-2025-68073 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68073 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ninja-gdpr-compliance
Sources
NVD
Wiz
CVE-2025-58944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2025-58944 [HIGH] CVE-2025-58944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58944 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Manufactory manufactory allows PHP Local File Inclusion. This issue affects Manufactory: from n/a through <= 1.4.
Source : NVD
## 8.2
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
manufactory
Sources
NVD
Wiz
CVE-2026-2126 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2126 [CRITICAL] CVE-2026-2126 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2126 :
WordPress vulnerability analysis and mitigation
usp_get_submitted_category()
usp_options['categories']
user-submitted-category[]
Source : NVD
## 5.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
user-submitted-posts
Sources
NVD
Wiz
CVE-2025-67596 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-67596 [MEDIUM] CVE-2025-67596 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67596 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Cross Site Request Forgery. This issue affects Business Directory: from n/a through <= 6.4.19.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
business-directory-plugin
Sources
NVD
Wiz
CVE-2025-14044 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-14044 [HIGH] CVE-2025-14044 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14044 :
WordPress vulnerability analysis and mitigation
lpblocks
lp_track()
unserialize()
Source : NVD
## 8.1
Score
Published December 12, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
logic-pro
Sources
NVD
Wiz
CVE-2025-14389 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14389 [MEDIUM] CVE-2025-14389 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14389 :
WordPress vulnerability analysis and mitigation
The WPBlogSyn plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's remote sync settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2026-3075 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3075 [CRITICAL] CVE-2026-3075 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3075 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data. This issue affects Simple Ajax Chat: from n/a through <= 20251121.
Source : NVD
## 5.3
Score
Published February 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-ajax-chat
Sources
NVD
Wiz
CVE-2026-23798 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23798 [CRITICAL] CVE-2026-23798 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23798 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in blubrry PowerPress Podcasting powerpress allows Object Injection. This issue affects PowerPress Podcasting: from n/a through <= 11.15.10.
Source : NVD
## 8.8
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
powerpress
Sources
NVD
Wiz
CVE-2026-22452 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22452 [CRITICAL] CVE-2026-22452 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22452 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Hoverex hoverex allows PHP Local File Inclusion. This issue affects Hoverex: from n/a through <= 1.5.10.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
hoverex
Sources
NVD
Wiz
CVE-2025-15055 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-15055 [HIGH] CVE-2025-15055 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15055 :
WordPress vulnerability analysis and mitigation
The SlimStat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'notes' and 'resource' parameters in all versions up to, and including, 5.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator accesses the Recent Custom Events report.
Source : NVD
## 7.2
Score
Published January 9, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.4
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-23719 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-23719 [CRITICAL] CVE-2025-23719 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-23719 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in zckevin ZhinaTwitterWidget zhina-twitter-widget allows Reflected XSS. This issue affects ZhinaTwitterWidget: from n/a through <= 1.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zhina-twitter-widget
Sources
NVD
Wiz
CVE-2025-68573 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68573 [HIGH] CVE-2025-68573 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68573 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Alessandro Piconi Simple Keyword to Link simple-keyword-to-link allows Cross Site Request Forgery. This issue affects Simple Keyword to Link: from n/a through <= 1.5.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-keyword-to-link
Sources
NVD
Wiz
CVE-2026-32441 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32441 [CRITICAL] CVE-2026-32441 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32441 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WebToffee Comments Import & Export comments-import-export-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comments Import & Export: from n/a through <= 2.4.9.
Source : NVD
## 7.7
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
comments-import-export-woocommerce
Sources
NVD
Wiz
CVE-2025-12825 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-12825 [MEDIUM] CVE-2025-12825 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12825 :
WordPress vulnerability analysis and mitigation
The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.
Source : NVD
## 5.3
Score
Published January 17, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
user-registration-using-contact-form-7
Sources
Wiz
CVE-2026-22426 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22426 [CRITICAL] CVE-2026-22426 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22426 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sweet Jane: from n/a through <= 1.2.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sweetjane
Sources
NVD
Wiz
CVE-2026-22454 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22454 [CRITICAL] CVE-2026-22454 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22454 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection. This issue affects Solaris: from n/a through <= 2.5.
Source : NVD
## 9.8
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
solaris
Sources
NVD
Wiz
CVE-2025-68979 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-68979 [HIGH] CVE-2025-68979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68979 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in SimpleCalendar Google Calendar Events google-calendar-events allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google Calendar Events: from n/a through <= 3.5.9.
Source : NVD
## 8.1
Score
Published December 30, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
google-calendar-events
Sources
NVD
Wiz
CVE-2025-67587 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-67587 [MEDIUM] CVE-2025-67587 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67587 :
WordPress vulnerability analysis and mitigation
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gf-freshdesk
Sources
NVD
Wiz
CVE-2026-27070 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27070 [CRITICAL] CVE-2026-27070 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27070 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPEverest Everest Forms Pro allows Stored XSS. This issue affects Everest Forms Pro: from n/a through 1.9.10.
Source : NVD
## 7.1
Score
Published March 19, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
everest-forms-pro
Sources
NVD
Wiz
CVE-2026-4063 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4063 [CRITICAL] CVE-2026-4063 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4063 :
WordPress vulnerability analysis and mitigation
The Social Icons Widget & Block by WPZOOM plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check in the add_menu_item() method hooked to admin_menu in all versions up to, and including, 4.5.8. This is due to the method performing wp_insert_post() and update_post_meta() calls to create a sharing configuration without verifying the current user has administrator-level capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger the creation of a published wpzoom-sharing configuration post with default sharing button settings, which causes social sharing buttons to be automatically injected into all post content on the fro
Wiz
CVE-2025-68608 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68608 [HIGH] CVE-2025-68608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68608 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in DeluxeThemes Userpro userpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Userpro: from n/a through <= 5.1.9.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
userpro
Sources
NVD
Wiz
CVE-2025-13848 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13848 [MEDIUM] CVE-2025-13848 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13848 :
WordPress vulnerability analysis and mitigation
The STM Gallery 1.9 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'composicion' parameter in all versions up to, and including, 0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-1844 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1844 [CRITICAL] CVE-2026-1844 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1844 :
WordPress vulnerability analysis and mitigation
The PixelYourSite PRO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pysTrafficSource' parameter and the 'pys_landing_page' parameter in all versions up to, and including, 12.4.0.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 7.2
Score
Published February 13, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-49066 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-49066 [MEDIUM] CVE-2025-49066 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49066 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS. This issue affects Accordion Slider PRO: from n/a through <= 1.2.
Source : NVD
## 6.1
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
accordion_slider_pro
Sources
NVD
Wiz
CVE-2025-49942 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-49942 [HIGH] CVE-2025-49942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49942 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gardis gardis allows PHP Local File Inclusion. This issue affects Gardis: from n/a through <= 1.2.13.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
gardis
Sources
NVD
Wiz
CVE-2026-2502 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2502 [CRITICAL] CVE-2026-2502 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2502 :
WordPress vulnerability analysis and mitigation
The xmlrpc attacks blocker plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.0, via the 'X-Forwarded-For' HTTP header. This is due to the plugin trusting and logging attacker-controlled IP header data and rendering debug log entries without output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts that execute when an administrator views the debug log page.
Source : NVD
## 6.1
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.2
Wiz
CVE-2025-67932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-67932 [MEDIUM] CVE-2025-67932 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67932 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS. This issue affects Listeo Core: from n/a through < 2.0.19.
Source : NVD
## 6.1
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
listeo-core
Sources
NVD
Wiz
CVE-2026-1071 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1071 [CRITICAL] CVE-2026-1071 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1071 :
WordPress vulnerability analysis and mitigation
The Carta Online plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.13.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-54751 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-54751 [HIGH] CVE-2025-54751 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-54751 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 4.1.36.
Source : NVD
## 7.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-post
Sources
NVD
Wiz
CVE-2025-68535 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-68535 [CRITICAL] CVE-2025-68535 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68535 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.1.
Source : NVD
## 9.1
Score
Published December 24, 2025
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sunshine-photo-cart
Sources
NVD
Wiz
CVE-2026-1430 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1430 [CRITICAL] CVE-2026-1430 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1430 :
WordPress vulnerability analysis and mitigation
The WP Lightbox 2 WordPress plugin before 3.0.7 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Source : NVD
## 4.8
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-lightbox-2
Sources
NVD
Wiz
CVE-2025-14446 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-14446 [MEDIUM] CVE-2025-14446 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14446 :
WordPress vulnerability analysis and mitigation
The Popup Builder (Easy Notify Lite) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the easynotify_cp_reset() function in all versions up to, and including, 1.1.37. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset plugin settings to their default values.
Source : NVD
## 6.5
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
easy-notify-lite
Wiz
CVE-2025-14137 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-14137 [MEDIUM] CVE-2025-14137 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14137 :
WordPress vulnerability analysis and mitigation
$_SERVER['PHP_SELF']
Source : NVD
## 6.1
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
simple-al-slider
Sources
NVD
Wiz
CVE-2025-49045 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-49045 [MEDIUM] CVE-2025-49045 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49045 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3.
Source : NVD
## 6.1
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
super-interactive-maps
Sources
NVD
Wiz
CVE-2026-22404 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22404 [CRITICAL] CVE-2026-22404 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22404 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: from n/a through <= 1.7.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
innovio
Sources
NVD
Wiz
CVE-2025-14385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14385 [MEDIUM] CVE-2025-14385 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14385 :
WordPress vulnerability analysis and mitigation
The WP Recipe Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter in all versions up to, and including, 10.2.3 due to insufficient input sanitization and output escaping on user-supplied attributes in the wprm-recipe-roundup-item shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 17, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability
Wiz
CVE-2026-2924 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2924 [CRITICAL] CVE-2026-2924 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2924 :
WordPress vulnerability analysis and mitigation
The Gutenverse – Ultimate WordPress FSE Blocks Addons & Ecosystem plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageLoad' parameter in versions up to, and including, 3.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published April 4, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Wiz
CVE-2026-2233 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2233 [CRITICAL] CVE-2026-2233 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2233 :
WordPress vulnerability analysis and mitigation
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the draft_post() function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to modify arbitrary posts (e.g. unpublish published posts and overwrite the contents) via the 'post_id' parameter.
Source : NVD
## 5.3
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.3
Wiz
CVE-2026-1096 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1096 [CRITICAL] CVE-2026-1096 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1096 :
WordPress vulnerability analysis and mitigation
The Best-wp-google-map plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'latitude' and 'longitudinal' parameters of the 'google_map_view' shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile
Wiz
CVE-2026-24596 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24596 [CRITICAL] CVE-2026-24596 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24596 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.2.
Source : NVD
## 4.7
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
related-posts-thumbnails
Sources
NVD
Wiz
CVE-2025-67554 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-67554 [MEDIUM] CVE-2025-67554 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67554 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Humanityco Cookie Notice & Compliance for GDPR / CCPA cookie-notice allows Stored XSS. This issue affects Cookie Notice & Compliance for GDPR / CCPA: from n/a through <= 2.5.8.
Source : NVD
## 5.9
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cookie-notice
Sources
NVD
Wiz
CVE-2025-47474 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-47474 [CRITICAL] CVE-2025-47474 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-47474 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion. This issue affects Anarkali: from n/a through <= 1.0.9.
Source : NVD
## 9.8
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
anarkali
Sources
NVD
Wiz
CVE-2026-32529 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32529 [CRITICAL] CVE-2026-32529 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32529 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in don-themes Molla molla allows Reflected XSS. This issue affects Molla: from n/a through < 1.5.19.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
molla
Sources
NVD
Wiz
CVE-2025-62108 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62108 [CRITICAL] CVE-2025-62108 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62108 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in SaifuMak Add Custom Codes add-custom-codes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Custom Codes: from n/a through <= 4.80.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
add-custom-codes
Sources
NVD
Wiz
CVE-2025-14075 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14075 [MEDIUM] CVE-2025-14075 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14075 :
WordPress vulnerability analysis and mitigation
The WP Hotel Booking plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.7. This is due to the plugin exposing the 'hotel_booking_fetch_customer_info' AJAX action to unauthenticated users without proper capability checks, relying only on a nonce for protection. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including full names, addresses, phone numbers, and email addresses by providing a valid email address and a publicly accessible nonce.
Source : NVD
## 5.3
Score
Published January 17, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2025-68513 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-68513 [MEDIUM] CVE-2025-68513 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68513 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Timeline Lite bold-timeline-lite allows Stored XSS. This issue affects Bold Timeline Lite: from n/a through <= 1.2.7.
Source : NVD
## 5.4
Score
Published December 24, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bold-timeline-lite
Sources
NVD
Wiz
CVE-2025-13067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-13067 [HIGH] CVE-2025-13067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13067 :
WordPress vulnerability analysis and mitigation
The Royal Addons for Elementor plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 1.7.1049. This is due to insufficient file type validation detecting files named main.php, allowing a file with such a name to bypass sanitization. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
## 8.8
Score
Published March 11, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
Wiz
CVE-2025-22715 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-22715 [HIGH] CVE-2025-22715 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22715 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25.
Source : NVD
## 8.1
Score
Published January 8, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
WP_AttractiveDonationsSystem
Sources
NVD
Wiz
CVE-2025-13753 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13753 [MEDIUM] CVE-2025-13753 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13753 :
WordPress vulnerability analysis and mitigation
The WP Table Builder – Drag & Drop Table Builder plugin for WordPress is vulnerable to unauthorized modification of data due to an incorrect authorization check on the save_table() function in all versions up to, and including, 2.0.19. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new wptb-table posts.
Source : NVD
## 4.3
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-table-builder
Sources
NVD
Wiz
CVE-2025-64373 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-64373 [HIGH] CVE-2025-64373 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64373 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in shinetheme Traveler traveler allows PHP Local File Inclusion. This issue affects Traveler: from n/a through < 3.2.6.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
traveler
Sources
NVD
Wiz
CVE-2025-14552 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14552 [MEDIUM] CVE-2025-14552 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14552 :
WordPress vulnerability analysis and mitigation
The MediaPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's mpp-uploader shortcode in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Wiz
CVE-2025-64205 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2025-64205 [HIGH] CVE-2025-64205 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64205 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah jannah allows PHP Local File Inclusion. This issue affects Jannah: from n/a through <= 7.6.0.
Source : NVD
## 8.2
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.9
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
jannah
Sources
NVD
Wiz
CVE-2026-4278 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4278 [CRITICAL] CVE-2026-4278 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4278 :
WordPress vulnerability analysis and mitigation
The Simple Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'sdc_menu' shortcode in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes, specifically the 'text' and 'cat' attributes. The 'text' attribute is output directly into HTML content on line 159 without any escaping (e.g., esc_html()). The 'cat' attribute is used unescaped in HTML class attributes on lines 135 and 157 without esc_attr(). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Wiz
CVE-2026-25328 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25328 [CRITICAL] CVE-2026-25328 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25328 :
WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in add-ons.org Product File Upload for WooCommerce products-file-upload-for-woocommerce allows Path Traversal. This issue affects Product File Upload for WooCommerce: from n/a through <= 2.2.4.
Source : NVD
## 6.8
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
products-file-upload-for-woocommerce
Sources
NVD
Wiz
CVE-2025-12984 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2025-12984 [MEDIUM] CVE-2025-12984 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12984 :
WordPress vulnerability analysis and mitigation
The Advanced Ads – Ad Manager & AdSense plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter in all versions up to, and including, 2.0.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 4.9
Score
Published January 17, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
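The Advanced Ads entry above describes the classic WordPress ORDER BY injection: the 'order' parameter is concatenated into a query because `$wpdb->prepare()` placeholders can only bind values, not identifiers or keywords, so developers skip preparation for that part of the statement. The following is an added example written for this page, not code from Advanced Ads or from Wiz. The function names, the `demo_ad` post type and the column list are made up for the illustration; `$wpdb->prepare()`, `$wpdb->get_results()` and `$wpdb->posts` are standard WordPress APIs.

```php
<?php
// Added example, not code from Advanced Ads. Hypothetical admin list query
// whose sort column and direction come from request parameters.

// Vulnerable: ORDER BY identifiers cannot be bound as prepared-statement
// values, so the raw parameters are concatenated. An 'order' value such as
// "ASC, (SELECT SLEEP(5))" becomes part of the statement, which is exactly
// the "append additional SQL queries" behaviour the advisory describes.
function demo_list_ads_vulnerable( $orderby, $order ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'demo_ad'
            ORDER BY {$orderby} {$order}";
    return $wpdb->get_results( $sql );
}

// Hardened: the column and the direction are chosen from fixed allow-lists
// (the only safe way to handle identifiers and keywords), and anything that
// belongs in the WHERE clause is bound through $wpdb->prepare().
function demo_list_ads_safe( $orderby, $order, $status ) {
    global $wpdb;
    $columns = array( 'ID', 'post_title', 'post_date' );
    $orderby = in_array( $orderby, $columns, true ) ? $orderby : 'post_date';
    $order   = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'demo_ad' AND post_status = %s
         ORDER BY {$orderby} {$order}",
        $status
    );
    return $wpdb->get_results( $sql );
}
```

`esc_sql()` is not a substitute here: it escapes quotes inside a string literal, and an ORDER BY clause needs no quotes to be abused. Only an allow-list (or a mapping from a request token to a hard-coded clause) removes the attacker's control over that part of the statement.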
Wiz
CVE-2026-3996 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3996 [CRITICAL] CVE-2026-3996 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3996 :
WordPress vulnerability analysis and mitigation
The WP Games Embed plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [game] shortcode in all versions up to and including 0.1beta. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'width', 'height', 'src', 'title', 'description', 'game_url', 'main', and 'thumb', which are all directly concatenated into HTML output without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
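The shortcode stored-XSS entries on this page (WP Recipe Maker, Gutenverse, Best-wp-google-map, MediaPress, Simple Download Counter and WP Games Embed) share one shape: shortcode attributes that a Contributor can set in a post are concatenated into HTML without context-appropriate escaping. The Simple Download Counter entry spells out the two contexts involved, element content without `esc_html()` and a class attribute without `esc_attr()`. The following is an added example written for this page, not code from any of those plugins or from Wiz: a hypothetical `[demo_menu]` shortcode in the unsafe shape, followed by the hardened version. The shortcode name, function names and attribute names are made up; `shortcode_atts()`, `sanitize_html_class()`, `esc_attr()`, `esc_html()` and `add_shortcode()` are standard WordPress functions.

```php
<?php
// Added example, not code from any plugin listed on this page.
// Hypothetical shortcode: [demo_menu text="Downloads" cat="reports"]

// Vulnerable: every attribute is dropped into markup unescaped. A Contributor
// who writes cat='"><script>...</script>' in a post gets that script executed
// for every visitor who renders the post (stored XSS).
function demo_menu_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'text' => 'Downloads', 'cat' => '' ), $atts, 'demo_menu' );
    $html  = '<div class="demo-menu ' . $atts['cat'] . '">';   // attribute context, unescaped
    $html .= '<span>' . $atts['text'] . '</span>';             // element content, unescaped
    return $html . '</div>';
}

// Hardened: escape for the context each value lands in. esc_attr() for
// attribute values, esc_html() for element content. A value that should only
// ever be a CSS class is additionally reduced to class-safe characters.
function demo_menu_shortcode_safe( $atts ) {
    $atts  = shortcode_atts( array( 'text' => 'Downloads', 'cat' => '' ), $atts, 'demo_menu' );
    $class = sanitize_html_class( $atts['cat'] );              // keeps [A-Za-z0-9_-] only
    $html  = '<div class="demo-menu ' . esc_attr( $class ) . '">';
    $html .= '<span>' . esc_html( $atts['text'] ) . '</span>';
    return $html . '</div>';
}

add_shortcode( 'demo_menu', 'demo_menu_shortcode_safe' );
```

Escaping at output is the fix; input-side cleaning such as `sanitize_text_field()` is not sufficient on its own because it leaves quotes intact, and a quote is all that is needed to break out of an attribute. The Contributor-level scoping in these advisories follows from the `unfiltered_html` capability: roles that hold it (Administrators on a single-site install) may post raw markup legitimately, so the bug matters for the roles that do not.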
Wiz
CVE-2026-22468 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22468 [CRITICAL] CVE-2026-22468 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22468 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14.
Source : NVD
## 4.3
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
absolute-addons
Sources
NVD
Wiz
CVE-2025-62754 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-62754 [CRITICAL] CVE-2025-62754 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62754 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0.
Source : NVD
## 9.1
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-payment-bkash
Sources
NVD
Wiz
CVE-2025-69373 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69373 [HIGH] CVE-2025-69373 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69373 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion. This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.
Source : NVD
## 7.5
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vidorev
Sources
NVD
Wiz
CVE-2025-68999 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2025-68999 [HIGH] CVE-2025-68999 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68999 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4.
Source : NVD
## 8.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
happy-elementor-addons
Sources
NVD
Wiz
CVE-2024-10938 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2024-10938 [MEDIUM] CVE-2024-10938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-10938 :
WordPress vulnerability analysis and mitigation
The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper function of a site.
Source : NVD
## 6.5
Score
Published February 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
moneytigo
Sources
NVD
Wiz
CVE-2025-15510 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-15510 [MEDIUM] CVE-2025-15510 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15510 :
WordPress vulnerability analysis and mitigation
The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter.
Source : NVD
## 5.3
Score
Published January 31, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
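Three entries on this page describe the same authorization failure from different angles: WP Hotel Booking exposes an AJAX action to unauthenticated users "relying only on a nonce for protection", User Frontend's draft_post() lets anyone modify arbitrary posts via a 'post_id' parameter because of a missing capability check, and NEX-Forms lets unauthenticated callers export form configurations by enumerating an ID. A WordPress nonce only proves that the request originated from a page the site served; on a public page anyone can read it, so it is CSRF protection, not authorization. The following is an added example written for this page, not code from any of those plugins or from Wiz: a hypothetical AJAX handler in the vulnerable shape, the hardened shape, and an object-level variant for actions that touch a specific post. Action names, function names and the lookup stub are made up; `check_ajax_referer()`, `current_user_can()`, `wp_send_json_success()`, `wp_send_json_error()`, `wp_update_post()` and the `wp_ajax_` / `wp_ajax_nopriv_` hooks are standard WordPress APIs.

```php
<?php
// Added example, not code from WP Hotel Booking, User Frontend or NEX-Forms.
// Hypothetical AJAX action that returns a customer record by e-mail address.

// Vulnerable shape: reachable while logged out (wp_ajax_nopriv_) and guarded
// only by a nonce. The nonce is readable by any visitor of the public page
// that embeds it, so this is unauthenticated data disclosure.
function demo_fetch_customer_vulnerable() {
    check_ajax_referer( 'demo_fetch_customer', 'nonce' );
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    wp_send_json_success( demo_lookup_customer( $email ) );
}
add_action( 'wp_ajax_demo_fetch_customer_v1',        'demo_fetch_customer_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_fetch_customer_v1', 'demo_fetch_customer_vulnerable' );

// Hardened shape: no nopriv registration, and an explicit capability check.
// The nonce defends against CSRF; the capability check is the authorization
// decision, and the two are not interchangeable.
function demo_fetch_customer_safe() {
    check_ajax_referer( 'demo_fetch_customer', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {   // narrowest capability that fits the action
        wp_send_json_error( 'forbidden', 403 );       // wp_send_json_error() exits
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    wp_send_json_success( demo_lookup_customer( $email ) );
}
add_action( 'wp_ajax_demo_fetch_customer', 'demo_fetch_customer_safe' );

// Object-level variant for actions that act on one post, like the draft_post()
// case above: check the meta capability against that post ID. A role-wide
// check would still let any editor-class user unpublish posts they do not own.
function demo_unpublish_post_safe() {
    check_ajax_referer( 'demo_unpublish_post', 'nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_update_post( array( 'ID' => $post_id, 'post_status' => 'draft' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_unpublish_post', 'demo_unpublish_post_safe' );

// Stand-in for the plugin's own storage lookup.
function demo_lookup_customer( $email ) {
    return array( 'email' => $email, 'name' => 'example' );
}
```

When reviewing a plugin for this class of bug, grep for every `wp_ajax_nopriv_` registration and every `check_ajax_referer()` / `wp_verify_nonce()` call that is not paired with a `current_user_can()` check in the same handler; the NEX-Forms entry (a class constructor doing the export) is a reminder that the handler may be an object instantiated from the hook rather than a plain function.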
Wiz
CVE-2025-68983 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68983 [CRITICAL] CVE-2025-68983 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68983 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion. This issue affects Greenmart: from n/a through <= 4.2.11.
Source : NVD
## 9.8
Score
Published December 30, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
greenmart
Sources
NVD
Wiz
CVE-2025-68845 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68845 [HIGH] CVE-2025-68845 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68845 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS. This issue affects eDS Responsive Menu: from n/a through <= 1.2.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eds-responsive-menu
Sources
NVD
Wiz
CVE-2026-2277 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2277 [CRITICAL] CVE-2026-2277 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2277 :
WordPress vulnerability analysis and mitigation
The rexCrawler plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'url' and 'regex' parameters in the search-pattern tester page in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick an administrator into performing an action such as clicking on a link. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 6.1
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV
Wiz
CVE-2026-24357 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24357 [CRITICAL] CVE-2026-24357 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24357 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-recipe-maker
Sources
NVD
Wiz
CVE-2026-24953 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24953 [CRITICAL] CVE-2026-24953 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24953 :
WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal. This issue affects Simple File List: from n/a through <= 6.1.15.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
simple-file-list
Sources
NVD
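The PHP Local File Inclusion entries on this page (Anarkali, Traveler, Jannah, VidoRev, Greenmart) and the Path Traversal entries (Product File Upload for WooCommerce, Simple File List) are two outcomes of one mistake: a request parameter is joined onto a filesystem path. For an include that means executing whatever file the attacker can point at; for a download or delete handler it means reaching files outside the intended folder. The following is an added example written for this page, not code from any of those themes or plugins or from Wiz: a hypothetical template include in the vulnerable and hardened shapes, plus a path-resolution helper for downloads. Function names, the template names and the directory layout are made up; `get_template_directory()` is a standard WordPress function, `realpath()` is PHP's.

```php
<?php
// Added example, not code from any theme or plugin listed on this page.

// Vulnerable include: the parameter is concatenated into the path, so "../"
// sequences walk out of the templates directory and any readable PHP file on
// the host (or an uploaded file containing PHP) can be pulled in and run.
function demo_render_template_vulnerable( $name ) {
    include get_template_directory() . '/templates/' . $name . '.php';
}

// Hardened include: the parameter selects from a fixed map and never becomes
// part of the path itself. Unknown values fall back to a default.
function demo_render_template_safe( $name ) {
    $templates = array(
        'grid'   => 'grid.php',
        'list'   => 'list.php',
        'single' => 'single.php',
    );
    $file = isset( $templates[ $name ] ) ? $templates[ $name ] : 'list.php';
    include get_template_directory() . '/templates/' . $file;
}

// Hardened path resolution for file downloads or deletions: canonicalise both
// the base directory and the requested target, then require the target to sit
// strictly inside the base. realpath() follows symlinks, so a symlink inside
// $base_dir that points elsewhere also fails the check, which is what we want.
function demo_resolve_download( $base_dir, $requested ) {
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . '/' . $requested );
    if ( false === $base || false === $path ) {
        return false;   // base missing, or the target does not exist
    }
    if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;   // resolved outside the base directory
    }
    return $path;
}
```

Two caveats a reviewer should keep in mind: `basename()` alone is a weaker fix than the allow-list because it still lets the caller pick any file in the directory, and a check done with string operations before canonicalisation (for example stripping `../` once) is bypassed by `....//` and by URL-encoded forms that the web server or PHP decodes later.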
Wiz
CVE-2026-24593 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24593 [CRITICAL] CVE-2026-24593 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24593 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data. This issue affects AWP Classifieds: from n/a through <= 4.4.3.
Source : NVD
## 5.3
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
another-wordpress-classifieds-plugin
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27049 [CRITICAL] CVE-2026-27049 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27049 : WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse. This issue affects Jobica Core: from n/a through <= 1.4.2.
Source : NVD
## 9.8
Score
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
jobica-core
Sources
NVD
Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69346 [MEDIUM] CVE-2025-69346 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69346 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WPCenter AffiliateX affiliatex allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AffiliateX: from n/a through <= 1.3.9.3.
Source : NVD
## 5.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
affiliatex
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3331 [CRITICAL] CVE-2026-3331 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3331 : WordPress vulnerability analysis and mitigation
The Lobot Slider Administrator plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.6.0. This is due to missing or incorrect nonce validation on the fourty_slider_options_page function. This makes it possible for unauthenticated attackers to modify plugin slider-page configuration via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1261 [CRITICAL] CVE-2026-1261 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1261 : WordPress vulnerability analysis and mitigation
The MetForm Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Quiz feature in all versions up to, and including, 3.9.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 7.2
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
metform-pro
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28022 [CRITICAL] CVE-2026-28022 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28022 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Foodie foodie allows PHP Local File Inclusion. This issue affects Foodie: from n/a through <= 1.14.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
foodie
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22409 [CRITICAL] CVE-2026-22409 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22409 : WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: from n/a through <= 1.2.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
justicia
Sources
NVD
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-39561 [MEDIUM] CVE-2025-39561 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-39561 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Marketing Fire, LLC LoginWP - Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects LoginWP - Pro: from n/a through 4.0.8.5.
Source : NVD
## 6.5
Score
Published January 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
loginwp-pro
Sources
NVD
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-13231 [MEDIUM] CVE-2025-13231 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13231 : WordPress vulnerability analysis and mitigation
The Fancy Product Designer plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.4.8. This is due to a time-of-check/time-of-use (TOCTOU) race condition in the 'url' parameter of the fpd_custom_uplod_file AJAX action. The plugin validates the URL by calling getimagesize() first, then later retrieves the same URL using file_get_contents(). This makes it possible for unauthenticated attackers to exploit the timing gap to perform SSRF attacks by serving a valid image during validation, then changing the response to redirect to arbitrary internal or external URLs during the actual fetch.
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
Wiz
blogs_wiz·CVSS 8.1
CVE-2025-49368 [HIGH] CVE-2025-49368 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49368 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Palladio palladio allows PHP Local File Inclusion. This issue affects Palladio: from n/a through <= 1.1.10.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
palladio
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28134 [CRITICAL] CVE-2026-28134 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28134 : WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in Crocoblock JetEngine jet-engine allows Remote Code Inclusion. This issue affects JetEngine: from n/a through <= 3.7.2.
Source : NVD
## 8.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
jet-engine
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27406 [CRITICAL] CVE-2026-27406 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27406 : WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in Joe Dolson My Tickets my-tickets allows Retrieve Embedded Sensitive Data. This issue affects My Tickets: from n/a through <= 2.1.0.
Source : NVD
## 7.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
my-tickets
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2231 [CRITICAL] CVE-2026-2231 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2231 : WordPress vulnerability analysis and mitigation
The Fluent Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in all versions up to, and including, 2.0.01 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 7.2
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fluent-booking
Sources
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24943 [CRITICAL] CVE-2026-24943 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24943 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS. This issue affects Grand Conference: from n/a through <= 5.3.4.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grandconference
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24956 [CRITICAL] CVE-2026-24956 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24956 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection. This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.
Source : NVD
## 9.3
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpdm-elementor
Sources
NVD
Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14843 [MEDIUM] CVE-2025-14843 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14843 : WordPress vulnerability analysis and mitigation
The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the 'handle_checkout_redirecturl_response' function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID.
Source : NVD
## 5.3
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.4
Wiz
blogs_wiz·CVSS 9.3
CVE-2025-68857 [CRITICAL] CVE-2025-68857 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68857 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15.
Source : NVD
## 9.3
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
paid-downloads
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-59130 [CRITICAL] CVE-2025-59130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59130 : WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in appointify Appointify appointify allows Cross Site Request Forgery. This issue affects Appointify: from n/a through <= 1.0.8.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
appointify
Sources
NVD
Wiz
blogs_wiz·CVSS 4.4
CVE-2025-12037 [MEDIUM] CVE-2025-12037 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12037 : WordPress vulnerability analysis and mitigation
The WP 404 Auto Redirect to Similar Post plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68514 [MEDIUM] CVE-2025-68514 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68514 : WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Paid Member Subscriptions: from n/a through <= 2.16.8.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
paid-member-subscriptions
Sources
NVD
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-49041 [MEDIUM] CVE-2025-49041 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49041 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Get Cash: from n/a through <= 3.2.3.
Source : NVD
## 6.5
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
get-cash
Sources
NVD
Wiz
blogs_wiz·CVSS 9.9
CVE-2025-31048 [CRITICAL] CVE-2025-31048 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-31048 : WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Shopo allows Upload a Web Shell to a Web Server. This issue affects Shopo: from n/a through 1.1.4.
Source : NVD
## 9.9
Score
Published January 5, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shopo
Sources
NVD
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-64246 [MEDIUM] CVE-2025-64246 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64246 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in netopsae Accessibility by AudioEye accessibility-by-audioeye allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accessibility by AudioEye: from n/a through <= 1.0.49.
Source : NVD
## 4.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
accessibility-by-audioeye
Sources
NVD
Wiz
blogs_wiz·CVSS 8.2
CVE-2025-67977 [HIGH] CVE-2025-67977 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67977 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through <= 1.0.8.
Source : NVD
## 8.2
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
happy-helpdesk-support-ticket-system
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1980 [CRITICAL] CVE-2026-1980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1980 : WordPress vulnerability analysis and mitigation
The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check on the 'get_customer_list' route in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to retrieve sensitive customer information including names, emails, phone numbers, dates of birth, and gender.
Source : NVD
## 5.3
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wpbookit
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1104 [CRITICAL] CVE-2026-1104 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1104 : WordPress vulnerability analysis and mitigation
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to unauthorized backup creation and download due to a missing capability check on REST API endpoints in all versions up to, and including, 2.7.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to create and download full-site backup archives containing the entire WordPress installation, including database exports and configuration files.
Source : NVD
## 8.8
Score
Published February 12, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
blogs_wiz·CVSS 8.2
CVE-2025-60054 [HIGH] CVE-2025-60054 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60054 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes OnLeash onleash allows PHP Local File Inclusion. This issue affects OnLeash: from n/a through <= 1.5.2.
Source : NVD
## 8.2
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
onleash
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22509 [CRITICAL] CVE-2026-22509 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22509 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Gioia gioia allows PHP Local File Inclusion. This issue affects Gioia: from n/a through <= 1.4.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
gioia
Sources
NVD
Wiz
blogs_wiz·CVSS 7.1
CVE-2025-49347 [HIGH] CVE-2025-49347 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49347 : WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Jupitercow WP sIFR wp-sifr allows Stored XSS. This issue affects WP sIFR: from n/a through <= 0.6.8.1.
Source : NVD
## 7.1
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-sifr
Sources
NVD
Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14574 [MEDIUM] CVE-2025-14574 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14574 : WordPress vulnerability analysis and mitigation
/wp-json/wp/v2/docs/settings
Source : NVD
## 5.3
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wedocs
Sources
NVD
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-69092 [MEDIUM] CVE-2025-69092 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69092 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows DOM-Based XSS. This issue affects Essential Addons for Elementor: from n/a through <= 6.5.3.
Source : NVD
## 6.5
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
essential-addons-for-elementor-lite
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1357 [CRITICAL] CVE-2026-1357 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1357 : WordPress vulnerability analysis and mitigation
The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. This is due to improper error handling in the RSA decryption process combined with a lack of path sanitization when writing uploaded files. When the plugin fails to decrypt a session key using openssl_private_decrypt(), it does not terminate execution and instead passes the boolean false value to the phpseclib library's AES cipher initialization. The library treats this false value as a string of null bytes, allowing an attacker to encrypt a malicious payload using a predictable null-byte key. Additionally, the plugin accepts filenames from the dec
Wiz
blogs_wiz·CVSS 6.1
CVE-2025-47666 [MEDIUM] CVE-2025-47666 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-47666 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7.
Source : NVD
## 6.1
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lbg_fullscreen_fullwidth_slider
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1792 [CRITICAL] CVE-2026-1792 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1792 : WordPress vulnerability analysis and mitigation
The Geo Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the URL path in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.1
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
geowidget
Sources
NVD
Wiz
blogs_wiz·CVSS 8.5
CVE-2025-68881 [HIGH] CVE-2025-68881 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68881 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5.
Source : NVD
## 8.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
appexperts
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz (blogs_wiz) · CVSS 4.3
CVE-2025-12168 [MEDIUM] CVE-2025-12168 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12168 : WordPress vulnerability analysis and mitigation
The Phrase TMS Integration for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_delete_log' AJAX endpoint in all versions up to, and including, 4.7.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete log files.
Source: NVD
Score: 4.3
Published: January 17, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: memsource-connector
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2025-50001 [CRITICAL] CVE-2025-50001 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-50001 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows Reflected XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2.
Source: NVD
Published: March 19, 2026
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: td-composer
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2025-12549 [CRITICAL] CVE-2025-12549 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12549 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech Rozy - Flower Shop rozy allows PHP Local File Inclusion. This issue affects Rozy - Flower Shop: from n/a through <= 1.2.25.
Source: NVD
Score: 9.8
Published: January 8, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 18.4
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: rozy
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-0815 [CRITICAL] CVE-2026-0815 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0815 : WordPress vulnerability analysis and mitigation
The Category Image plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tag-image' parameter in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Editor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 4.4
Published: February 11, 2026
Severity: MEDIUM
CNA Score: 4.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.4
Exploitation Probability (EPSS): N/A
Wiz (blogs_wiz) · CVSS 5.3
CVE-2025-14348 [MEDIUM] CVE-2025-14348 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14348 : WordPress vulnerability analysis and mitigation
x-wemail-user
/wp-json/wp/v2/users
Source: NVD
Score: 5.3
Published: January 20, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 22.6
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: wemail
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-1608 [CRITICAL] CVE-2026-1608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1608 : WordPress vulnerability analysis and mitigation
youtube
Source: NVD
Score: 6.4
Published: February 7, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 1.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: video-onclick
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-27370 [CRITICAL] CVE-2026-27370 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27370 : WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in Premio Chaty chaty allows Retrieve Embedded Sensitive Data. This issue affects Chaty: from n/a through <= 3.5.1.
Source: NVD
Score: 7.5
Published: March 5, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.5
Exploitation Probability (EPSS): N/A
Affected packages and libraries: chaty
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-32506 [CRITICAL] CVE-2026-32506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32506 : WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in Edge-Themes Archicon archicon allows Object Injection. This issue affects Archicon: from n/a through < 1.7.
Source: NVD
Score: 5.4
Published: March 25, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 17.2
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: archicon
Sources: NVD
Wiz (blogs_wiz) · CVSS 7.1
CVE-2025-68852 [HIGH] CVE-2025-68852 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68852 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS. This issue affects Court Reservation: from n/a through <= 1.10.11.
Source: NVD
Score: 7.1
Published: February 20, 2026
Severity: HIGH
CNA Score: 7.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: court-reservation
Sources: NVD
Wiz (blogs_wiz) · CVSS 6.5
CVE-2025-67557 [MEDIUM] CVE-2025-67557 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67557 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rhys Wynne WP eBay Product Feeds ebay-feeds-for-wordpress allows Stored XSS. This issue affects WP eBay Product Feeds: from n/a through <= 3.4.9.
Source: NVD
Score: 6.5
Published: December 9, 2025
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.8
Exploitation Probability (EPSS): N/A
Affected packages and libraries: ebay-feeds-for-wordpress
Sources: NVD
Wiz (blogs_wiz) · CVSS 8.8
CVE-2025-68585 [HIGH] CVE-2025-68585 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68585 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Ben Balter WP Document Revisions wp-document-revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a through <= 3.7.2.
Source: NVD
Score: 8.8
Published: December 24, 2025
Severity: HIGH
CNA Score: 8.8
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 18.2
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: wp-document-revisions
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-1909 [CRITICAL] CVE-2026-1909 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1909 : WordPress vulnerability analysis and mitigation
The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the 'src' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: February 6, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-1729 [CRITICAL] CVE-2026-1729 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1729 : WordPress vulnerability analysis and mitigation
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sb_login_user_with_otp_fun' function. This makes it possible for unauthenticated attackers to log in as arbitrary users, including administrators.
Source: NVD
Score: 9.8
Published: February 12, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 31.2
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: adforest
Wiz (blogs_wiz) · CVSS 6.5
CVE-2025-68028 [MEDIUM] CVE-2025-68028 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68028 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.
Source: NVD
Score: 6.5
Published: February 20, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 17.1
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: ga-for-wp
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-2826 [CRITICAL] CVE-2026-2826 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2826 : WordPress vulnerability analysis and mitigation
upload_files
process_pattern
Source: NVD
Score: 4.3
Published: April 4, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7.3
Exploitation Probability (EPSS): N/A
Affected packages and libraries: kadence-blocks
Sources: NVD
Wiz (blogs_wiz) · CVSS 4.3
CVE-2025-13628 [MEDIUM] CVE-2025-13628 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13628 : WordPress vulnerability analysis and mitigation
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulk_action_handler' and 'coupon_permanent_delete' functions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with subscriber level access and above, to delete, activate, deactivate, or trash arbitrary coupons.
Source: NVD
Score: 4.3
Published: January 9, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Wiz (blogs_wiz) · CVSS 7.1
CVE-2025-63030 [HIGH] CVE-2025-63030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63030 : WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal New User Approve new-user-approve allows Cross Site Request Forgery. This issue affects New User Approve: from n/a through <= 3.2.3.
Source: NVD
Score: 7.1
Published: December 9, 2025
Severity: HIGH
CNA Score: 7.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 5.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: new-user-approve
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2025-62154 [CRITICAL] CVE-2025-62154 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62154 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in recorp AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One ai-content-writing-assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One: from n/a through <= 1.1.7.
Source: NVD
Published: December 31, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: ai-content-writing-assistant
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-27340 [CRITICAL] CVE-2026-27340 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27340 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion. This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through <= 1.3.1.
Source: NVD
Score: 8.1
Published: March 5, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 37.5
Exploitation Probability (EPSS): 0.2
Affected packages and libraries: apollo
Sources: NVD
Wiz (blogs_wiz) · CVSS 7.1
CVE-2025-66118 [HIGH] CVE-2025-66118 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66118 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BoldGrid Sprout Clients sprout-clients allows Reflected XSS. This issue affects Sprout Clients: from n/a through <= 3.2.1.
Source: NVD
Score: 7.1
Published: December 18, 2025
Severity: HIGH
CNA Score: 7.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: sprout-clients
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-32526 [CRITICAL] CVE-2026-32526 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32526 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS. This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through <= 1.1.10.
Source: NVD
Score: 7.1
Published: March 25, 2026
Severity: HIGH
CNA Score: 7.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: woo-abandoned-cart-recovery
Sources: NVD
Wiz (blogs_wiz) · CVSS 6.4
CVE-2026-0737 [MEDIUM] CVE-2026-0737 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0737 : WordPress vulnerability analysis and mitigation
The WP Shortcodes Plugin - Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 7.4.7. This is due to insufficient input sanitization and output escaping in the 'src' attribute of the su_lightbox shortcode. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4
Published: April 4, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Wiz (blogs_wiz) · CVSS 9.8
CVE-2025-66151 [CRITICAL] CVE-2025-66151 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66151 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Countdowner for Elementor countdowner-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Countdowner for Elementor: from n/a through <= 1.0.4.
Source: NVD
Published: December 31, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: countdowner-elementor
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-3546 [CRITICAL] CVE-2026-3546 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3546 : WordPress vulnerability analysis and mitigation
The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshot_form_builder_get_account_data() function is registered as a wp_ajax_ AJAX handler accessible to all authenticated users. The function lacks any capability check (e.g., current_user_can('manage_options')) and does not verify a nonce. It directly queries the database for the e-shot API token stored in the eshotformbuilder_control table and returns it along with all subaccount data as a JSON response. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the e-shot API token and subaccount information, which could then be used to a
Wiz (blogs_wiz) · CVSS 5.4
CVE-2025-67561 [MEDIUM] CVE-2025-67561 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67561 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Oleksandr Lysyi Debug Log Viewer debug-log-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Debug Log Viewer: from n/a through <= 2.0.3.
Source: NVD
Score: 5.4
Published: December 9, 2025
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 8.4
Exploitation Probability (EPSS): N/A
Affected packages and libraries: debug-log-viewer
Sources: NVD
Wiz (blogs_wiz) · CVSS 6.4
CVE-2025-15064 [MEDIUM] CVE-2025-15064 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15064 : WordPress vulnerability analysis and mitigation
The Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user description field in all versions up to, and including, 2.11.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability is only exploitable when "HTML support for user description" is enabled in Ultimate Member settings.
Source: NVD
Score: 6.4
Published: April 4, 2026
Severity: MEDIUM
CNA Score: 6.4
Wiz (blogs_wiz) · CVSS 6.1
CVE-2025-67918 [MEDIUM] CVE-2025-67918 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67918 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS. This issue affects Woffice: from n/a through <= 5.4.30.
Source: NVD
Score: 6.1
Published: January 8, 2026
Severity: MEDIUM
CNA Score: 6.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: woffice
Sources: NVD
Wiz (blogs_wiz) · CVSS 7.2
CVE-2025-13999 [HIGH] CVE-2025-13999 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13999 : WordPress vulnerability analysis and mitigation
The HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions from 2.4.0 up to, and including, 2.5.1 via the getIcyMetadata() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Source: NVD
Score: 7.2
Published: December 19, 2025
Severity: HIGH
CNA Score: 7.2
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 28.2
Wiz (blogs_wiz) · CVSS 8.1
CVE-2025-58927 [HIGH] CVE-2025-58927 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58927 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Stallion stallion allows PHP Local File Inclusion. This issue affects Stallion: from n/a through <= 1.17.
Source: NVD
Score: 8.1
Published: December 18, 2025
Severity: HIGH
CNA Score: 8.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 38.5
Exploitation Probability (EPSS): 0.2
Affected packages and libraries: stallion
Sources: NVD
Wiz (blogs_wiz) · CVSS 4.3
CVE-2025-63012 [MEDIUM] CVE-2025-63012 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63012 : WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.8.
Source: NVD
Score: 4.3
Published: December 9, 2025
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 4.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: wp-hotel-booking
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2025-68877 [CRITICAL] CVE-2025-68877 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68877 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cedcommerce CedCommerce Integration for Good Market ced-good-market-integration allows PHP Local File Inclusion. This issue affects CedCommerce Integration for Good Market: from n/a through <= 1.0.6.
Source: NVD
Published: December 29, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 23.6
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: ced-good-market-integration
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-1994 [CRITICAL] CVE-2026-1994 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1994 : WordPress vulnerability analysis and mitigation
The s2Member plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 260127. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Source: NVD
Score: 9.8
Published: February 19, 2026
Severity: CRITICAL
CNA Score: 9.8
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 27.5
Exploitation Probability (EPSS): 0.1
Wiz (blogs_wiz) · CVSS 9.8
CVE-2026-1065 [CRITICAL] CVE-2026-1065 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1065 : WordPress vulnerability analysis and mitigation
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin's default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms.
Source: NVD
Score: 7.2
Published: February 3, 2026
Severity: HIGH
CNA Score: 7.2
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Wiz
CVE-2025-67983 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67983 [MEDIUM] CVE-2025-67983 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67983 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osama.esh WP Visitor Statistics (Real Time Traffic) wp-stats-manager allows DOM-Based XSS. This issue affects WP Visitor Statistics (Real Time Traffic): from n/a through <= 8.3.
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-stats-manager
Sources
NVD
Wiz
CVE-2026-23546 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23546 [CRITICAL] CVE-2026-23546 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23546 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data. This issue affects Classified Listing: from n/a through <= 5.3.4.
Source : NVD
## 6.5
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
classified-listing
Sources
NVD
Wiz
CVE-2026-24368 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24368 [CRITICAL] CVE-2026-24368 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24368 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0.
Source : NVD
## 8.8
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
the-grid
Sources
NVD
Wiz
CVE-2025-69349 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69349 [MEDIUM] CVE-2025-69349 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69349 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Fahad Mahmood RSS Feed Widget rss-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RSS Feed Widget: from n/a through <= 3.0.2.
Source : NVD
## 5.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rss-feed-widget
Sources
NVD
Wiz
CVE-2026-1389 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1389 [CRITICAL] CVE-2026-1389 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1389 :
WordPress vulnerability analysis and mitigation
The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the 'bplde_save_document_library', 'bplde_get_single', and 'bplde_delete_document_library' AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the 'id' parameter.
Source : NVD
## 5.3
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Wiz
CVE-2026-1047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1047 [CRITICAL] CVE-2026-1047 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1047 :
WordPress vulnerability analysis and mitigation
The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'image_url' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 4.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-15476 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-15476 [MEDIUM] CVE-2025-15476 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15476 :
WordPress vulnerability analysis and mitigation
The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add, delete, or modify arbitrary bucket list items.
Source : NVD
## 4.3
Score
Published February 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
the-bucketlister
Sources
Wiz
CVE-2025-66149 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-66149 [CRITICAL] CVE-2025-66149 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66149 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove UnGrabber ungrabber allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects UnGrabber: from n/a through <= 3.1.3.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ungrabber
Sources
NVD
Wiz
CVE-2025-68850 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68850 [CRITICAL] CVE-2025-68850 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68850 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in codepeople Sell Downloads sell-downloads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sell Downloads: from n/a through <= 1.1.12.
Source : NVD
Published January 5, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sell-downloads
Sources
NVD
Wiz
CVE-2025-14610 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-14610 [HIGH] CVE-2025-14610 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14610 :
WordPress vulnerability analysis and mitigation
The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the 'csv_url' parameter.
Source : NVD
## 7.2
Score
Published January 28, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-69090 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-69090 [HIGH] CVE-2025-69090 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69090 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Remons remons allows PHP Local File Inclusion. This issue affects Remons: from n/a through <= 1.3.4.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
remons
Sources
NVD
Wiz
CVE-2026-28050 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28050 [CRITICAL] CVE-2026-28050 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28050 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Beacon beacon allows PHP Local File Inclusion. This issue affects Beacon: from n/a through <= 2.24.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
beacon
Sources
NVD
Wiz
CVE-2026-4668 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4668 [CRITICAL] CVE-2026-4668 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4668 :
WordPress vulnerability analysis and mitigation
sort
sort
PaymentRepository.php
wpamelia-manager
Source : NVD
## 6.5
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ameliabooking
Sources
NVD
Wiz
CVE-2026-0800 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0800 [CRITICAL] CVE-2026-0800 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0800 :
WordPress vulnerability analysis and mitigation
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 7.2
Score
Published January 24, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.2
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-67914 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-67914 [HIGH] CVE-2025-67914 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67914 :
WordPress vulnerability analysis and mitigation
Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal. This issue affects VidMov: from n/a through <= 2.3.8.
Source : NVD
## 7.5
Score
Published January 8, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vidmov
Sources
NVD
Wiz
CVE-2024-43228 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2024-43228 [MEDIUM] CVE-2024-43228 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-43228 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in SecuPress SecuPress Free secupress. This issue affects SecuPress Free: from n/a through <= 2.2.5.3.
Source : NVD
## 5.3
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
secupress
Sources
NVD
Wiz
CVE-2025-63035 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-63035 [MEDIUM] CVE-2025-63035 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63035 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VibeThemes WPLMS wplms_plugin allows DOM-Based XSS. This issue affects WPLMS: from n/a through <= 1.9.9.5.4.
Source : NVD
## 6.5
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wplms_plugin
Sources
NVD
Wiz
CVE-2025-69313 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69313 [HIGH] CVE-2025-69313 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69313 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3.
Source : NVD
## 7.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-post
Sources
NVD
Wiz
CVE-2025-49353 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-49353 [CRITICAL] CVE-2025-49353 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49353 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Marcin Kijak Noindex by Path noindex-by-path allows Stored XSS. This issue affects Noindex by Path: from n/a through <= 1.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
noindex-by-path
Sources
NVD
Wiz
CVE-2025-53344 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-53344 [MEDIUM] CVE-2025-53344 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53344 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in ThimPress Thim Core allows Cross Site Request Forgery. This issue affects Thim Core: from n/a through 2.3.3.
Source : NVD
## 4.3
Score
Published January 5, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
thim-core
Sources
NVD
Wiz
CVE-2025-13884 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13884 [MEDIUM] CVE-2025-13884 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13884 :
WordPress vulnerability analysis and mitigation
bg-hide-email-address
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bg-hide-email-address
Sources
NVD
Wiz
CVE-2026-1797 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1797 [CRITICAL] CVE-2026-1797 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1797 :
WordPress vulnerability analysis and mitigation
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 via its views PHP files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed views PHP files via direct access.
Source : NVD
## 5.3
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
truebooker-appointment-booking
Sources
Wiz
CVE-2026-4987 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4987 [CRITICAL] CVE-2026-4987 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4987 :
WordPress vulnerability analysis and mitigation
The SureForms – Contact Form, Payment Form & Other Custom Form Builder plugin for WordPress is vulnerable to Payment Amount Bypass in all versions up to, and including, 2.5.2. This is due to the create_payment_intent() function performing a payment validation solely based on the value of a user-controlled parameter. This makes it possible for unauthenticated attackers to bypass configured form payment-amount validation and create underpriced payment/subscription intents by setting form_id to 0.
Source : NVD
## 7.5
Score
Published March 28, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-68901 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-68901 [HIGH] CVE-2025-68901 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68901 :
WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0.
Source : NVD
## 8.6
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
anona
Sources
NVD
Wiz
CVE-2025-68889 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68889 [HIGH] CVE-2025-68889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68889 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS. This issue affects Pinpoll: from n/a through <= 4.0.0.
Source : NVD
## 7.1
Score
Published January 8, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pinpoll
Sources
NVD
Wiz
CVE-2026-28096 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28096 [CRITICAL] CVE-2026-28096 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28096 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX WealthCo wealthco allows PHP Local File Inclusion. This issue affects WealthCo: from n/a through <= 2.18.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
wealthco
Sources
NVD
Wiz
CVE-2025-9436 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-9436 [MEDIUM] CVE-2025-9436 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9436 :
WordPress vulnerability analysis and mitigation
trustindex
Source : NVD
## 6.4
Score
Published December 11, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-reviews-plugin-for-google
Sources
NVD
Wiz
CVE-2026-25394 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25394 [CRITICAL] CVE-2026-25394 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25394 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in sparklewpthemes Fitness FSE fitness-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fitness FSE: from n/a through <= 1.0.6.
Source : NVD
## 4.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fitness-fse
Sources
NVD
Wiz
CVE-2025-68583 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68583 [HIGH] CVE-2025-68583 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68583 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Tikweb Management Fast User Switching fast-user-switching allows Cross Site Request Forgery. This issue affects Fast User Switching: from n/a through <= 1.4.10.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fast-user-switching
Sources
NVD
Wiz
CVE-2025-14445 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14445 [MEDIUM] CVE-2025-14445 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14445 :
WordPress vulnerability analysis and mitigation
The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Wiz
CVE-2025-14508 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-14508 [MEDIUM] CVE-2025-14508 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14508 :
WordPress vulnerability analysis and mitigation
upload_files
Source : NVD
## 6.5
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mediacommander
Sources
NVD
Wiz
CVE-2026-27376 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27376 [CRITICAL] CVE-2026-27376 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27376 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in JanStudio Claue - Clean, Minimal Elementor WooCommerce Theme claue allows Reflected XSS. This issue affects Claue - Clean, Minimal Elementor WooCommerce Theme: from n/a through <= 2.2.7.
Source : NVD
## 7.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
claue
Sources
NVD
Wiz
CVE-2026-27384 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27384 [CRITICAL] CVE-2026-27384 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27384 :
WordPress vulnerability analysis and mitigation
Improper Validation of Specified Quantity in Input vulnerability in BoldGrid W3 Total Cache w3-total-cache allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects W3 Total Cache: from n/a through <= 2.9.1.
Source : NVD
## 9
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.0
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
w3-total-cache
Sources
NVD
Wiz
CVE-2025-15400 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-15400 [MEDIUM] CVE-2025-15400 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15400 :
WordPress vulnerability analysis and mitigation
The OpenPix for WooCommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated user, such as a subscriber, to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
Source : NVD
Score 6.5
Published February 11, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openpix-for-woocomme
## CVE-2025-15030: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account
Source : NVD
Score 9.8
Published February 2, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
profile-builder
Sources
NVD
## CVE-2025-62150: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Missing Authorization vulnerability in themesawesome History Timeline timeline-awesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects History Timeline: from n/a through <= 1.0.6.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
timeline-awesome
Sources
NVD
## CVE-2025-67982: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 8.1)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through <= 2.5.12.
Source : NVD
Score 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
urna
Sources
NVD
## CVE-2025-53237: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 7.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS. This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-wizard-cloak
Sources
NVD
## CVE-2026-24367: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8.
Source : NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
traveler
Sources
NVD
## CVE-2025-67964: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 7.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
homey-core
Sources
NVD
## CVE-2026-1000: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.
Source : NVD
Score 6.5
Published January 16, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
## CVE-2026-25361: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in magepeopleteam WpEvently mage-eventpress allows Reflected XSS. This issue affects WpEvently: from n/a through <= 5.1.4.
Source : NVD
Score 7.1
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mage-eventpress
Sources
NVD
## CVE-2026-2418: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
The Login with Salesforce WordPress plugin through 1.0.2 does not validate that users are allowed to login through Salesforce, allowing unauthenticated users to be authenticated as any user (such as admin) by simply knowing the email
Source : NVD
Score 9.1
Published March 5, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
login-with-salesforce
Sources
NVD
## CVE-2026-1277: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
The URL Shortify plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 1.12.1 due to insufficient validation on the 'redirect_to' parameter in the promotional dismissal handler. This makes it possible for unauthenticated attackers to redirect users to potentially malicious sites via a crafted link.
Source : NVD
Score 4.7
Published February 18, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.9
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
url-shortify
Sources
NVD
## CVE-2025-67986: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows DOM-Based XSS. This issue affects Document Library Lite: from n/a through <= 1.1.7.
Source : NVD
Score 6.1
Published December 16, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
document-library-lite
Sources
NVD
## CVE-2026-0552: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.4)
The Simple Shopping Cart plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wpsc_display_product' shortcode in all versions up to, and including, 5.2.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published April 4, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
## CVE-2025-14453: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.4)
The My Album Gallery plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style_css' shortcode attribute in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
## CVE-2026-22353: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through <= 9.0.12.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
teachpress
Sources
NVD
## CVE-2026-2289: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published March 4, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-68086: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 5.4)
Missing Authorization vulnerability in merkulove Reformer for Elementor reformer-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reformer for Elementor: from n/a through <= 1.0.6.
Source : NVD
Score 5.4
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
reformer-elementor
Sources
NVD
## CVE-2025-12835: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 7.3)
The WooMulti WordPress plugin through 17 does not validate a file parameter when deleting files, which could allow any authenticated users, such as subscriber to delete arbitrary files on the server.
Source : NVD
Score 7.3
Published December 12, 2025
Severity HIGH
CNA Score 7.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woomulti
Sources
NVD
## CVE-2026-27993: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aldo aldo allows PHP Local File Inclusion. This issue affects Aldo: from n/a through <= 1.0.10.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
aldo
Sources
NVD
## CVE-2025-15475: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 5.3)
The PayHere Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to an improper validation logic in the check_payhere_response function in all versions up to, and including, 2.3.9. This makes it possible for unauthenticated attackers to change the status of pending WooCommerce orders to paid/completed/on hold.
Source : NVD
Score 5.3
Published January 14, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
payhere-payme
## CVE-2025-68516: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 7.5)
Insertion of Sensitive Information Into Sent Data vulnerability in Essekia Tablesome tablesome allows Retrieve Embedded Sensitive Data. This issue affects Tablesome: from n/a through <= 1.1.35.1.
Source : NVD
Score 7.5
Published December 24, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tablesome
Sources
NVD
## CVE-2025-69011: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.5)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS. This issue affects Cool Tag Cloud: from n/a through <= 2.29.
Source : NVD
Score 6.5
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cool-tag-cloud
Sources
NVD
## CVE-2026-4306: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
The WP Job Portal plugin for WordPress is vulnerable to SQL Injection via the 'radius' parameter in all versions up to, and including, 2.4.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score 7.5
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26
## CVE-2026-27074: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vaakash Shortcoder shortcoder allows Stored XSS. This issue affects Shortcoder: from n/a through <= 6.5.1.
Source : NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shortcoder
Sources
NVD
## CVE-2025-68996: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 7.5)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows PHP Local File Inclusion. This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.
Source : NVD
Score 7.5
Published December 30, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
responsive-posts-carousel-pro
Sources
NVD
## CVE-2026-28034: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Progress progress allows PHP Local File Inclusion. This issue affects Progress: from n/a through <= 1.2.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
progress
Sources
NVD
## CVE-2026-32510: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Deserialization of Untrusted Data vulnerability in Edge-Themes Kamperen kamperen allows Object Injection. This issue affects Kamperen: from n/a through < 1.3.
Source : NVD
Score 5.4
Published March 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kamperen
Sources
NVD
## CVE-2026-24535: WordPress vulnerability analysis and mitigation (Wiz; listed CRITICAL, CVSS 9.8)
Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7.
Source : NVD
Score 4.3
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
automatic-featured-images-from-videos
Sources
NVD
## CVE-2025-68072: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.5)
Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.20.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-property-listings
Sources
NVD
## CVE-2025-14985: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.4)
The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 24, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
## CVE-2025-12551: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 6.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS. This issue affects ListingHub: from n/a through 1.2.6.
Source : NVD
Score 6.1
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
listinghub
Sources
NVD
## CVE-2025-66164: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 5.4)
Missing Authorization vulnerability in merkulove Laser laser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Laser: from n/a through <= 1.1.1.
Source : NVD
Score 5.4
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
laser
Sources
NVD
## CVE-2025-67619: WordPress vulnerability analysis and mitigation (Wiz; listed HIGH, CVSS 8.8)
Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection. This issue affects Kids Heaven: from n/a through <= 3.2.
Source : NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kids-world
Sources
NVD
## CVE-2025-67631: WordPress vulnerability analysis and mitigation (Wiz; listed MEDIUM, CVSS 5.4)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ecommerce Platforms Gift Hunt gift-hunt allows Stored XSS. This issue affects Gift Hunt: from n/a through <= 2.0.2.
Source : NVD
Score 5.4
Published December 24, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gift-hunt
Sources
NVD
Wiz
CVE-2026-25363 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25363 [CRITICAL] CVE-2026-25363 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25363 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in FooPlugins FooGallery foogallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FooGallery: from n/a through <= 3.1.11.
Source : NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries foogallery
Sources NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1275 [CRITICAL] CVE-2026-1275 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1275 :
WordPress vulnerability analysis and mitigation
The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' parameter in the post_slides_shortcode function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24583 [CRITICAL] CVE-2026-24583 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24583 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9.
Source : NVD
Score 5.3
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries sumup-payment-gateway-for-woocommerce
Sources NVD
Wiz
blogs_wiz·CVSS 6.4
CVE-2025-9856 [MEDIUM] CVE-2025-9856 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9856 :
WordPress vulnerability analysis and mitigation
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'sg_popup' shortcode in all versions up to, and including, 4.4.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28124 [CRITICAL] CVE-2026-28124 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28124 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Notarius notarius allows PHP Local File Inclusion. This issue affects Notarius: from n/a through <= 1.9.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries notarius
Sources NVD
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13527 [MEDIUM] CVE-2025-13527 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13527 :
WordPress vulnerability analysis and mitigation
The xShare plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'xshare_plugin_reset()' function. This makes it possible for unauthenticated attackers to reset the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published January 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27090 [CRITICAL] CVE-2026-27090 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27090 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in WP Moose Kenta Companion kenta-companion allows Cross Site Request Forgery. This issue affects Kenta Companion: from n/a through <= 1.3.3.
Source : NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries kenta-companion
Sources NVD
Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68843 [HIGH] CVE-2025-68843 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68843 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS. This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries faf
Sources NVD
Wiz
blogs_wiz·CVSS 6.1
CVE-2025-68977 [MEDIUM] CVE-2025-68977 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68977 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Portfolio Addon designthemes-portfolio-addon allows DOM-Based XSS. This issue affects DesignThemes Portfolio Addon: from n/a through <= 1.5.
Source : NVD
Score 6.1
Published December 30, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries designthemes-portfolio-addon
Sources NVD
Wiz
blogs_wiz·CVSS 7.1
CVE-2025-69320 [HIGH] CVE-2025-69320 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69320 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries grandmagazine
Sources NVD
Wiz
blogs_wiz·CVSS 5.4
CVE-2025-14718 [MEDIUM] CVE-2025-14718 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14718 :
WordPress vulnerability analysis and mitigation
The Schedule Post Changes With PublishPress Future plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.9.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Contributor-level access and above, to create, update, delete, and publish malicious workflows that may automatically delete any post upon publication or update, including posts created by administrators.
Source : NVD
Score 5.4
Published January 9, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2279 [CRITICAL] CVE-2026-2279 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2279 :
WordPress vulnerability analysis and mitigation
The myLinksDump plugin for WordPress is vulnerable to SQL Injection via the 'sort_by' and 'sort_order' parameters in all versions up to, and including, 1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score 7.2
Published March 21, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
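The myLinksDump entry above is the ORDER BY variant of SQL injection: `sort_by` and `sort_order` are SQL identifiers, not values, so neither escaping nor `$wpdb->prepare()` placeholders can protect them. The only correct fix is to map request input onto a fixed allowlist. The block below is an added illustration with hypothetical table and column names, not the plugin's code; it builds the query string both ways so the difference is visible without a database.

```php
<?php
declare(strict_types=1);
// Added example, not plugin code. Table wp_demo_links and its columns are hypothetical.

/**
 * Vulnerable: request values are interpolated as SQL identifiers. Escaping does not help
 * because ORDER BY columns and directions are never inside quotes, and $wpdb->prepare()
 * has no placeholder type for identifiers.
 */
function build_links_query_vulnerable(array $request): string
{
    $sort_by    = $request['sort_by']    ?? 'id';
    $sort_order = $request['sort_order'] ?? 'ASC';
    return "SELECT id, url, title FROM wp_demo_links ORDER BY {$sort_by} {$sort_order}";
}

/**
 * Hardened: the column is looked up in an allowlist keyed by the request value (unknown
 * keys fall back to 'id'), the direction is a two-way switch, and the one real value
 * (LIMIT) is cast to a bounded integer. In WordPress, string values would additionally
 * go through $wpdb->prepare() with %s/%d placeholders.
 */
function build_links_query_safe(array $request): string
{
    $columns = ['id' => 'id', 'title' => 'title', 'created' => 'created_at'];
    $column  = $columns[(string) ($request['sort_by'] ?? '')] ?? 'id';
    $order   = strtoupper((string) ($request['sort_order'] ?? 'ASC')) === 'DESC' ? 'DESC' : 'ASC';
    $limit   = min(100, max(1, (int) ($request['limit'] ?? 20)));
    return "SELECT id, url, title FROM wp_demo_links ORDER BY {$column} {$order} LIMIT {$limit}";
}

// Constructed attacker input: a subquery smuggled in through sort_order, junk after a numeric limit.
$attack = [
    'sort_by'    => 'id',
    'sort_order' => 'ASC, (SELECT SLEEP(5))',
    'limit'      => '5; DROP TABLE wp_demo_links',
];

echo build_links_query_vulnerable($attack), "\n";
echo build_links_query_safe($attack), "\n";
```

Run with `php` and compare the two printed statements: the first carries the attacker's subquery verbatim, the second reduces to `ORDER BY id ASC LIMIT 5`. The allowlist is also where you decide which columns are safe to sort on at all, which `esc_sql()` can never tell you.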
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28088 [CRITICAL] CVE-2026-28088 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28088 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Aqualots aqualots allows PHP Local File Inclusion. This issue affects Aqualots: from n/a through <= 1.1.6.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries aqualots
Sources NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1901 [CRITICAL] CVE-2026-1901 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1901 :
WordPress vulnerability analysis and mitigation
The QuestionPro Surveys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'questionpro' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62960 [CRITICAL] CVE-2025-62960 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62960 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in sparklewpthemes Construction Light construction-light allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Construction Light: from n/a through <= 1.6.7.
Source : NVD
Published December 18, 2025
CNA Score N/A
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries construction-light
Sources NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24386 [CRITICAL] CVE-2026-24386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24386 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4.
Source : NVD
Score 4.3
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries elementinvader
Sources NVD
Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13693 [MEDIUM] CVE-2025-13693 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13693 :
WordPress vulnerability analysis and mitigation
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom scripts' setting in all versions up to, and including, 3.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published December 21, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Wiz
blogs_wiz·CVSS 6.1
CVE-2025-13861 [MEDIUM] CVE-2025-13861 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13861 :
WordPress vulnerability analysis and mitigation
The HTML Forms – Simple WordPress Forms Plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in all versions up to and including 1.6.0 due to insufficient sanitization of fabricated file upload field metadata before displaying it in the WordPress admin dashboard. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute whenever an administrator accesses the form submissions page.
Source : NVD
Score 6.1
Published December 17, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1216 [CRITICAL] CVE-2026-1216 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1216 :
WordPress vulnerability analysis and mitigation
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
Score 7.2
Published February 17, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.7
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2367 [CRITICAL] CVE-2026-2367 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2367 :
WordPress vulnerability analysis and mitigation
The Secure Copy Content Protection and Content Locking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ays_block' shortcode in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 25, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
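Four entries on this page (Multi Post Carousel by Category, Popup Builder, QuestionPro Surveys, and the Secure Copy Content Protection entry above) describe the same pattern: a shortcode handler echoes user-supplied attributes into HTML without output escaping, so a Contributor can store script in a post. The block below is an added illustration, not code from any of those plugins; the shortcode `[demo_slides]`, its attributes and the handler names are hypothetical. The `function_exists` shims stand in for WordPress's `shortcode_atts()`, `esc_attr()`, `esc_html()` and `absint()` so the file runs under plain `php`; inside WordPress the real functions are already defined and the shims are skipped.

```php
<?php
declare(strict_types=1);
// Added example, not plugin code. Shortcode name, attributes and handlers are hypothetical.

// Stand-alone shims; WordPress defines the real ones and these are then skipped.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts, string $shortcode = ''): array
    {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string { return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html(string $text): string { return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
}
if (!function_exists('absint')) {
    function absint(mixed $v): int { return abs((int) $v); }
}

/**
 * Vulnerable: attribute values go straight into markup. Anyone who can save post
 * content containing [demo_slides ...] (Contributor and above) controls both the
 * data-slides attribute and the element body.
 */
function demo_slides_shortcode_vulnerable(array $atts): string
{
    $a = shortcode_atts(['slides' => '3', 'title' => ''], $atts, 'demo_slides');
    return '<div class="slides" data-slides="' . $a['slides'] . '">' . $a['title'] . '</div>';
}

/**
 * Hardened: coerce what has a type (slides is a count), and escape the rest for the
 * exact context it lands in: esc_attr() inside a quoted attribute, esc_html() in text.
 */
function demo_slides_shortcode_safe(array $atts): string
{
    $a      = shortcode_atts(['slides' => '3', 'title' => ''], $atts, 'demo_slides');
    $slides = absint($a['slides']);
    return '<div class="slides" data-slides="' . esc_attr((string) $slides) . '">'
         . esc_html((string) $a['title']) . '</div>';
}

// Constructed attacker attributes, as the handler would receive them from post content.
$attack = [
    'slides' => '3" onmouseover="alert(1)',
    'title'  => '<img src=x onerror=alert(1)>',
];

echo demo_slides_shortcode_vulnerable($attack), "\n";
echo demo_slides_shortcode_safe($attack), "\n";
```

The same rule covers the reflected variants on this page (RSS Aggregator's `template` parameter, the two `Reflected XSS` theme entries): the escaping function is chosen by output context, and a value that should be a number or an allowlisted token is coerced rather than escaped.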
Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14357 [MEDIUM] CVE-2025-14357 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14357 :
WordPress vulnerability analysis and mitigation
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary pages and modify site settings.
Source : NVD
Score 5.3
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-49356 [CRITICAL] CVE-2025-49356 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49356 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Mykola Lukin Orders Chat for WooCommerce orders-chat-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orders Chat for WooCommerce: from n/a through <= 1.2.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries orders-chat-for-woocommerce
Sources NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0831 [CRITICAL] CVE-2026-0831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0831 :
WordPress vulnerability analysis and mitigation
Description not recovered from the source; the identifiers it referenced: `save_template_to_file()`, `session_id`, `content_id`, `ai_page_ids`, `.ai.json`
Source : NVD
Score 5.3
Published January 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries templately
Sources NVD
Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58900 [HIGH] CVE-2025-58900 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58900 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes UniTravel unitravel allows PHP Local File Inclusion. This issue affects UniTravel: from n/a through <= 1.4.2.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries unitravel
Sources NVD
Wiz
blogs_wiz·CVSS 8.2
CVE-2025-60055 [HIGH] CVE-2025-60055 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60055 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fabrica fabrica allows PHP Local File Inclusion. This issue affects Fabrica: from n/a through <= 1.8.1.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.9
Exploitation Probability (EPSS) 0.2
Affected packages and libraries fabrica
Sources NVD
Wiz
blogs_wiz·CVSS 4.4
CVE-2025-15021 [MEDIUM] CVE-2025-15021 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15021 :
WordPress vulnerability analysis and mitigation
The Gotham Block Extra Light plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published January 14, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69022 [MEDIUM] CVE-2025-69022 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69022 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Weblizar - WordPress Themes & Plugin HR Management Lite hr-management-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HR Management Lite: from n/a through <= 3.6.
Source : NVD
Score 5.4
Published December 30, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries hr-management-lite
Sources NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22389 [CRITICAL] CVE-2026-22389 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22389 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cocco cocco allows PHP Local File Inclusion. This issue affects Cocco: from n/a through <= 1.5.1.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries cocco
Sources NVD
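Five theme entries on this page (Notarius, Aqualots, UniTravel, Fabrica and Cocco above) carry the same CWE: a request value ends up in an `include`/`require` path, so `../` sequences walk out of the theme directory. The block below is an added illustration, not code from any of those themes; the `templates/` layout, the allowlist and the function names are hypothetical. It resolves a requested template name two ways and shows which requests each one would include, using a throwaway directory it creates and removes itself.

```php
<?php
declare(strict_types=1);
// Added example, not theme code. Directory layout and template names are hypothetical.

/** Vulnerable: the request value becomes part of the path. "../" escapes the templates directory. */
function resolve_template_vulnerable(string $themeDir, string $requested): string
{
    return $themeDir . '/templates/' . $requested . '.php';
}

/**
 * Hardened: an allowlist decides what may be included at all; the realpath() containment
 * check is defence in depth against a future allowlist entry that turns out to be dynamic.
 * Note realpath() only works for files that exist, which is why the allowlist comes first.
 */
function resolve_template_safe(string $themeDir, string $requested): ?string
{
    $allowed = ['grid', 'list', 'single'];
    if (!in_array($requested, $allowed, true)) {
        return null;
    }
    $base = realpath($themeDir . '/templates');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $requested . '.php');
    if ($path === false || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed fixture: a throwaway theme with one real template and a secret two levels up.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($root . '/theme/templates', 0700, true);
file_put_contents($root . '/theme/templates/grid.php', "<?php echo 'grid template';\n");
file_put_contents($root . '/wp-config.php', "<?php // DB credentials would live here\n");
$theme = $root . '/theme';

foreach (['grid', '../../wp-config', 'single'] as $req) {
    $vuln = resolve_template_vulnerable($theme, $req);
    printf("%-18s vulnerable=%s  safe=%s\n",
        $req,
        file_exists($vuln) ? 'INCLUDES ' . basename($vuln) : 'missing',
        resolve_template_safe($theme, $req) === null ? 'refused' : 'includes grid.php or allowlisted file');
}

// Clean up the fixture.
unlink($root . '/theme/templates/grid.php');
unlink($root . '/wp-config.php');
rmdir($root . '/theme/templates');
rmdir($root . '/theme');
rmdir($root);
```

The third request, `single`, is allowlisted but has no file, so the hardened resolver refuses it rather than letting `include` emit a warning and continue; the vulnerable resolver would happily include `wp-config.php` for the second. An allowlist also closes the `php://filter` and `data:` wrapper cases that a pure path-prefix check cannot express.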
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62757 [CRITICAL] CVE-2025-62757 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62757 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebMan Design | Oliver Juhas WebMan Amplifier webman-amplifier allows DOM-Based XSS. This issue affects WebMan Amplifier: from n/a through <= 1.5.12.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries webman-amplifier
Sources NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-66150 [CRITICAL] CVE-2025-66150 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66150 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Appender appender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Appender: from n/a through <= 1.1.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries appender
Sources NVD
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14581 [MEDIUM] CVE-2025-14581 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14581 :
WordPress vulnerability analysis and mitigation
The HAPPY – Helpdesk Support Ticket System plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the 'submit_form_reply' AJAX action in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to submit replies to arbitrary support tickets by manipulating the 'happy_topic_id' parameter, regardless of whether they are the ticket owner or have been assigned to the ticket.
Source : NVD
Score 5.3
Published December 13, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
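The HAPPY entry above, the Mega Store `setup_widgets()` entry and the PublishPress Future entry all describe a missing capability check: being logged in (Subscriber or Contributor) is treated as being authorised, and an object identifier such as `happy_topic_id` is never tied back to the caller. The block below is an added illustration, not the plugin's code; the ticket model, user records and handler names are hypothetical, and plain arrays stand in for WordPress users and posts so the file runs under `php`. Inside WordPress the same checks are written with `get_current_user_id()`, `current_user_can()` and the post's author/meta fields.

```php
<?php
declare(strict_types=1);
// Added example, not plugin code. Tickets, users and capabilities below are constructed fixtures.

$tickets = [
    17 => ['id' => 17, 'owner' => 3, 'assignee' => 8],
    18 => ['id' => 18, 'owner' => 5, 'assignee' => 8],
];
$users = [
    3 => ['id' => 3, 'caps' => ['read']],                      // Subscriber, owns ticket 17
    5 => ['id' => 5, 'caps' => ['read']],                      // Subscriber, owns ticket 18
    8 => ['id' => 8, 'caps' => ['read', 'manage_tickets']],    // support agent, assigned to both
];

/**
 * Vulnerable: the AJAX handler runs for any logged-in user (wp_ajax_* hooks already
 * imply that) and trusts the ticket id from the request. Any Subscriber can reply to
 * any ticket by changing topic_id.
 */
function submit_reply_vulnerable(array $user, array $tickets, array $request): string
{
    $ticket = $tickets[(int) ($request['topic_id'] ?? 0)] ?? null;
    if ($ticket === null) {
        return 'not found (404)';
    }
    return "reply added to ticket {$ticket['id']} by user {$user['id']}";
}

/**
 * Hardened: authorisation is a property of (user, object, action). The caller must own
 * the ticket, or hold the agent capability and be assigned to it. Everything else is 403.
 */
function submit_reply_safe(array $user, array $tickets, array $request): string
{
    $ticket = $tickets[(int) ($request['topic_id'] ?? 0)] ?? null;
    if ($ticket === null) {
        return 'not found (404)';
    }
    $isOwner    = $ticket['owner'] === $user['id'];
    $isAssignee = $ticket['assignee'] === $user['id']
               && in_array('manage_tickets', $user['caps'], true);   // current_user_can() in WordPress
    if (!$isOwner && !$isAssignee) {
        return 'forbidden (403)';                                    // wp_send_json_error(null, 403)
    }
    return "reply added to ticket {$ticket['id']} by user {$user['id']}";
}

// Subscriber 5 targets ticket 17, which belongs to user 3.
$request = ['topic_id' => '17'];
echo 'vulnerable, user 5: ', submit_reply_vulnerable($users[5], $tickets, $request), "\n";
echo 'safe,       user 5: ', submit_reply_safe($users[5], $tickets, $request), "\n";
echo 'safe,       user 3: ', submit_reply_safe($users[3], $tickets, $request), "\n";
echo 'safe,       user 8: ', submit_reply_safe($users[8], $tickets, $request), "\n";
```

The point the `Missing Authorization` entries on this page share is the second function's shape: a capability check answers "may this role do this kind of thing", and the ownership check answers "to this object"; both are needed, and neither is implied by a successful login or a valid nonce.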
Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69021 [MEDIUM] CVE-2025-69021 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69021 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery. This issue affects Popup box: from n/a through <= 6.0.7.
Source : NVD
Score 5.4
Published December 30, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries ays-popup-box
Sources NVD
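Three CSRF entries on this page (xShare, whose description names the missing nonce on `xshare_plugin_reset()`, Kenta Companion, and the Popup box entry above) come down to a state-changing admin action that fires on any request carrying the right parameter. The block below is an added illustration, not code from those plugins; the `demo_reset` action and `demo_create_nonce()`/`demo_verify_nonce()` are hypothetical stand-ins for `wp_create_nonce()`/`wp_verify_nonce()` (same shape: action, user, time window, site secret; simplified so the file runs under plain `php`, whereas WordPress hashes with `wp_hash()` and accepts the current and previous 12-hour tick). In a real plugin the hardened handler calls `current_user_can('manage_options')` and `check_admin_referer('demo_reset')`.

```php
<?php
declare(strict_types=1);
// Added example, not plugin code. Nonce helpers below imitate the shape of WordPress's, not its implementation.

const DEMO_SECRET = 'constructed-secret-for-this-demo-only';   // WordPress derives this from the salts

function demo_create_nonce(string $action, int $userId, int $now): string
{
    $tick = intdiv($now, 43200);                              // 12-hour window, as WordPress uses
    return substr(hash_hmac('sha256', "$action|$userId|$tick", DEMO_SECRET), 0, 10);
}

function demo_verify_nonce(string $nonce, string $action, int $userId, int $now): bool
{
    $tick = intdiv($now, 43200);
    foreach ([$tick, $tick - 1] as $t) {                      // accept current and previous window
        $expected = substr(hash_hmac('sha256', "$action|$userId|$t", DEMO_SECRET), 0, 10);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

/**
 * Vulnerable: any request with the flag resets settings. An <img src="...?demo_reset=1">
 * on a page the administrator visits is enough, because the browser attaches the admin cookie.
 */
function handle_reset_vulnerable(array $request, array &$settings): string
{
    if (!isset($request['demo_reset'])) {
        return 'no-op';
    }
    $settings = [];
    return 'settings reset';
}

/**
 * Hardened: a capability check (is this user allowed to do this) and a nonce check (did the
 * request originate from our own page, with this user's intent). The forged request fails the
 * second because the attacker cannot read the nonce embedded in the admin's page.
 */
function handle_reset_safe(array $request, array &$settings, array $user, int $now): string
{
    if (!isset($request['demo_reset'])) {
        return 'no-op';
    }
    if (!in_array('manage_options', $user['caps'], true)) {
        return 'forbidden (403)';
    }
    if (!demo_verify_nonce((string) ($request['_wpnonce'] ?? ''), 'demo_reset', $user['id'], $now)) {
        return 'nonce check failed (403)';
    }
    $settings = [];
    return 'settings reset';
}

$admin    = ['id' => 1, 'caps' => ['manage_options']];
$now      = time();
$defaults = ['share_buttons' => ['x', 'facebook']];

// Forged cross-site request: the attacker controls the URL but has no nonce.
$forged   = ['demo_reset' => '1'];
$settings = $defaults;
echo 'vulnerable, forged: ', handle_reset_vulnerable($forged, $settings), "\n";
$settings = $defaults;
echo 'safe,       forged: ', handle_reset_safe($forged, $settings, $admin, $now), "\n";

// Legitimate submission from the plugin's own settings page, which embedded the nonce.
$legit = ['demo_reset' => '1', '_wpnonce' => demo_create_nonce('demo_reset', $admin['id'], $now)];
echo 'safe,       legit:  ', handle_reset_safe($legit, $settings, $admin, $now), "\n";
```

Two details matter in practice: the nonce is bound to the action name and the user, so one leaked nonce cannot be replayed against a different action, and the comparison uses `hash_equals()` rather than `==`. The nonce is not an authorisation check, which is why the capability test stays alongside it.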
Wiz
blogs_wiz·CVSS 6.5
CVE-2024-56208 [MEDIUM] CVE-2024-56208 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-56208 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS. This issue affects NewsMash: from n/a through <= 1.0.71.
Source : NVD
Score 6.5
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries newsdaily
Sources NVD
Wiz
blogs_wiz·CVSS 8.8
CVE-2025-15386 [HIGH] CVE-2025-15386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15386 :
WordPress vulnerability analysis and mitigation
The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved.
Source : NVD
Score 8.8
Published February 24, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15
Exploitation Probability (EPSS) N/A
Affected packages and libraries responsive-lightbox
Sources NVD
Wiz
CVE-2025-63052 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-63052 [MEDIUM] CVE-2025-63052 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63052 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GalleryCreator SimpLy Gallery simply-gallery-block allows Stored XSS. This issue affects SimpLy Gallery: from n/a through <= 3.3.2.1.
Source : NVD
## 6.5
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simply-gallery-block
Sources
NVD
Wiz
CVE-2025-10753 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-10753 [MEDIUM] CVE-2025-10753 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-10753 :
WordPress vulnerability analysis and mitigation
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the 'oauthredirect' option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly.
Source : NVD
## 5.3
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-2466 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2466 [CRITICAL] CVE-2026-2466 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2466 :
WordPress vulnerability analysis and mitigation
The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Source : NVD
## 7.1
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dukapress
Sources
NVD
Wiz
CVE-2025-63028 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-63028 [MEDIUM] CVE-2025-63028 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63028 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
traveler
Sources
NVD
Wiz
CVE-2025-66139 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-66139 [MEDIUM] CVE-2025-66139 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66139 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
audier-elementor
Sources
NVD
Wiz
CVE-2025-4521 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-4521 [HIGH] CVE-2025-4521 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-4521 :
WordPress vulnerability analysis and mitigation
The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to hijack any account by reassigning its email address (via the donor_id they supply) and then triggering a password reset, ultimately granting themselves full administrator privileges.
Source : NVD
## 8.8
Score
Published February 19, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-28011 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28011 [CRITICAL] CVE-2026-28011 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28011 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yottis yottis allows PHP Local File Inclusion. This issue affects Yottis: from n/a through <= 1.0.10.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
yottis
Sources
NVD
Wiz
CVE-2026-27428 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27428 [CRITICAL] CVE-2026-27428 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27428 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Eagle-Themes Eagle Booking eagle-booking allows SQL Injection. This issue affects Eagle Booking: from n/a through <= 1.3.4.3.
Source : NVD
## 8.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eagle-booking
Sources
NVD
Wiz
CVE-2026-1656 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1656 [CRITICAL] CVE-2026-1656 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1656 :
WordPress vulnerability analysis and mitigation
The Business Directory Plugin for WordPress is vulnerable to authorization bypass due to a missing authorization check in all versions up to, and including, 6.4.20. This makes it possible for unauthenticated attackers to modify arbitrary listings, including changing titles, content, and email addresses, by directly referencing the listing ID in crafted requests to the wpbdp_ajax AJAX action.
Source : NVD
## 5.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-67940 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-67940 [HIGH] CVE-2025-67940 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67940 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion. This issue affects Powerlift: from n/a through < 3.2.1.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
powerlift
Sources
NVD
Wiz
CVE-2026-22423 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22423 [CRITICAL] CVE-2026-22423 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22423 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes SetSail setsail allows PHP Local File Inclusion. This issue affects SetSail: from n/a through <= 1.8.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
setsail
Sources
NVD
Wiz
CVE-2025-54045 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-54045 [MEDIUM] CVE-2025-54045 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-54045 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CreativeMindsSolutions CM On Demand Search And Replace cm-on-demand-search-and-replace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CM On Demand Search And Replace: from n/a through <= 1.5.5.
Source : NVD
## 4.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cm-on-demand-search-and-replace
Sources
NVD
Wiz
CVE-2025-68520 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68520 [HIGH] CVE-2025-68520 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68520 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5.
Source : NVD
## 7.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dotlife
Sources
NVD
Wiz
CVE-2025-69033 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-69033 [MEDIUM] CVE-2025-69033 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69033 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in A WP Life Blog Filter blog-filter allows DOM-Based XSS. This issue affects Blog Filter: from n/a through <= 1.7.3.
Source : NVD
## 6.5
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
blog-filter
Sources
NVD
Wiz
CVE-2025-14633 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14633 [MEDIUM] CVE-2025-14633 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14633 :
WordPress vulnerability analysis and mitigation
The F70 Lead Document Download plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'file_download' function in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to download any file from the WordPress media library by guessing or enumerating WordPress attachment IDs.
Source : NVD
## 5.3
Score
Published December 20, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
f70-lead-document-
Wiz
CVE-2025-7058 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-7058 [MEDIUM] CVE-2025-7058 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-7058 :
WordPress vulnerability analysis and mitigation
The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-2694 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2694 [CRITICAL] CVE-2026-2694 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2694 :
WordPress vulnerability analysis and mitigation
The The Events Calendar plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to an improper capability check on the 'can_edit' and 'can_delete' functions in all versions up to, and including, 6.15.16. This makes it possible for authenticated attackers, with Contributor-level access and above, to update or trash events, organizers and venues via REST API.
Source : NVD
## 5.4
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-2430 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2430 [CRITICAL] CVE-2026-2430 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2430 :
WordPress vulnerability analysis and mitigation
add_lazyload
\ssrc=
src
src=
Source : NVD
## 6.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
autoptimize
Sources
NVD
Wiz
CVE-2026-1058 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1058 [CRITICAL] CVE-2026-1058 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1058 :
WordPress vulnerability analysis and mitigation
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list.
Source : NVD
## 7.1
Score
Published February 3, 2026
Severity HIGH
Wiz
CVE-2026-0816 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0816 [CRITICAL] CVE-2026-0816 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0816 :
WordPress vulnerability analysis and mitigation
The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the 'delete_id' parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 4.9
Score
Published February 4, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-68540 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68540 [CRITICAL] CVE-2025-68540 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68540 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion. This issue affects Fana: from n/a through <= 1.1.35.
Source : NVD
## 9.8
Score
Published December 24, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
fana
Sources
NVD
Wiz
CVE-2025-23993 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-23993 [CRITICAL] CVE-2025-23993 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-23993 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection. This issue affects Felan Framework: from n/a through <= 1.1.3.
Source : NVD
## 9.8
Score
Published January 8, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
felan-framework
Sources
NVD
Wiz
CVE-2026-1915 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1915 [CRITICAL] CVE-2026-1915 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1915 :
WordPress vulnerability analysis and mitigation
The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Wiz
CVE-2026-28014 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28014 [CRITICAL] CVE-2026-28014 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28014 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Translogic translogic allows PHP Local File Inclusion. This issue affects Translogic: from n/a through <= 1.2.11.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
translogic
Sources
NVD
Wiz
CVE-2025-12883 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-12883 [MEDIUM] CVE-2025-12883 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12883 :
WordPress vulnerability analysis and mitigation
The Campay Woocommerce Payment Gateway plugin for WordPress is vulnerable to Unauthenticated Payment Bypass in all versions up to, and including, 1.2.2. This is due to the plugin not properly validating that a transaction has occurred through the payment gateway. This makes it possible for unauthenticated attackers to bypass payments and mark orders as successfully completed resulting in a loss of income.
Source : NVD
## 5.3
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-1935 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1935 [CRITICAL] CVE-2026-1935 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1935 :
WordPress vulnerability analysis and mitigation
linkedin_company_post_reset_handler()
admin_post_reset_linkedin_company_post
Source : NVD
## 4.3
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
company-posts-for-linkedin
Sources
NVD
Wiz
CVE-2025-69025 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-69025 [MEDIUM] CVE-2025-69025 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69025 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Aethonic Poptics poptics allows Retrieve Embedded Sensitive Data. This issue affects Poptics: from n/a through <= 1.0.20.
Source : NVD
## 4.3
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
poptics
Sources
NVD
Wiz
CVE-2026-22514 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22514 [CRITICAL] CVE-2026-22514 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22514 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Unica unica allows PHP Local File Inclusion. This issue affects Unica: from n/a through <= 1.4.1.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
unica
Sources
NVD
Wiz
CVE-2026-3523 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3523 [CRITICAL] CVE-2026-3523 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3523 :
WordPress vulnerability analysis and mitigation
&&
||
in_array()
stripslashes_deep()
wp_magic_quotes()
Source : NVD
## 4.9
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
apocalypse-meow
Sources
NVD
Wiz
CVE-2025-68581 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-68581 [HIGH] CVE-2025-68581 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68581 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in YITHEMES YITH Slider for page builders yith-slider-for-page-builders allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH Slider for page builders: from n/a through <= 1.0.11.
Source : NVD
## 8.1
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yith-slider-for-page-builders
Sources
NVD
Wiz
CVE-2025-14475 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-14475 [HIGH] CVE-2025-14475 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14475 :
WordPress vulnerability analysis and mitigation
extensive_vc_get_module_template_part
shortcode_name
extensive_vc_init_shortcode_pagination
shortcode_name
Source : NVD
## 8.1
Score
Published December 13, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
extensive-vc-addon
Sources
NVD
Wiz
CVE-2026-25417 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25417 [CRITICAL] CVE-2026-25417 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25417 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Metagauss ProfileGrid profilegrid-user-profiles-groups-and-communities allows Stored XSS. This issue affects ProfileGrid: from n/a through <= 5.9.8.1.
Source : NVD
## 6.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
profilegrid-user-profiles-groups-and-communities
Sources
NVD
Wiz
CVE-2026-3570 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3570 [CRITICAL] CVE-2026-3570 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3570 :
WordPress vulnerability analysis and mitigation
The Smarter Analytics plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0. This is due to missing authentication and capability checks on the configuration reset functionality in the global scope of smarter-analytics.php. This makes it possible for unauthenticated attackers to reset all plugin configuration and delete all per-page/per-post analytics settings via the 'reset' parameter.
Source : NVD
## 5.3
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.5
Wiz · blogs_wiz · CVSS 6.5
CVE-2025-69017 [MEDIUM] CVE-2025-69017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69017 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Magnigenie RestroPress restropress allows Stored XSS. This issue affects RestroPress: from n/a through <= 3.2.8.4.
Source : NVD
Score 6.5
Published December 30, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
restropress
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-63022 [CRITICAL] CVE-2025-63022 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63022 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in topdevs.net Simple Like Page simple-facebook-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Like Page: from n/a through <= 1.5.3.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-facebook-plugin
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-25341 [CRITICAL] CVE-2026-25341 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25341 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RSJoomla! RSFirewall! rsfirewall allows Stored XSS. This issue affects RSFirewall!: from n/a through <= 1.1.45.
Source : NVD
Score 7.1
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rsfirewall
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-2410 [CRITICAL] CVE-2026-2410 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2410 :
WordPress vulnerability analysis and mitigation
showPageContent()
Source : NVD
Score 4.3
Published February 25, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
disable-admin-notices
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-63015 [MEDIUM] CVE-2025-63015 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63015 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in paysera WooCommerce Payment Gateway - Paysera woo-payment-gateway-paysera allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Payment Gateway - Paysera: from n/a through <= 3.10.0.
Source : NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-payment-gateway-paysera
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-2941 [CRITICAL] CVE-2026-2941 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2941 :
WordPress vulnerability analysis and mitigation
The Linksy Search and Replace plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'linksy_search_and_replace_item_details' function in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to update any database table, any value, including the wp_capabilities database field, which allows attackers to change their own role to administrator, which leads to privilege escalation.
Source : NVD
Score 8.8
Published March 21, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-0974 [CRITICAL] CVE-2026-0974 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0974 :
WordPress vulnerability analysis and mitigation
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'install_plugin' function in all versions up to, and including, 1.20.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins, which can lead to Remote Code Execution.
Source : NVD
Score 8.8
Published February 19, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 51
Wiz · blogs_wiz · CVSS 5.3
CVE-2025-13440 [MEDIUM] CVE-2025-13440 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13440 :
WordPress vulnerability analysis and mitigation
The Premmerce Wishlist for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.10. This is due to a missing capability check on the deleteWishlist() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary wishlists.
Source : NVD
Score 5.3
Published December 12, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
premmerce-woocommerce-wishlist
Wiz · blogs_wiz · CVSS 5.4
CVE-2025-14797 [MEDIUM] CVE-2025-14797 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14797 :
WordPress vulnerability analysis and mitigation
htmlspecialchars_decode()
Source : NVD
Score 5.4
Published January 24, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
same-category-posts
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-25035 [CRITICAL] CVE-2026-25035 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25035 :
WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse. This issue affects Contest Gallery: from n/a through <= 28.1.2.2.
Source : NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
contest-gallery
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-24378 [CRITICAL] CVE-2026-24378 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24378 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Object Injection. This issue affects EventPrime: from n/a through <= 4.2.8.0.
Source : NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
eventprime-event-calendar-management
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-64244 [MEDIUM] CVE-2025-64244 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64244 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Codexpert, Inc Restrict Elementor Widgets, Columns and Sections restrict-elementor-widgets allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Restrict Elementor Widgets, Columns and Sections: from n/a through <= 1.12.
Source : NVD
Score 4.3
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
restrict-elementor-widgets
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-24621 [CRITICAL] CVE-2026-24621 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24621 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9.
Source : NVD
Score 4.8
Published January 23, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
terms-descriptions
Sources
NVD
Wiz · blogs_wiz · CVSS 6.4
CVE-2025-11185 [MEDIUM] CVE-2025-11185 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11185 :
WordPress vulnerability analysis and mitigation
The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cmplz-accept-link shortcode in all versions up to, and including, 7.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 18, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1843 [CRITICAL] CVE-2026-1843 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1843 :
WordPress vulnerability analysis and mitigation
The Super Page Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Activity Log in all versions up to, and including, 5.2.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 7.2
Published February 14, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-cloudflare-page-cac
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-68563 [CRITICAL] CVE-2025-68563 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68563 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WP Shuffle Subscribe to Unlock Lite subscribe-to-unlock-lite allows PHP Local File Inclusion. This issue affects Subscribe to Unlock Lite: from n/a through <= 1.3.0.
Source : NVD
Score 9.8
Published December 24, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
subscribe-to-unlock-lite
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-11693 [CRITICAL] CVE-2025-11693 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11693 :
WordPress vulnerability analysis and mitigation
The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. This makes it possible for unauthenticated attackers to cookies that may have been injected into the log file if the site administrator triggered a back-up using a specific user role like 'administrator.'
Source : NVD
Score 9.8
Published December 13, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 50.4
Wiz · blogs_wiz · CVSS 5.3
CVE-2025-49348 [MEDIUM] CVE-2025-49348 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49348 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Hype Hype pico allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hype: from n/a through <= 1.0.5.
Source : NVD
Score 5.3
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pico
Sources
NVD
Wiz · blogs_wiz · CVSS 8.1
CVE-2025-53442 [HIGH] CVE-2025-53442 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53442 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rentic rentic allows PHP Local File Inclusion. This issue affects Rentic: from n/a through <= 1.1.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
rentic
Sources
NVD
Wiz · blogs_wiz · CVSS 4.4
CVE-2026-0691 [MEDIUM] CVE-2026-0691 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0691 :
WordPress vulnerability analysis and mitigation
The CM E-Mail Blacklist – Simple email filtering for safer registration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'black_email' parameter in all versions up to, and including, 1.6.2. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published January 17, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-63067 [MEDIUM] CVE-2025-63067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63067 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in p-themes Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Porto Theme - Functionality: from n/a through < 3.7.3.
Source : NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
porto-functionality
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-14431 [CRITICAL] CVE-2025-14431 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14431 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in THEMELOGI Navian navian allows PHP Local File Inclusion. This issue affects Navian: from n/a through <= 1.5.4.
Source : NVD
Score 9.8
Published January 8, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
navian
Sources
NVD
Wiz · blogs_wiz · CVSS 6.4
CVE-2025-14635 [MEDIUM] CVE-2025-14635 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14635 :
WordPress vulnerability analysis and mitigation
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ha_page_custom_js' parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page, despite the intended role restriction of Custom JS to Administrators.
Source : NVD
Score 6.4
Published December 23, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-2576 [CRITICAL] CVE-2026-2576 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2576 :
WordPress vulnerability analysis and mitigation
The Business Directory Plugin – Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'payment' parameter in all versions up to, and including, 6.4.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score 7.5
Published February 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz · blogs_wiz · CVSS 4.3
CVE-2025-14427 [MEDIUM] CVE-2025-14427 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14427 :
WordPress vulnerability analysis and mitigation
MfaEmailDisable
Source : NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-simple-firewall
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-22453 [CRITICAL] CVE-2026-22453 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22453 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Pets Club petclub allows Object Injection. This issue affects Pets Club: from n/a through <= 2.3.
Source : NVD
Score 9.8
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
petclub
Sources
NVD
Wiz · blogs_wiz · CVSS 6.1
CVE-2025-48094 [MEDIUM] CVE-2025-48094 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-48094 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2.
Source : NVD
Score 6.1
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
magic_slider
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-24392 [CRITICAL] CVE-2026-24392 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24392 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS. This issue affects HurryTimer: from n/a through <= 2.14.2.
Source : NVD
Score 5.9
Published February 19, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hurrytimer
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-0867 [CRITICAL] CVE-2026-0867 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0867 :
WordPress vulnerability analysis and mitigation
The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 3.0.
Source : NVD
Score 6.4
Published February 5, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 6.1
CVE-2025-69098 [MEDIUM] CVE-2025-69098 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69098 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12.
Source : NVD
Score 6.1
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hide_my_wp
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-1273 [CRITICAL] CVE-2026-1273 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1273 :
WordPress vulnerability analysis and mitigation
/ultp/v3/starter_dummy_post/
/ultp/v3/starter_import_content/
Source : NVD
Score 7.2
Published March 4, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-post
Sources
NVD
Wiz · blogs_wiz · CVSS 9.8
CVE-2025-13563 [CRITICAL] CVE-2025-13563 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13563 :
WordPress vulnerability analysis and mitigation
The Lizza LMS Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.3. This is due to the 'lizza_lms_pro_register_user_front_end' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Source : NVD
Score 9.8
Published February 19, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.5
Exploitation Probability (EPSS) 0.1
Wiz · blogs_wiz · CVSS 8.1
CVE-2025-69072 [HIGH] CVE-2025-69072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69072 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion. This issue affects Prider: from n/a through <= 1.1.3.1.
Source : NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
prider
Sources
NVD
Wiz · blogs_wiz · CVSS 5.3
CVE-2025-14294 [MEDIUM] CVE-2025-14294 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14294 :
WordPress vulnerability analysis and mitigation
The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or guessing the order ID.
Source : NVD
Score 5.3
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-69306 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-69306 [CRITICAL] CVE-2025-69306 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69306 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Electio Core electio-core allows Blind SQL Injection. This issue affects Electio Core: from n/a through <= 1.4.
Source : NVD
## 9.3
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
electio-core
Sources
NVD
Wiz
CVE-2025-13072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-13072 [HIGH] CVE-2025-13072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13072 :
WordPress vulnerability analysis and mitigation
The HandL UTM Grabber / Tracker WordPress plugin before 2.8.1 does not sanitize and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Source : NVD
## 7.1
Score
Published December 10, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
handl-utm-grabber
Sources
NVD
Wiz
CVE-2025-15268 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-15268 [HIGH] CVE-2025-15268 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15268 :
WordPress vulnerability analysis and mitigation
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 7.5
Score
Published February 4, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-32565 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32565 [CRITICAL] CVE-2026-32565 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32565 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Ajay Contextual Related Posts contextual-related-posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contextual Related Posts: from n/a through < 4.2.2.
Source : NVD
Published March 18, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
contextual-related-posts
Sources
NVD
Wiz
CVE-2025-64213 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-64213 [HIGH] CVE-2025-64213 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64213 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Retrieve Embedded Sensitive Data. This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16.
Source : NVD
## 7.5
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
masterstudy-lms-learning-management-system-pro
Sources
NVD
Wiz
CVE-2025-14280 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14280 [MEDIUM] CVE-2025-14280 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14280 :
WordPress vulnerability analysis and mitigation
The PixelYourSite plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.1.5 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files, when the "Meta API logs" setting is enabled (disabled by default). The vulnerability was partially patched in version 11.1.5 and fully patched in version 11.1.5.1.
Source : NVD
## 5.3
Score
Published December 29, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-14393 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14393 [MEDIUM] CVE-2025-14393 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14393 :
WordPress vulnerability analysis and mitigation
The Wpik WordPress Basic Ajax Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dname' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Wiz
CVE-2026-3881 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3881 [CRITICAL] CVE-2026-3881 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3881 :
WordPress vulnerability analysis and mitigation
The Performance Monitor WordPress plugin through 1.0.6 does not validate a parameter before making a request to it, which could allow unauthenticated users to perform SSRF attacks.
Source : NVD
## 5.8
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
performance-monitor
Sources
NVD
Wiz
CVE-2025-68030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-68030 [HIGH] CVE-2025-68030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68030 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in WP Messiah Frontis Blocks frontis-blocks allows Server Side Request Forgery. This issue affects Frontis Blocks: from n/a through <= 1.1.5.
Source : NVD
## 7.2
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
frontis-blocks
Sources
NVD
Wiz
CVE-2025-69326 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-69326 [HIGH] CVE-2025-69326 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69326 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS. This issue affects NEX-Forms: from n/a through <= 9.1.7.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nex-forms-express-wp-form-builder
Sources
NVD
Wiz
CVE-2025-14455 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-14455 [MEDIUM] CVE-2025-14455 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14455 :
WordPress vulnerability analysis and mitigation
The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.6.7. This is due to the plugin not properly verifying that a user is authorized to perform actions on gallery management functions. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete, modify, or clone galleries created by any user, including administrators.
Source : NVD
## 5.4
Score
Published December 19, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.8
Wiz
CVE-2025-14130 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-14130 [MEDIUM] CVE-2025-14130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14130 :
WordPress vulnerability analysis and mitigation
$_SERVER['PHP_SELF']
Source : NVD
## 6.1
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
post-like-dislike
Sources
NVD
Wiz
CVE-2025-62085 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-62085 [MEDIUM] CVE-2025-62085 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62085 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Bertha AI – Andrew Palmer BERTHA AI bertha-ai-free allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BERTHA AI: from n/a through <= 1.13.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bertha-ai-free
Sources
NVD
Wiz
CVE-2025-64378 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-64378 [HIGH] CVE-2025-64378 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64378 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingPro: from n/a through < 2.9.10.
Source : NVD
## 7.5
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
listingpro
Sources
NVD
Wiz
CVE-2025-60068 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-60068 [MEDIUM] CVE-2025-60068 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60068 :
WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in javothemes Javo Core javo-core allows Code Injection. This issue affects Javo Core: from n/a through <= 3.0.0.266.
Source : NVD
## 6.5
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
javo-core
Sources
NVD
Wiz
CVE-2026-28063 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28063 [CRITICAL] CVE-2026-28063 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28063 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Asia Garden asia-garden allows PHP Local File Inclusion. This issue affects Asia Garden: from n/a through <= 1.3.1.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
asia-garden
Sources
NVD
Wiz
CVE-2025-69410 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-69410 [HIGH] CVE-2025-69410 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69410 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion. This issue affects Belletrist: from n/a through <= 1.2.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
belletrist
Sources
NVD
Wiz
CVE-2025-8199 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-8199 [MEDIUM] CVE-2025-8199 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8199 :
WordPress vulnerability analysis and mitigation
The MarqueeAddons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Testimonial Marquee widget in all versions up to, and including, 2.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Wiz
CVE-2026-1646 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1646 [CRITICAL] CVE-2026-1646 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1646 :
WordPress vulnerability analysis and mitigation
The Advance Block Extend plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the TitleColor block attribute in the Latest Posts Gutenberg block in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Wiz
CVE-2026-2479 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2479 [CRITICAL] CVE-2026-2479 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2479 :
WordPress vulnerability analysis and mitigation
strpos()
ajax_upload_image()
Source : NVD
## 5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 5.0
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
responsive-lightbox
Sources
NVD
Wiz
CVE-2026-28137 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28137 [CRITICAL] CVE-2026-28137 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28137 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Reflected XSS. This issue affects MediCenter - Health Medical Clinic: from n/a through <= 14.9.
Source : NVD
## 7.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
medicenter
Sources
NVD
Wiz
CVE-2026-1754 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1754 [CRITICAL] CVE-2026-1754 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1754 :
WordPress vulnerability analysis and mitigation
The personal-authors-category plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.3 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-14153 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-14153 [MEDIUM] CVE-2025-14153 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14153 :
WordPress vulnerability analysis and mitigation
The Page Expire Popup/Redirection for WordPress plugin for WordPress is vulnerable to time-based SQL Injection via the 'id' shortcode attribute in all versions up to, and including, 1.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Author-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 6.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-68575 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68575 [HIGH] CVE-2025-68575 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68575 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Wappointment team Wappointment wappointment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wappointment: from n/a through <= 2.7.6.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wappointment
Sources
NVD
Wiz
CVE-2025-60057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-60057 [HIGH] CVE-2025-60057 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60057 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DJ Rainflow dj-rainflow allows PHP Local File Inclusion. This issue affects DJ Rainflow: from n/a through <= 1.3.13.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
dj-rainflow
Sources
NVD
Wiz
CVE-2025-67962 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2025-67962 [HIGH] CVE-2025-67962 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67962 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AIOSEO Plugin Team Broken Link Checker broken-link-checker-seo allows SQL Injection. This issue affects Broken Link Checker: from n/a through <= 1.2.6.
Source : NVD
## 7.6
Score
Published December 16, 2025
Severity HIGH
CNA Score 7.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
broken-link-checker-seo
Sources
NVD
Wiz
CVE-2025-62870 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-62870 [MEDIUM] CVE-2025-62870 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62870 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Eupago Eupago Gateway For Woocommerce eupago-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eupago Gateway For Woocommerce: from n/a through <= 4.7.1.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eupago-gateway-for-woocommerce
Sources
NVD
Wiz
CVE-2025-60047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-60047 [HIGH] CVE-2025-60047 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60047 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes IPharm ipharm allows PHP Local File Inclusion. This issue affects IPharm: from n/a through <= 1.2.3.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ipharm
Sources
NVD
Wiz
CVE-2025-50053 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-50053 [CRITICAL] CVE-2025-50053 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-50053 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App yournewsapp allows Reflected XSS. This issue affects Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App: from n/a through <= 0.8.8.8.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yournewsapp
Sources
NVD
Wiz
CVE-2026-22412 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22412 [CRITICAL] CVE-2026-22412 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22412 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Eona eona allows PHP Local File Inclusion. This issue affects Eona: from n/a through <= 1.3.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
eona
Sources
NVD
Wiz
CVE-2025-53222 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-53222 [CRITICAL] CVE-2025-53222 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53222 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows Reflected XSS. This issue affects tagDiv Opt-In Builder: from n/a through <= 1.7.3.
Source : NVD
Published March 19, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
td-subscription
Sources
NVD
Wiz
CVE-2025-69012 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-69012 [MEDIUM] CVE-2025-69012 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69012 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Stephen Harris Event Organiser event-organiser allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Organiser: from n/a through <= 3.12.8.
Source : NVD
## 4.3
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
event-organiser
Sources
NVD
Wiz
CVE-2025-66146 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-66146 [CRITICAL] CVE-2025-66146 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66146 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Logger for Elementor logger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Logger for Elementor: from n/a through <= 1.0.9.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
logger-elementor
Sources
NVD
Wiz
CVE-2025-67523 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67523 [CRITICAL] CVE-2025-67523 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67523 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in trippleS Exhibz exhibz allows PHP Local File Inclusion. This issue affects Exhibz: from n/a through <= 3.0.9.
Source : NVD
## 9.8
Score
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
exhibz
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's
## CVE-2025-9318 [MEDIUM] (CVSS 6.5): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based SQL Injection via the 'is_linking' parameter in all versions up to, and including, 10.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
- Score: 6.5
- Published: January 6, 2026
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
## CVE-2026-2375 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
`verify_role()`, `AuthTrails.php`, `wcfm_vendor`, `subscriber`, `customer`, `wp_insert_user()`, `wcfm_vendor`, `role`, `/wp-json/app-builder/v1/register`
Source: NVD
- Score: 6.5
- Published: March 21, 2026
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 17.9
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: app-builder
- Sources: NVD
## CVE-2026-24572 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.2.0.
Source: NVD
- Score: 8.8
- Published: January 23, 2026
- Severity: HIGH
- CNA Score: 8.8
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 3.9
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: nelio-content
- Sources: NVD
## CVE-2025-67559 [MEDIUM] (CVSS 5.4): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in vcita Online Booking & Scheduling Calendar for WordPress by vcita meeting-scheduler-by-vcita allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Online Booking & Scheduling Calendar for WordPress by vcita: from n/a through <= 4.5.5.
Source: NVD
- Score: 5.4
- Published: December 9, 2025
- Severity: MEDIUM
- CNA Score: 5.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 11.2
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: meeting-scheduler-by-vcita
- Sources: NVD
## CVE-2026-1093 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The WPFAQBlock – FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
- Score: 6.4
- Published: March 21, 2026
- Severity: MEDIUM
- CNA Score: 6.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2026-24600 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5.
Source: NVD
- Score: 5.4
- Published: January 23, 2026
- Severity: MEDIUM
- CNA Score: 5.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 2.2
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: penci-review
- Sources: NVD
## CVE-2025-67589 [MEDIUM] (CVSS 4.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WP Overnight WooCommerce PDF Invoices & Packing Slips woocommerce-pdf-invoices-packing-slips allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce PDF Invoices & Packing Slips: from n/a through <= 4.9.1.
Source: NVD
- Score: 4.3
- Published: December 9, 2025
- Severity: MEDIUM
- CNA Score: 4.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 11.2
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: woocommerce-pdf-invoices-packing-slips
- Sources: NVD
## CVE-2025-62740 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.6.
Source: NVD
- Score: 5.3
- Published: December 9, 2025
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.7
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: wp-crm-system
- Sources: NVD
## CVE-2026-32495 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Link Software LLC WP Terms Popup wp-terms-popup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Terms Popup: from n/a through <= 2.10.0.
Source: NVD
- Score: 7.5
- Published: March 25, 2026
- Severity: HIGH
- CNA Score: 7.5
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.6
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: wp-terms-popup
- Sources: NVD
## CVE-2025-68874 [HIGH] (CVSS 7.1): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Shahjada Visitor Stats Widget visitor-stats-widget allows Reflected XSS. This issue affects Visitor Stats Widget: from n/a through <= 1.5.0.
Source: NVD
- Score: 7.1
- Published: January 8, 2026
- Severity: HIGH
- CNA Score: 7.1
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 13.9
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: visitor-stats-widget
- Sources: NVD
## CVE-2026-2448 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The Page Builder by SiteOrigin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.5 via the locate_template() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Source: NVD
- Score: 8.8
- Published: March 3, 2026
- Severity: HIGH
- CNA Score: 8.8
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
## CVE-2025-62991 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Minamaze minamaze allows Stored XSS. This issue affects Minamaze: from n/a through <= 1.10.1.
Source: NVD
- Published: December 31, 2025
- CNA Score: N/A
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 2.1
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: minamaze
- Sources: NVD
## CVE-2026-27098 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in axiomthemes Au Pair Agency - Babysitting & Nanny Theme au-pair-agency allows Object Injection. This issue affects Au Pair Agency - Babysitting & Nanny Theme: from n/a through <= 1.2.2.
Source: NVD
- Score: 8.1
- Published: March 5, 2026
- Severity: HIGH
- CNA Score: 8.1
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 18.2
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: au-pair-agency
- Sources: NVD
## CVE-2025-13403 [MEDIUM] (CVSS 4.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The Employee Spotlight – Team Member Showcase & Meet the Team Plugin for WordPress is vulnerable to unauthorized tracking settings modification due to missing authorization validation on the employee_spotlight_check_optin() function in all versions up to, and including, 5.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enable or disable tracking settings.
Source: NVD
- Score: 5.3
- Published: December 13, 2025
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.8
- Exploitation Probability (EPSS): N/A
## CVE-2025-64193 [HIGH] (CVSS 7.5): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in 8theme XStore xstore allows PHP Local File Inclusion. This issue affects XStore: from n/a through < 9.6.1.
Source: NVD
- Score: 7.5
- Published: December 18, 2025
- Severity: HIGH
- CNA Score: 7.5
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 38.3
- Exploitation Probability (EPSS): 0.2
- Affected packages and libraries: xstore
- Sources: NVD
## CVE-2025-13113 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
`accessibe_render_js_in_footer()`
Source: NVD
- Score: 5.3
- Published: February 19, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 13.4
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: accessibe
- Sources: NVD
## CVE-2025-67933 [MEDIUM] (CVSS 6.1): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS. This issue affects Taskbuilder: from n/a through <= 4.0.9.
Source: NVD
- Score: 6.1
- Published: January 8, 2026
- Severity: MEDIUM
- CNA Score: 6.1
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 11.9
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: taskbuilder
- Sources: NVD
## CVE-2025-54745 [MEDIUM] (CVSS 6.5): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in miniOrange miniOrange's Google Authenticator miniorange-2-factor-authentication allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects miniOrange's Google Authenticator: from n/a through <= 6.1.1.
Source: NVD
- Score: 6.5
- Published: December 18, 2025
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 19.6
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: miniorange-2-factor-authentication
- Sources: NVD
## CVE-2026-27363 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Stored XSS. This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6.
Source: NVD
- Score: 7.1
- Published: March 5, 2026
- Severity: HIGH
- CNA Score: 7.1
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 11.8
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: vc-autoresponder-addon
- Sources: NVD
## CVE-2025-69353 [MEDIUM] (CVSS 5.4): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Proxy & VPN Blocker Proxy & VPN Blocker proxy-vpn-blocker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Proxy & VPN Blocker: from n/a through <= 3.5.3.
Source: NVD
- Score: 5.4
- Published: January 6, 2026
- Severity: MEDIUM
- CNA Score: 5.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 11.2
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: proxy-vpn-blocker
- Sources: NVD
## CVE-2025-63008 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in weDevs WP ERP erp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP ERP: from n/a through <= 1.16.7.
Source: NVD
- Score: 5.3
- Published: December 9, 2025
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.8
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: erp
- Sources: NVD
## CVE-2025-64630 [MEDIUM] (CVSS 4.7): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Strategy11 Team Business Directory business-directory-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Directory: from n/a through <= 6.4.19.
Source: NVD
- Score: 4.7
- Published: December 16, 2025
- Severity: MEDIUM
- CNA Score: 4.7
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 14.4
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: business-directory-plugin
- Sources: NVD
## CVE-2026-4004 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'.
Source: NVD
- Score: 6.5
- Published: March 21, 2026
- Severity: MEDIUM
- CNA Score: 6.5
## CVE-2025-62997 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in levelfourdevelopment WP EasyCart wp-easycart allows Retrieve Embedded Sensitive Data. This issue affects WP EasyCart: from n/a through <= 5.8.11.
Source: NVD
- Score: 5.3
- Published: December 9, 2025
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.4
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: wp-easycart
- Sources: NVD
## CVE-2025-69058 [HIGH] (CVSS 8.1): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion. This issue affects PartyMaker: from n/a through <= 1.1.15.
Source: NVD
- Score: 8.1
- Published: January 22, 2026
- Severity: HIGH
- CNA Score: 8.1
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 17.6
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: partymaker
- Sources: NVD
## CVE-2026-28121 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Anderson andersonclinic allows PHP Local File Inclusion. This issue affects Anderson: from n/a through <= 1.4.2.
Source: NVD
- Score: 8.1
- Published: March 5, 2026
- Severity: HIGH
- CNA Score: 8.1
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 37.5
- Exploitation Probability (EPSS): 0.2
- Affected packages and libraries: andersonclinic
- Sources: NVD
## CVE-2025-68512 [MEDIUM] (CVSS 5.4): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in creativeinteractivemedia Real 3D FlipBook real3d-flipbook-lite allows Stored XSS. This issue affects Real 3D FlipBook: from n/a through <= 4.11.4.
Source: NVD
- Score: 5.4
- Published: December 24, 2025
- Severity: MEDIUM
- CNA Score: 5.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 11.7
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: real3d-flipbook-lite
- Sources: NVD
## CVE-2026-2504 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The Dealia – Request a quote plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple AJAX handlers in all versions up to, and including, 1.0.6. The admin nonce (DEALIA_ADMIN_NONCE) is exposed to all users with edit_posts capability (Contributor+) via wp_localize_script() in PostsController.php, while the AJAX handlers in AdminSettingsController.php only verify the nonce without checking current_user_can('manage_options'). This makes it possible for authenticated attackers, with Contributor-level access and above, to reset the plugin configuration.
Source: NVD
- Score: 4.3
- Published: February 19, 2026
- Severity: MEDIUM
- CNA Score: 4.3
## CVE-2025-13728 [MEDIUM] (CVSS 6.4): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
`fluent_auth_reset_password`
Source: NVD
- Score: 6.4
- Published: December 15, 2025
- Severity: MEDIUM
- CNA Score: 6.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 13.1
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: fluent-security
- Sources: NVD
## CVE-2026-1060 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs.
Source: NVD
- Score: 5.3
- Published: January 28, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 16.7
- Exploitation Probability (EPSS): 0.1
## CVE-2026-1397 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
The PQ Addons – Creative Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via widget attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on the html_tag parameter in the PQ Section Title widget. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
- Score: 6.4
- Published: March 21, 2026
- Severity: MEDIUM
- CNA Score: 6.4
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2025-62749 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bainternet User Specific Content user-specific-content allows DOM-Based XSS. This issue affects User Specific Content: from n/a through <= 1.0.6.
Source: NVD
- Published: December 31, 2025
- CNA Score: N/A
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 2.1
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: user-specific-content
- Sources: NVD
## CVE-2025-69190 [HIGH] (CVSS 7.3): Impact, Exploitability, and Mitigation Steps (Wiz, blogs_wiz)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6.
Source: NVD
- Score: 7.3
- Published: January 22, 2026
- Severity: HIGH
- CNA Score: 7.3
- Affected Technologies: WordPress
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 16.8
- Exploitation Probability (EPSS): 0.1
- Affected packages and libraries: listihub
- Sources: NVD
CVE-2025-63065 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
## CVE-2025-63065 : WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in David Lingren Media Library Assistant media-library-assistant allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library Assistant: from n/a through <= 3.29.
Source : NVD
Score 5.4
Published December 9, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
media-library-assistant
Sources
NVD
CVE-2025-59001 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2025-59001 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ThemeNectar Salient Core salient-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Salient Core: from n/a through <= 3.0.8.
Source : NVD
Score 4.3
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salient-core
Sources
NVD
CVE-2025-12709 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
## CVE-2025-12709 : WordPress vulnerability analysis and mitigation
The Interactions – Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 28, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
CVE-2026-3585 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-3585 : WordPress vulnerability analysis and mitigation
The The Events Calendar plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 6.15.17 via the 'ajax_create_import' function. This makes it possible for authenticated attackers, with Author-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Source : NVD
Score 7.5
Published March 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
the-events-calendar
Sources
NVD
CVE-2026-1925 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-1925 : WordPress vulnerability analysis and mitigation
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.
Source : NVD
Score 4.3
Published February 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
CVE-2026-28018 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-28018 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Global Logistics globallogistics allows PHP Local File Inclusion. This issue affects Global Logistics: from n/a through <= 3.20.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
globallogistics
Sources
NVD
CVE-2025-66135 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2025-66135 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4.
Source : NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
imager-elementor
Sources
NVD
CVE-2026-32522 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-32522 : WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish WooCommerce Support Ticket System woocommerce-support-ticket-system allows Path Traversal. This issue affects WooCommerce Support Ticket System: from n/a through < 18.5.
Source : NVD
Score 8.6
Published March 25, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woocommerce-support-ticket-system
Sources
NVD
CVE-2026-22507 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-22507 : WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in AncoraThemes Beelove beelove allows Object Injection. This issue affects Beelove: from n/a through <= 1.2.6.
Source : NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
beelove
Sources
NVD
CVE-2026-22490 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-22490 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in niklaslindemann Bulk Landing Page Creator for WordPress LPagery lpagery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bulk Landing Page Creator for WordPress LPagery: from n/a through <= 2.4.9.
Source : NVD
Published January 8, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lpagery
Sources
NVD
CVE-2026-1795 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-1795 : WordPress vulnerability analysis and mitigation
The Address Bar Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL Path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
Score 6.1
Published February 14, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.3
Exploitation Probability (EPSS) 0.1
CVE-2026-24945 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-24945 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34.
Source : NVD
Score 5.3
Published February 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-addons-for-contact-form-7
Sources
NVD
CVE-2025-14975 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
## CVE-2025-14975 : WordPress vulnerability analysis and mitigation
The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account.
Source : NVD
Score 8.1
Published January 29, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
login-customizer
Sources
NVD
CVE-2025-11370 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2025-11370 : WordPress vulnerability analysis and mitigation
The Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'store' function of the RulesAjaxController class in all versions up to, and including, 4.0.7. This makes it possible for unauthenticated attackers to update pop-up display settings.
Source : NVD
Score 5.3
Published January 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.4
CVE-2025-67565 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2025-67565 : WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam Rehub rehub-theme allows Retrieve Embedded Sensitive Data. This issue affects Rehub: from n/a through <= 19.9.9.1.
Source : NVD
Score 5.3
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rehub-theme
Sources
NVD
CVE-2023-52212 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
## CVE-2023-52212 : WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Automattic WP Job Manager allows Cross Site Request Forgery. This issue affects WP Job Manager: from n/a through 2.0.0.
Source : NVD
Score 5.4
Published January 5, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-job-manager
Sources
NVD
CVE-2025-13885 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
## CVE-2025-13885 : WordPress vulnerability analysis and mitigation
Source : NVD
Score 6.4
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zenost-shortcodes
Sources
NVD
CVE-2025-49941 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
## CVE-2025-49941 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes GlamChic glamchic allows PHP Local File Inclusion. This issue affects GlamChic: from n/a through <= 1.0.11.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
glamchic
Sources
NVD
CVE-2025-63074 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2025-63074 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 dt-the7 allows PHP Local File Inclusion. This issue affects The7: from n/a through < 12.8.1.1.
Source : NVD
Score 7.5
Published December 9, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.3
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
dt-the7
Sources
NVD
CVE-2026-1053 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-1053 : WordPress vulnerability analysis and mitigation
The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published January 28, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CVE-2026-24557 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-24557 : WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8.
Source : NVD
Score 5.3
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
contact-form-7-getresponse-extension
Sources
NVD
CVE-2026-25355 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-25355 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Sanzo sanzo allows Stored XSS. This issue affects Sanzo: from n/a through < 2.4.3.
Source : NVD
Score 6.5
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sanzo
Sources
NVD
CVE-2025-13749 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2025-13749 : WordPress vulnerability analysis and mitigation
The Clearfy Cache – WordPress optimization plugin, Minify HTML, CSS & JS, Defer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.4.0. This is due to missing nonce validation on the "wbcr_upm_change_flag" function. This makes it possible for unauthenticated attackers to disable plugin/theme update notifications via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published January 9, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-13921 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2025-13921 : WordPress vulnerability analysis and mitigation
The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the 'wedocs_user_documentation_handling_capabilities' function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16.
Source : NVD
Score 4.3
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-14145 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
## CVE-2025-14145 : WordPress vulnerability analysis and mitigation
The Niche Hero | Beautifully-designed blocks in seconds plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'spacing' parameter of the nh_row shortcode in all versions up to, and including, 1.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-14943 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2025-14943 : WordPress vulnerability analysis and mitigation
The Blog2Social: Social Media Auto Post & Scheduler plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 8.7.2. This is due to a misconfigured authorization check on the 'getShipItemFullText' function which only verifies that a user has the 'read' capability (Subscriber-level) and a valid nonce, but fails to verify whether the user has permission to access the specific post being requested. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract data from password-protected, private, or draft posts.
Source : NVD
Score 4.3
Published January 10, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
CVE-2025-67537 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2025-67537 : WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Stored XSS. This issue affects ThirstyAffiliates: from n/a through <= 3.11.8.
Source : NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
thirstyaffiliates
Sources
NVD
CVE-2025-68526 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2025-68526 : WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection. This issue affects Modal Popup Box: from n/a through <= 1.6.1.
Source : NVD
Score 8.8
Published February 20, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
modal-popup-box
Sources
NVD
CVE-2025-68572 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
## CVE-2025-68572 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Spider Themes BBP Core bbp-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BBP Core: from n/a through <= 1.4.1.
Source : NVD
Score 8.8
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bbp-core
Sources
NVD
CVE-2026-22477 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-22477 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion. This issue affects Felizia: from n/a through <= 1.3.4.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
felizia
Sources
NVD
CVE-2026-24536 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-24536 : WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0.
Source : NVD
Score 7.5
Published January 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
webpushr-web-push-notifications
Sources
NVD
CVE-2026-1570 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-1570 : WordPress vulnerability analysis and mitigation
Source : NVD
Score 6.4
Published February 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-bible-verse-via-shortcode
Sources
NVD
CVE-2026-22450 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-22450 : WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Don Peppe: from n/a through <= 1.3.
Source : NVD
Score 4.3
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
donpeppe
Sources
NVD
CVE-2026-28094 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-28094 : WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX RexCoin rexcoin allows PHP Local File Inclusion. This issue affects RexCoin: from n/a through <= 1.2.6.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
rexcoin
Sources
NVD
Wiz
CVE-2025-67468 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
## CVE-2025-67468: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms (cf7-salesforce) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms: from n/a through <= 1.4.6.
Source: NVD
Score: 4.3 | Severity: MEDIUM | CNA Score: 4.3 | Published: December 9, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 11.8
Affected packages and libraries: cf7-salesforce
Wiz
CVE-2026-1912 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-1912: WordPress vulnerability analysis and mitigation
The Citations tools plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in the 'ctdoi' shortcode in all versions up to, and including, 0.3.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score: 6.4 | Severity: MEDIUM | CNA Score: 6.4 | Published: February 14, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Wiz
CVE-2026-25399 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-25399: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CryoutCreations Serious Slider (cryout-serious-slider) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Serious Slider: from n/a through <= 1.2.7.
Source: NVD
Score: 4.3 | Severity: MEDIUM | CNA Score: 4.3 | Published: February 19, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 14
Affected packages and libraries: cryout-serious-slider
Sources: NVD
Wiz
CVE-2025-67573 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
## CVE-2025-67573: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ThimPress Sailing (sailing) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sailing: from n/a through < 4.4.6.
Source: NVD
Score: 5.3 | Severity: MEDIUM | CNA Score: 5.3 | Published: December 9, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 12.7
Affected packages and libraries: sailing
Sources: NVD
Wiz
CVE-2025-63001 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2025-63001: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in nicdark Hotel Booking (nd-booking) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Booking: from n/a through <= 3.8.
Source: NVD
CNA Score: N/A | Published: December 31, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 7
Affected packages and libraries: nd-booking
Sources: NVD
Wiz
CVE-2026-27991 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-27991: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Avventure (avventure) allows PHP Local File Inclusion. This issue affects Avventure: from n/a through <= 1.1.12.
Source: NVD
Score: 8.1 | Severity: HIGH | CNA Score: 8.1 | Published: March 5, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.2 | Exploitation Probability Percentile (EPSS): 37.5
Affected packages and libraries: avventure
Sources: NVD
Wiz
CVE-2026-2023 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-2023: WordPress vulnerability analysis and mitigation
The WP Plugin Info Card plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.2.0. This is due to missing nonce validation in the ajax_save_custom_plugin() function, which is disabled by prefixing the check with 'false &&'. This makes it possible for unauthenticated attackers to create or modify custom plugin entries via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score: 4.3 | Severity: MEDIUM | CNA Score: 4.3 | Published: February 18, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Wiz
CVE-2025-4776 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4
## CVE-2025-4776: WordPress vulnerability analysis and mitigation
(Description not recovered in extraction; the only surviving token is `data-caption`.)
Source: NVD
Score: 6.4 | Severity: MEDIUM | CNA Score: 6.4 | Published: January 6, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 13.1
Affected packages and libraries: phlox
Sources: NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | No | Yes | Apr |
Wiz
CVE-2026-22403 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-22403: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Innovio (innovio) allows PHP Local File Inclusion. This issue affects Innovio: from n/a through <= 1.7.
Source: NVD
Score: 8.1 | Severity: HIGH | CNA Score: 8.1 | Published: March 5, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.2 | Exploitation Probability Percentile (EPSS): 37.5
Affected packages and libraries: innovio
Sources: NVD
Wiz
CVE-2026-1219 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-1219: WordPress vulnerability analysis and mitigation
The MP3 Audio Player – Music Player, Podcast Player & Radio by Sonaar plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions 4.0 to 5.10 via the 'load_track_note_ajax' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to view the contents of private posts.
Source: NVD
Score: 5.3 | Severity: MEDIUM | CNA Score: 5.3 | Published: February 19, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 8.7
Affected packages and libraries: mp3-music-player-by-sonaar
Sources: NVD
Wiz
CVE-2025-12570 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
## CVE-2025-12570: WordPress vulnerability analysis and mitigation
The Fancy Product Designer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 6.4.8 due to insufficient input sanitization and output escaping in the data-to-image.php and pdf-to-image.php files. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Source: NVD
Score: 7.2 | Severity: HIGH | CNA Score: 7.2 | Published: December 12, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 | Exploitation Probability Percentile (EPSS): 35.2
Wiz
CVE-2026-2428 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-2428: WordPress vulnerability analysis and mitigation
(Description not recovered in extraction; the only surviving tokens are `disable_ipn_verification`, `'yes'` and `PayPalSettings.php`.)
Source: NVD
Score: 7.5 | Severity: HIGH | CNA Score: 7.5 | Published: February 27, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 9.6
Affected packages and libraries: fluentformpro
Sources: NVD
Wiz
CVE-2026-24959 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-24959: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk (js-support-ticket) allows Blind SQL Injection. This issue affects JS Help Desk: from n/a through <= 3.0.1.
Source: NVD
Score: 8.5 | Severity: HIGH | CNA Score: 8.5 | Published: February 20, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 11.4
Affected packages and libraries: js-support-ticket
Sources: NVD
Wiz
CVE-2025-47500 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.4
## CVE-2025-47500: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Benjamin Intal Stackable (stackable-ultimate-gutenberg-blocks) allows Stored XSS. This issue affects Stackable: from n/a through <= 3.19.5.
Source: NVD
Score: 5.4 | Severity: MEDIUM | CNA Score: 5.4 | Published: January 22, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 11.7
Affected packages and libraries: stackable-ultimate-gutenberg-blocks
Sources: NVD
Wiz
CVE-2025-59003 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2025-59003: WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in inkthemescom ColorWay (colorway) allows Retrieve Embedded Sensitive Data. This issue affects ColorWay: from n/a through <= 4.2.3.
Source: NVD
CNA Score: N/A | Published: December 31, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 5.7
Affected packages and libraries: butterbelly, cloriato-lite
Sources: NVD
Wiz
CVE-2026-25464 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-25464: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TieLabs Jannah (jannah) allows PHP Local File Inclusion. This issue affects Jannah: from n/a through <= 7.6.3.
Source: NVD
Score: 8.1 | Severity: HIGH | CNA Score: 8.1 | Published: March 25, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.2 | Exploitation Probability Percentile (EPSS): 35.7
Affected packages and libraries: jannah
Sources: NVD
Wiz
CVE-2025-62147 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2025-62147: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in nikmelnik Realbig (realbig-media) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Realbig: from n/a through <= 1.1.3.
Source: NVD
CNA Score: N/A | Published: December 31, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 7
Affected packages and libraries: realbig-media
Sources: NVD
Wiz
CVE-2025-14554 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.2
## CVE-2025-14554: WordPress vulnerability analysis and mitigation
The Sell BTC - Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'orderform_data' AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5.
Source: NVD
Score: 7.2 | Severity: HIGH | CNA Score: 7.2 | Published: January 31, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Wiz
CVE-2026-32511 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-32511: WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in Mikado-Themes Stål (stal) allows Object Injection. This issue affects Stål: from n/a through < 1.7.
Source: NVD
Score: 5.4 | Severity: MEDIUM | CNA Score: 5.4 | Published: March 25, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 | Exploitation Probability Percentile (EPSS): 17.2
Affected packages and libraries: stal
Sources: NVD
Wiz
CVE-2025-66154 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2025-66154: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Couponer for Elementor (couponer-elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Couponer for Elementor: from n/a through <= 1.1.7.
Source: NVD
CNA Score: N/A | Published: December 31, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 0.7
Affected packages and libraries: couponer-elementor
Sources: NVD
Wiz
CVE-2026-1004 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-1004: WordPress vulnerability analysis and mitigation
The Essential Addons for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to and including 6.5.5 via the 'eael_product_quickview_popup' function. This makes it possible for unauthenticated attackers to retrieve WooCommerce product information for products with draft, pending, or private status, which should normally be restricted.
Source: NVD
Score: 5.3 | Severity: MEDIUM | CNA Score: 5.3 | Published: January 16, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 6.3
Affected packages and libraries: essenti
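CVE-2026-1219 (an unauthenticated AJAX action that returns the content of private posts) and CVE-2026-1004 (a quick-view endpoint that returns draft, pending and private products) share one root cause: the handler looks an object up by a client-supplied ID and never asks whether the current visitor may see it. The block below is an added example, not code from the Sonaar or Essential Addons plugins; the plugin name, action name and function names are assumptions. It shows a hypothetical `nopriv` AJAX endpoint before and after the visibility check.

```php
<?php
// Added example, not code from any plugin on this page. Hypothetical
// admin-ajax endpoint "my_player_track_note" that returns a post's content
// by ID. All names are assumptions.

// BEFORE (vulnerable): any ID is accepted. get_post() returns drafts,
// pending and private posts just as readily as published ones, so an
// unauthenticated caller can enumerate IDs and read restricted content.
function my_player_track_note_vulnerable() {
    $post = get_post( absint( $_GET['id'] ?? 0 ) );
    wp_send_json_success( $post ? $post->post_content : '' );
}

// Returns the content only if the *current* visitor could see this post
// on the front end; null otherwise.
function my_player_visible_content( $post_id, $allowed_types = array( 'post' ) ) {
    $post = get_post( $post_id );
    if ( ! $post instanceof WP_Post ) {
        return null;
    }
    // Restrict the endpoint to the object type it exists to serve.
    if ( ! in_array( $post->post_type, $allowed_types, true ) ) {
        return null;
    }
    // Anonymous visitors may see public statuses only. For everything else
    // (draft, pending, private, future) fall back to the per-object
    // capability, which maps to edit_post / read_private_posts as needed.
    $status = get_post_status_object( $post->post_status );
    $public = $status && ! empty( $status->public );
    if ( ! $public && ! current_user_can( 'read_post', $post->ID ) ) {
        return null;
    }
    // Password-protected posts still need the password cookie.
    if ( post_password_required( $post ) ) {
        return null;
    }
    return $post->post_content;
}

// AFTER (fixed): same endpoint, same response for "missing" and "not
// allowed" so the handler is not an enumeration oracle.
function my_player_track_note_fixed() {
    $content = my_player_visible_content( absint( $_GET['id'] ?? 0 ) );
    if ( null === $content ) {
        wp_send_json_error( 'Not found.', 404 );
    }
    wp_send_json_success( $content );
}
add_action( 'wp_ajax_my_player_track_note', 'my_player_track_note_fixed' );
add_action( 'wp_ajax_nopriv_my_player_track_note', 'my_player_track_note_fixed' );
```

The status check comes before `current_user_can()` on purpose: for an anonymous request `read_post` on a published post still maps to the `read` capability, which no user is attached to supply, so public content has to be allowed by status and only non-public content is gated by capability.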
Wiz
CVE-2025-13764 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2025-13764: WordPress vulnerability analysis and mitigation
The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
Source: NVD
Score: 9.8 | Severity: CRITICAL | CNA Score: 9.8 | Published: December 11, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 | Exploitation Probability Percentile (EPSS): 35
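The bug class behind CVE-2025-13764 is a registration handler that passes a client-supplied role straight to the user-creation API. The block below is an added example, not WP CarDealer's code; the function and role names are assumptions. It shows the vulnerable shape and a version where the client chooses only an account type that the server maps onto a short allowlist of low-privilege roles.

```php
<?php
// Added example, not code from WP CarDealer. Hypothetical self-registration
// handler; function names, role names and request keys are assumptions.

// BEFORE (vulnerable): the role is attacker-controlled. A request with
// role=administrator creates an administrator account.
function my_dealer_register_vulnerable( array $req ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $req['username'] ?? '' ),
        'user_email' => sanitize_email( $req['email'] ?? '' ),
        'user_pass'  => (string) ( $req['password'] ?? '' ),
        'role'       => $req['role'] ?? 'subscriber', // accepted as-is
    ) );
}

// Server-side allowlist: the only roles an unauthenticated request can end
// up with. Administrator, editor and any privileged custom role are simply
// not reachable from here.
function my_dealer_allowed_roles() {
    return array(
        'buyer'  => 'subscriber',
        'dealer' => 'my_dealer_seller', // hypothetical custom role registered elsewhere
    );
}

// AFTER (fixed): the client picks an account type; the server picks the role.
function my_dealer_register_fixed( array $req ) {
    $type  = isset( $req['account_type'] ) ? sanitize_key( $req['account_type'] ) : 'buyer';
    $roles = my_dealer_allowed_roles();
    if ( ! array_key_exists( $type, $roles ) ) {
        return new WP_Error( 'bad_account_type', 'Unknown account type.' );
    }
    $role = $roles[ $type ];

    // Defence in depth: refuse if the mapped role does not exist or has
    // somehow acquired an administrative capability.
    $role_obj = get_role( $role );
    if ( ! $role_obj || ! empty( $role_obj->capabilities['manage_options'] ) ) {
        return new WP_Error( 'bad_role', 'Role not permitted for self-registration.' );
    }

    return wp_insert_user( array(
        'user_login' => sanitize_user( $req['username'] ?? '', true ),
        'user_email' => sanitize_email( $req['email'] ?? '' ),
        'user_pass'  => (string) ( $req['password'] ?? '' ),
        'role'       => $role,
    ) );
}
```

The same check belongs on any later "update profile" path: a registration allowlist is worthless if a profile-edit handler lets the account change its own role afterwards.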
Wiz
CVE-2025-68050 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5
## CVE-2025-68050: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Leadpages Leadpages (leadpages) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Leadpages: from n/a through <= 1.1.3.
Source: NVD
Score: 6.5 | Severity: MEDIUM | CNA Score: 6.5 | Published: February 20, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 | Exploitation Probability Percentile (EPSS): 16.9
Affected packages and libraries: leadpages
Sources: NVD
Wiz
CVE-2024-50555 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5
## CVE-2024-50555: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder (elementor) allows Stored XSS. This issue affects Elementor Website Builder: from n/a through <= 3.29.0.
Source: NVD
Score: 6.5 | Severity: MEDIUM | CNA Score: 6.5 | Published: February 20, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 4.4
Affected packages and libraries: elementor, elementor-pro
Sources: NVD
Wiz
CVE-2026-25455 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-25455: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce (woocommerce-products-slider) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.60.
Source: NVD
Score: 6.5 | Severity: MEDIUM | CNA Score: 6.5 | Published: March 25, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 8.4
Affected packages and libraries: woocommerce-products-slider
Sources: NVD
Wiz
CVE-2026-1051 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-1051: WordPress vulnerability analysis and mitigation
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.
Source: NVD
Score: 4.3 | Severity: MEDIUM | CNA Score: 4.3 | Published: January 20, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 4
Wiz
CVE-2026-1463 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-1463: WordPress vulnerability analysis and mitigation
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.0.3 via the 'template' parameter in gallery shortcodes. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Source: NVD
Score: 8.8 | Severity: HIGH | CNA Score: 8.8 | Published: March 18, 2026
Affected Technologies: WordPress
Has Public Exploit: No
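A shortcode attribute that selects a PHP view file is the pattern behind CVE-2026-1463 and the 'PHP Local File Inclusion' entries on this page. The block below is an added example, not NextGEN Gallery's code; the shortcode name, the views directory and the view names are assumptions. It shows the attribute flowing into `include` as the advisory describes, then a resolver that accepts only a known view name and confirms the resolved path stays inside the plugin's own directory.

```php
<?php
// Added example, not code from NextGEN Gallery or any theme listed above.
// Hypothetical gallery shortcode whose 'template' attribute picks a view
// file. Directory layout, shortcode name and view names are assumptions.

define( 'MY_GALLERY_VIEWS', __DIR__ . '/views' );

// BEFORE (vulnerable): the attribute is concatenated into include().
// An Author who can upload a file containing PHP can point 'template' at
// it with a relative path, e.g. '../../../uploads/2026/03/avatar' .
function my_gallery_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts );
    ob_start();
    include MY_GALLERY_VIEWS . '/' . $atts['template'] . '.php';
    return ob_get_clean();
}

// Resolve a view name to an absolute path, or false if it is not acceptable.
function my_gallery_resolve_view( $name ) {
    // 1. Syntactic allowlist: a bare identifier, so no slashes, dots or NUL.
    if ( ! is_string( $name ) || ! preg_match( '/\A[a-z0-9_-]{1,40}\z/', $name ) ) {
        return false;
    }
    // 2. Semantic allowlist: only views the plugin actually ships.
    $known = array( 'default', 'compact', 'masonry' );
    if ( ! in_array( $name, $known, true ) ) {
        return false;
    }
    // 3. Path containment: realpath() collapses symlinks and '..', so the
    //    prefix check below is on the real location, not the spelling.
    $base = realpath( MY_GALLERY_VIEWS );
    $path = realpath( MY_GALLERY_VIEWS . '/' . $name . '.php' );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

// AFTER (fixed): unknown names fall back to the default view; if even that
// cannot be resolved the shortcode renders nothing rather than guessing.
function my_gallery_shortcode_fixed( $atts ) {
    $atts = shortcode_atts( array( 'template' => 'default' ), $atts );
    $view = my_gallery_resolve_view( $atts['template'] );
    if ( false === $view ) {
        $view = my_gallery_resolve_view( 'default' );
    }
    if ( false === $view ) {
        return '';
    }
    ob_start();
    include $view;
    return ob_get_clean();
}
add_shortcode( 'my_gallery', 'my_gallery_shortcode_fixed' );
```

Steps 1 and 2 already make step 3 redundant for this resolver; it is kept because the containment check is what survives when someone later relaxes the allowlist to "any file in the views directory".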
Wiz
CVE-2025-68870 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2025-68870: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in reDim GmbH CookieHint WP (cookiehint-wp) allows PHP Local File Inclusion. This issue affects CookieHint WP: from n/a through <= 1.0.0.
Source: NVD
CNA Score: N/A | Published: December 29, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 | Exploitation Probability Percentile (EPSS): 23.6
Affected packages and libraries: cookiehint-wp
Sources: NVD
Wiz
CVE-2026-1369 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-1369: WordPress vulnerability analysis and mitigation
The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
Source: NVD
Score: 4.3 | Severity: MEDIUM | CNA Score: 4.3 | Published: February 22, 2026
Affected Technologies: WordPress
Has Public Exploit: Yes | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 9.5
Affected packages and libraries: wp-conditional-captcha
Sources: NVD
Wiz
CVE-2025-68976 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8
## CVE-2025-68976: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Eagle-Themes Eagle Booking (eagle-booking) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: from n/a through <= 1.3.4.3.
Source: NVD
Score: 8.8 | Severity: HIGH | CNA Score: 8.8 | Published: December 30, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): 0.1 | Exploitation Probability Percentile (EPSS): 18.2
Affected packages and libraries: eagle-booking
Sources: NVD
Wiz
CVE-2025-14371 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
## CVE-2025-14371: WordPress vulnerability analysis and mitigation
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own.
Source: NVD
Score: 4.3 | Severity: MEDIUM | CNA Score: 4.3 | Published: January 6, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.8
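Three entries on this page are the two halves of one admin-ajax mistake: CVE-2026-2023 and CVE-2026-1051 are handlers with no working nonce check (CSRF), and CVE-2025-14371 is a handler with no capability check (any Contributor can edit any post's terms). The block below is an added example, not code from WP Plugin Info Card, Newsletter or TaxoPress; the plugin name, action name and function names are assumptions. It shows a term-editing handler with the nonce check short-circuited by `false &&`, exactly the shape CVE-2026-2023 describes, next to a version that verifies the nonce and then the per-post capability.

```php
<?php
// Added example, not code from any plugin on this page. Hypothetical
// admin-ajax handler "my_plugin_add_term" for a made-up plugin; every name
// here is an assumption.

// BEFORE (vulnerable): the nonce check is present in the source but
// short-circuited by 'false &&', so it never runs, and there is no
// capability check at all, so any logged-in user can tag any post.
function my_plugin_add_term_vulnerable() {
    if ( false && ! check_ajax_referer( 'my_plugin_add_term', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid nonce.', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    $term    = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    wp_set_post_terms( $post_id, array( $term ), 'post_tag', true );
    wp_send_json_success();
}

// AFTER (fixed): verify the nonce (the request came from a page we
// rendered for this user), then verify this user may edit this post, then act.
function my_plugin_add_term_fixed() {
    // Third argument false: return instead of die(), so the JSON error is ours.
    if ( ! check_ajax_referer( 'my_plugin_add_term', 'nonce', false ) ) {
        wp_send_json_error( 'Invalid or missing nonce.', 403 );
    }
    $post_id = absint( $_POST['post_id'] ?? 0 );
    // Object-level capability: a Contributor passes only for their own
    // drafts. is_user_logged_in() alone would not stop cross-user edits.
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'Not allowed to edit this post.', 403 );
    }
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    if ( '' === $term ) {
        wp_send_json_error( 'Missing term.', 400 );
    }
    wp_set_post_terms( $post_id, array( $term ), 'post_tag', true );
    wp_send_json_success( array( 'post_id' => $post_id, 'term' => $term ) );
}

// Logged-in users only. A wp_ajax_nopriv_ hook would expose the action to
// unauthenticated requests as well.
add_action( 'wp_ajax_my_plugin_add_term', 'my_plugin_add_term_fixed' );

// The page that fires the request must carry a matching nonce, for example:
// wp_localize_script( 'my-plugin', 'myPlugin', array(
//     'nonce' => wp_create_nonce( 'my_plugin_add_term' ),
// ) );
```

The two checks are not interchangeable: a valid nonce proves the request originated from a page WordPress rendered for this user (defeating a forged cross-site request), while `current_user_can( 'edit_post', $post_id )` decides whether that user is allowed to touch this object. A handler needs both, which is why a reviewer should grep for `false &&`, commented-out `check_ajax_referer` calls and `wp_ajax_nopriv_` registrations as a first pass over any plugin's AJAX surface.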
Wiz
CVE-2026-3347 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
## CVE-2026-3347: WordPress vulnerability analysis and mitigation
(Description not recovered in extraction; the only surviving tokens are `arv_lb[message]`, `arv_lb_options_val()`, `message` and `genLB()`.)
Source: NVD
Score: 5.5 | Severity: MEDIUM | CNA Score: 5.5 | Published: March 21, 2026
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 11.8
Affected packages and libraries: multi-functional-flexi-lightbox
Sources: NVD
Wiz
CVE-2025-67546 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5
## CVE-2025-67546: WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs WP ERP (erp) allows Retrieve Embedded Sensitive Data. This issue affects WP ERP: from n/a through <= 1.16.6.
Source: NVD
Score: 6.5 | Severity: MEDIUM | CNA Score: 6.5 | Published: December 18, 2025
Affected Technologies: WordPress
Has Public Exploit: No | Has CISA KEV Exploit: No | CISA KEV Release Date: N/A | CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A | Exploitation Probability Percentile (EPSS): 14
Affected packages and libraries: erp
Sources: NVD
Wiz
## CVE-2025-66142: WordPress vulnerability analysis and mitigation
CVE-2025-66142 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.4)
Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comparimager for Elementor: from n/a through <= 1.0.1.
Source : NVD
Score: 5.4
Published: January 22, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 16.6
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: comparimager-elementor
Sources: NVD
## CVE-2026-25396: WordPress vulnerability analysis and mitigation
CVE-2026-25396 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in CoderPress Commerce Coinbase For WooCommerce commerce-coinbase-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Commerce Coinbase For WooCommerce: from n/a through <= 1.6.6.
Source : NVD
Score: 7.5
Published: March 25, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 12.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: commerce-coinbase-for-woocommerce
Sources: NVD
## CVE-2026-24997: WordPress vulnerability analysis and mitigation
CVE-2026-24997 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8.
Source : NVD
Score: 5.3
Published: February 3, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 12.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: wired-impact-volunteer-management
Sources: NVD
## CVE-2025-12650: WordPress vulnerability analysis and mitigation
CVE-2025-12650 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.4)
The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class_name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via mouse interaction.
Source : NVD
Score: 6.4
Published: December 12, 2025
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
## CVE-2025-66134: WordPress vulnerability analysis and mitigation
CVE-2025-66134 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.4)
Missing Authorization vulnerability in NinjaTeam FileBird Pro filebird-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FileBird Pro: from n/a through <= 6.5.1.
Source : NVD
Score: 5.4
Published: December 16, 2025
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 11.2
Exploitation Probability (EPSS): N/A
Affected packages and libraries: filebird-pro
Sources: NVD
## CVE-2025-62099: WordPress vulnerability analysis and mitigation
CVE-2025-62099 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in approveme Signature Add-On for Gravity Forms gravity-signature-forms-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Signature Add-On for Gravity Forms: from n/a through <= 1.8.6.
Source : NVD
Published: December 31, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 0.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: gravity-signature-forms-add-on
Sources: NVD
## CVE-2025-62742: WordPress vulnerability analysis and mitigation
CVE-2025-62742 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Curator.io Curator.io curatorio allows Stored XSS. This issue affects Curator.io: from n/a through <= 1.9.5.
Source : NVD
Published: December 31, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: curatorio
Sources: NVD
## CVE-2025-12707: WordPress vulnerability analysis and mitigation
CVE-2025-12707 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.5)
The Library Management System plugin for WordPress is vulnerable to SQL Injection via the 'bid' parameter in all versions up to, and including, 3.2.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score: 7.5
Published: February 19, 2026
Severity: HIGH
CNA Score: 7.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.8
## CVE-2025-14050: WordPress vulnerability analysis and mitigation
CVE-2025-14050 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 4.9)
The Design Import/Export plugin for WordPress is vulnerable to SQL Injection via XML File Import in all versions up to, and including, 2.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score: 4.9
Published: December 13, 2025
Severity: MEDIUM
CNA Score: 4.9
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
## CVE-2026-22518: WordPress vulnerability analysis and mitigation
CVE-2026-22518 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows DOM-Based XSS. This issue affects X Addons for Elementor: from n/a through <= 1.0.23.
Source : NVD
Published: January 8, 2026
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: x-addons-elementor
Sources: NVD
## CVE-2025-64273: WordPress vulnerability analysis and mitigation
CVE-2025-64273 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.5)
Missing Authorization vulnerability in GetResponse Email marketing for WordPress by GetResponse Official getresponse-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Email marketing for WordPress by GetResponse Official: from n/a through <= 1.5.3.
Source : NVD
Score: 7.5
Published: December 18, 2025
Severity: HIGH
CNA Score: 7.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 12.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: getresponse-official
Sources: NVD
## CVE-2025-68058: WordPress vulnerability analysis and mitigation
CVE-2025-68058 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.6)
Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3..4.
Source : NVD
Score: 7.6
Published: January 22, 2026
Severity: HIGH
CNA Score: 7.6
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 17.7
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: institutions-directory
Sources: NVD
## CVE-2026-25013: WordPress vulnerability analysis and mitigation
CVE-2026-25013 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WHMCSdes Phox Hosting phox-host allows Reflected XSS. This issue affects Phox Hosting: from n/a through <= 2.0.8.
Source : NVD
Score: 7.1
Published: March 25, 2026
Severity: HIGH
CNA Score: 7.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: phox-host
Sources: NVD
## CVE-2025-68562: WordPress vulnerability analysis and mitigation
CVE-2025-68562 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.9)
Unrestricted Upload of File with Dangerous Type vulnerability in RomanCode MapSVG allows Upload a Web Shell to a Web Server. This issue affects MapSVG: from n/a through 8.7.3.
Source : NVD
Score: 9.9
Published: December 29, 2025
Severity: CRITICAL
CNA Score: 9.9
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 19.7
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: mapsvg-lite-interactive-vector-maps
Sources: NVD
## CVE-2026-0913: WordPress vulnerability analysis and mitigation
CVE-2026-0913 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'usp_access' shortcode in all versions up to, and including, 20260110 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4
Published: January 16, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
## CVE-2026-2127: WordPress vulnerability analysis and mitigation
CVE-2026-2127 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Identifiers referenced in the advisory text: `siteorigin_widget_preview_widget_action()`, `wp_ajax_so_widgets_preview`, `widgets_action`, `SiteOrigin_Widget_Editor_Widget`, `data-ajax-url`.
Source : NVD
Score: 5.4
Published: February 18, 2026
Severity: MEDIUM
CNA Score: 5.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: so-widgets-bundle
Sources: NVD
## CVE-2025-13521: WordPress vulnerability analysis and mitigation
CVE-2025-13521 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 4.3)
The WP Status Notifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score: 4.3
Published: January 7, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 3.5
Exploitation Probability (EPSS): N/A
## CVE-2025-14864: WordPress vulnerability analysis and mitigation
CVE-2025-14864 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 4.3)
Identifiers referenced in the advisory text: `vd_get_apikey`, `wp_ajax_virusdie_apikey`.
Source : NVD
Score: 4.3
Published: February 19, 2026
Severity: MEDIUM
CNA Score: 4.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 9.9
Exploitation Probability (EPSS): N/A
Affected packages and libraries: virusdie
Sources: NVD
## CVE-2025-69406: WordPress vulnerability analysis and mitigation
CVE-2025-69406 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.1)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion. This issue affects FreightCo: from n/a through <= 1.1.7.
Source : NVD
Score: 8.1
Published: February 20, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 37.5
Exploitation Probability (EPSS): 0.2
Affected packages and libraries: freightco
Sources: NVD
## CVE-2026-24565: WordPress vulnerability analysis and mitigation
CVE-2026-24565 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.2.
Source : NVD
Score: 6.5
Published: January 23, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 14
Exploitation Probability (EPSS): N/A
Affected packages and libraries: b-accordion
Sources: NVD
## CVE-2025-14782: WordPress vulnerability analysis and mitigation
CVE-2025-14782 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.3)
The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.49.1 via the 'listen_for_csv_export' function. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with access to the Forminator dashboard, to export sensitive form submission data including personally identifiable information.
Source : NVD
Score: 5.3
Published: January 9, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
## CVE-2025-68503: WordPress vulnerability analysis and mitigation
CVE-2025-68503 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in Crocoblock JetBlog jet-blog allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetBlog: from n/a through <= 2.4.7.
Source : NVD
Published: December 29, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: jet-blog
Sources: NVD
## CVE-2025-63002: WordPress vulnerability analysis and mitigation
CVE-2025-63002 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in wpforchurch Sermon Manager sermon-manager-for-wordpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sermon Manager: from n/a through <= 2.30.0.
Source : NVD
Published: December 18, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: sermon-manager-for-wordpress
Sources: NVD
## CVE-2026-1888: WordPress vulnerability analysis and mitigation
CVE-2026-1888 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'docusplaylist' shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4
Published: February 6, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 2
## CVE-2025-15096: WordPress vulnerability analysis and mitigation
CVE-2025-15096 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.8)
The 'Videospirecore Theme Plugin' plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.6. This is due to the plugin not properly validating a user's identity prior to updating their details, such as their email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account.
Source : NVD
Score: 8.8
Published: February 11, 2026
Severity: HIGH
CNA Score: 8.8
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
## CVE-2026-1941: WordPress vulnerability analysis and mitigation
CVE-2026-1941 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The WP Event Aggregator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wp_events' shortcode in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4
Published: February 18, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 5.5
## CVE-2025-68500: WordPress vulnerability analysis and mitigation
CVE-2025-68500 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.1)
Server-Side Request Forgery (SSRF) vulnerability in bdthemes Prime Slider – Addons For Elementor bdthemes-prime-slider-lite allows Server Side Request Forgery. This issue affects Prime Slider – Addons For Elementor: from n/a through <= 4.0.10.
Source : NVD
Score: 9.1
Published: December 24, 2025
Severity: CRITICAL
CNA Score: 9.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.7
Exploitation Probability (EPSS): N/A
Affected packages and libraries: bdthemes-prime-slider-lite
Sources: NVD
## CVE-2026-1305: WordPress vulnerability analysis and mitigation
CVE-2026-1305 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Identifiers referenced in the advisory text: `paidy_webhook_permission_check`, `true`.
Source : NVD
Score: 5.3
Published: February 27, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 62.8
Exploitation Probability (EPSS): 0.4
Affected packages and libraries: woocommerce-for-japan
Sources: NVD
## CVE-2026-24938: WordPress vulnerability analysis and mitigation
CVE-2026-24938 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through <= 4.2.1.
Source : NVD
Score: 5.9
Published: February 3, 2026
Severity: MEDIUM
CNA Score: 5.9
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 10.6
Exploitation Probability (EPSS): N/A
Affected packages and libraries: better-search
Sources: NVD
## CVE-2025-14147: WordPress vulnerability analysis and mitigation
CVE-2025-14147 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.4)
The Easy GitHub Gist Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the gist shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score: 6.4
Published: January 7, 2026
Severity: MEDIUM
CNA Score: 6.4
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13
## CVE-2025-62759: WordPress vulnerability analysis and mitigation
CVE-2025-62759 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Justin Tadlock Series series allows Stored XSS. This issue affects Series: from n/a through <= 2.0.1.
Source : NVD
Published: December 31, 2025
CNA Score: N/A
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 13.1
Exploitation Probability (EPSS): N/A
Affected packages and libraries: series
Sources: NVD
## CVE-2026-28104: WordPress vulnerability analysis and mitigation
CVE-2026-28104 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Site Suggest: from n/a through <= 1.3.9.
Source : NVD
Score: 6.5
Published: March 5, 2026
Severity: MEDIUM
CNA Score: 6.5
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 16.9
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: site-suggest
Sources: NVD
## CVE-2026-32503: WordPress vulnerability analysis and mitigation
CVE-2026-32503 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS Trendustry trendustry allows PHP Local File Inclusion. This issue affects Trendustry: from n/a through <= 1.1.4.
Source : NVD
Score: 8.1
Published: March 25, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 35.7
Exploitation Probability (EPSS): 0.2
Affected packages and libraries: trendustry
Sources: NVD
## CVE-2025-68536: WordPress vulnerability analysis and mitigation
CVE-2025-68536 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.1)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion. This issue affects Zota: from n/a through <= 1.3.14.
Source : NVD
Score: 8.1
Published: February 20, 2026
Severity: HIGH
CNA Score: 8.1
Affected Technologies: WordPress
Has Public Exploit: No
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 37.5
Exploitation Probability (EPSS): 0.2
Affected packages and libraries: zota
Sources: NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-24560 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.2.
Source : NVD
Score 5.4
Published January 23, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cloudinary-image-management-and-manipulation-in-the-cloud-cdn
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.7
## CVE-2025-14804 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Frontend File Manager Plugin WordPress plugin before 23.5 did not validate a path parameter and ownership of the file, allowing any authenticated users, such as subscribers, to delete arbitrary files on the server.
Source : NVD
Score 7.7
Published January 7, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nmedia-user-file-uploader
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.5
## CVE-2025-67621 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in 10up Eight Day Week Print Workflow eight-day-week-print-workflow allows Retrieve Embedded Sensitive Data. This issue affects Eight Day Week Print Workflow: from n/a through <= 1.2.5.
Source : NVD
Score 7.5
Published December 24, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eight-day-week-print-workflow
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.1
## CVE-2025-68839 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS. This issue affects Easy Theme Options: from n/a through <= 1.0.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-theme-options
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.1
## CVE-2023-49186 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in KlbTheme Machic Core allows DOM-Based XSS. This issue affects Machic Core: from n/a through 1.2.6.
Source : NVD
Score 7.1
Published January 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
machic-core
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-27092 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Greg Winiarski WPAdverts wpadverts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPAdverts: from n/a through <= 2.3.0.
Source : NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpadverts
Sources
NVD
Wiz (blogs_wiz) · CVSS 8.1
## CVE-2025-53449 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Convex convex allows PHP Local File Inclusion. This issue affects Convex: from n/a through <= 1.11.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
convex
Sources
NVD
Wiz (blogs_wiz) · CVSS 8.1
## CVE-2025-67988 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through < 1.9.1.
Source : NVD
Score 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
cozystay
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2025-10915 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Dreamer Blog WordPress theme through 1.2 is vulnerable to arbitrary installations due to a missing capability check.
Source : NVD
Score 9.8
Published January 13, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dreamer-blog
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-28021 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Craftis craftis allows PHP Local File Inclusion. This issue affects Craftis: from n/a through <= 1.2.8.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
craftis
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.1
## CVE-2025-31642 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dasinfomedia WPCHURCH allows Reflected XSS. This issue affects WPCHURCH: from n/a through 2.7.0.
Source : NVD
Score 7.1
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
church-management
Sources
NVD
Wiz (blogs_wiz) · CVSS 6.5
## CVE-2025-69095 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reservation Plugin: from n/a through <= 1.7.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dt-reservation-plugin
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-1644 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The WP Frontend Profile plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.8. This is due to missing nonce validation on the 'update_action' function. This makes it possible for unauthenticated attackers to approve or reject user account registrations via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published March 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Wiz (blogs_wiz) · CVSS 8.1
## CVE-2025-67917 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in shinetheme Traveler traveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Traveler: from n/a through <= 3.2.6.
Source : NVD
Score 8.1
Published January 8, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
traveler
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-2383 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 27, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Wiz (blogs_wiz) · CVSS 8.1
## CVE-2025-69395 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion. This issue affects Gable: from n/a through <= 1.5.
Source : NVD
Score 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
gable
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-22463 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
form-to-chat
Sources
NVD
Wiz (blogs_wiz) · CVSS 8.2
## CVE-2025-58943 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Agricola agricola allows PHP Local File Inclusion. This issue affects Agricola: from n/a through <= 1.1.0.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
agricola
Sources
NVD
Wiz (blogs_wiz) · CVSS 8.8
## CVE-2025-67465 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Cross Site Request Forgery. This issue affects Simple Link Directory: from n/a through <= 8.8.3.
Source : NVD
Score 8.8
Published December 9, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-link-directory
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.1
## CVE-2025-69302 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS. This issue affects DesignThemes Core Features: from n/a through <= 2.3.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
designthemes-core-features
Sources
NVD
Wiz (blogs_wiz) · CVSS 8.1
## CVE-2025-69396 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion. This issue affects Splendour: from n/a through <= 1.23.
Source : NVD
Score 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
splendour
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-27358 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Architecturer architecturer allows Reflected XSS. This issue affects Architecturer: from n/a through <= 3.8.8.
Source : NVD
Score 7.1
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
architecturer
Sources
NVD
Wiz (blogs_wiz) · CVSS 6.4
## CVE-2025-13463 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
Exploitation Probability (EPSS) N/A
Wiz (blogs_wiz) · CVSS 5.4
## CVE-2025-67630 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webheadcoder WH Tweaks wh-tweaks allows Stored XSS. This issue affects WH Tweaks: from n/a through <= 1.0.2.
Source : NVD
Score 5.4
Published December 24, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wh-tweaks
Sources
NVD
Wiz (blogs_wiz) · CVSS 6.4
## CVE-2025-13738 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
ez-toc
Source : NVD
Score 6.4
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-table-of-contents
Sources
NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | | | |
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-24579 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9.
Source : NVD
Score 4.3
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ai-image-alt-text-generator-for-wp
Sources
NVD
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-28090 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gamezone gamezone allows PHP Local File Inclusion. This issue affects Gamezone: from n/a through <= 1.1.11.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
gamezone
Sources
NVD
Wiz (blogs_wiz) · CVSS 8.8
## CVE-2025-49375 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1.
Source : NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
homelancer
Sources
NVD
Wiz (blogs_wiz) · CVSS 7.1
## CVE-2025-53231 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevstudio Easy Taxonomy Images easy-taxonomy-images allows Stored XSS. This issue affects Easy Taxonomy Images: from n/a through <= 1.0.1.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-taxonomy-images
Sources
NVD
Wiz (blogs_wiz) · CVSS 6.5
## CVE-2025-11725 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 3.0.2. This makes it possible for unauthenticated attackers to modify the plugin's configuration settings, enable or disable features, as well as enable/disable WordPress cron jobs or debug mode.
Source : NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
Wiz (blogs_wiz) · CVSS 6.4
## CVE-2025-14983 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts that execute in a victim's browser.
Source : NVD
Score 6.4
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
advanced-custom-fi
Wiz (blogs_wiz) · CVSS 9.8
## CVE-2026-1920 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension_Controller::update_item_permissions_check' function in all versions up to, and including, 1.0.16. This makes it possible for unauthenticated attackers to install addon plugins.
Source : NVD
Score 5.3
Published March 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
booktics
Sources
Wiz (blogs_wiz) · CVSS 7.2
## CVE-2025-14937 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'acff' parameter in the 'frontend_admin/forms/update_field' AJAX action in all versions up to, and including, 3.28.23 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 7.2
Published January 9, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.4
Exploitation Probabi
Wiz
CVE-2025-52746 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-52746 [MEDIUM] CVE-2025-52746 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-52746 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7.
Source : NVD
## 6.1
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
restaurante
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
CVE-2026-2230 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2230 [CRITICAL] CVE-2026-2230 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2230 :
WordPress vulnerability analysis and mitigation
The Booking Calendar plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 10.14.14 via the handle_ajax_save function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, and booking permissions granted by an Administrator, to modify other users' plugin settings, such as booking calendar display options, which can disrupt the booking calendar functionality for the targeted user.
Source : NVD
## 4.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-22388 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22388 [CRITICAL] CVE-2026-22388 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22388 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2.
Source : NVD
## 5.9
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
owl-carousel-wp
Sources
NVD
Wiz
CVE-2025-60091 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-60091 [CRITICAL] CVE-2025-60091 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60091 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in CRM Perks WP Gravity Forms Zoho CRM and Bigin gf-zoho allows Object Injection. This issue affects WP Gravity Forms Zoho CRM and Bigin: from n/a through <= 1.2.9.
Source : NVD
## 9.8
Score
Published December 18, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
gf-zoho
Sources
NVD
Wiz
CVE-2025-57897 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-57897 [HIGH] CVE-2025-57897 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-57897 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in venusweb Logtik logtik allows Reflected XSS. This issue affects Logtik: from n/a through <= 2.3.
Source : NVD
## 7.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
logtik
Sources
NVD
Wiz
CVE-2025-62152 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-62152 [HIGH] CVE-2025-62152 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62152 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ConveyThis: from n/a through <= 269.2.
Source : NVD
## 8.8
Score
Published December 9, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
conveythis-translate
Sources
NVD
Wiz
CVE-2025-13729 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13729 [MEDIUM] CVE-2025-13729 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13729 :
WordPress vulnerability analysis and mitigation
The Entry Views plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'entry-views' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Wiz
CVE-2026-1939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1939 [CRITICAL] CVE-2026-1939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1939 :
WordPress vulnerability analysis and mitigation
percent_to_graph
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
percent-to-infograph
Sources
NVD
Wiz
CVE-2026-32500 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32500 [CRITICAL] CVE-2026-32500 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32500 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS MetaMax metamax allows PHP Local File Inclusion. This issue affects MetaMax: from n/a through <= 1.1.4.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
metamax
Sources
NVD
Wiz
CVE-2025-14438 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14438 [MEDIUM] CVE-2025-14438 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14438 :
WordPress vulnerability analysis and mitigation
The Xagio SEO – AI Powered SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 7.1.0.30 via the 'pixabayDownloadImage' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Source : NVD
## 6.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.9
Wiz
CVE-2026-22408 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22408 [CRITICAL] CVE-2026-22408 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22408 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Justicia justicia allows PHP Local File Inclusion. This issue affects Justicia: from n/a through <= 1.2.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
justicia
Sources
NVD
Wiz
CVE-2026-0682 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.2
CVE-2026-0682 [LOW] CVE-2026-0682 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0682 :
WordPress vulnerability analysis and mitigation
The Church Admin plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.28 due to insufficient validation of user-supplied URLs in the 'audio_url' parameter. This makes it possible for authenticated attackers, with Administrator-level access, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Source : NVD
## 2.2
Score
Published January 17, 2026
Severity LOW
CNA Score 2.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Wiz
CVE-2026-22421 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22421 [CRITICAL] CVE-2026-22421 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22421 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Quantum quantum allows PHP Local File Inclusion. This issue affects Quantum: from n/a through <= 1.0.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
quantum
Sources
NVD
Wiz
CVE-2025-14741 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-14741 [CRITICAL] CVE-2025-14741 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14741 :
WordPress vulnerability analysis and mitigation
The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to missing authorization, leading to unauthorized data modification and deletion, due to a missing capability check on the 'delete_object' function in all versions up to, and including, 3.28.25. This makes it possible for unauthenticated attackers to delete arbitrary posts, pages, products, taxonomy terms, and user accounts.
Source : NVD
## 9.1
Score
Published January 9, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2025-68988 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68988 [HIGH] CVE-2025-68988 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68988 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in o2oe E-Invoice App Malaysia einvoiceapp-malaysia allows Retrieve Embedded Sensitive Data. This issue affects E-Invoice App Malaysia: from n/a through <= 1.3.0.
Source : NVD
## 7.5
Score
Published December 30, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
einvoiceapp-malaysia
Sources
NVD
Wiz
CVE-2025-68576 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68576 [HIGH] CVE-2025-68576 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68576 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Virusdie Virusdie virusdie allows Retrieve Embedded Sensitive Data. This issue affects Virusdie: from n/a through <= 1.1.6.
Source : NVD
## 7.5
Score
Published December 24, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
virusdie
Sources
NVD
Wiz
CVE-2025-67970 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67970 [MEDIUM] CVE-2025-67970 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67970 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Schedula: from n/a through <= 1.0.
Source : NVD
## 5.3
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
schedula-smart-appointment-booking
Sources
NVD
Wiz
CVE-2026-32452 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32452 [CRITICAL] CVE-2026-32452 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32452 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ThemeFusion Fusion Builder fusion-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fusion Builder: from n/a through < 3.15.0.
Source : NVD
## 5.3
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fusion-builder
Sources
NVD
Wiz
CVE-2025-13850 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13850 [MEDIUM] CVE-2025-13850 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13850 :
WordPress vulnerability analysis and mitigation
The LS Google Map Router plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'map_type' parameter in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-58923 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58923 [HIGH] CVE-2025-58923 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58923 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Critique critique allows PHP Local File Inclusion. This issue affects Critique: from n/a through <= 1.17.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
critique
Sources
NVD
Wiz
CVE-2025-14482 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14482 [MEDIUM] CVE-2025-14482 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14482 :
WordPress vulnerability analysis and mitigation
The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings including disabling auto-compression and changing image quality settings.
Source : NVD
## 4.3
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability
Wiz
CVE-2026-3460 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3460 [CRITICAL] CVE-2026-3460 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3460 :
WordPress vulnerability analysis and mitigation
The REST API TO MiniProgram plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.2. This is due to the permission callback (update_user_wechatshop_info_permissions_check) only validating that the supplied 'openid' parameter corresponds to an existing WordPress user, while the callback function (update_user_wechatshop_info) uses a separate, attacker-controlled 'userid' parameter to determine which user's metadata gets modified, with no verification that the 'openid' and 'userid' belong to the same user. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify arbitrary users' store-related metadata (storeinfo, storeappi
Wiz
CVE-2026-1400 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1400 [CRITICAL] CVE-2026-1400 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1400 :
WordPress vulnerability analysis and mitigation
rest_helpers_update_media_metadata
update_media_metadata
Source : NVD
## 7.2
Score
Published January 28, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ai-engine
Sources
NVD
Wiz
CVE-2026-1706 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1706 [CRITICAL] CVE-2026-1706 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1706 :
WordPress vulnerability analysis and mitigation
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33.5
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-68502 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68502 [CRITICAL] CVE-2025-68502 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68502 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Crocoblock JetPopup jet-popup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetPopup: from n/a through <= 2.0.20.1.
Source : NVD
Published December 29, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jet-popup
Sources
NVD
Wiz
CVE-2025-53235 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-53235 [CRITICAL] CVE-2025-53235 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53235 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in osuthorpe Easy Social easy-social-media allows Reflected XSS. This issue affects Easy Social: from n/a through <= 1.3.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-social-media
Sources
NVD
Wiz
CVE-2025-69358 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69358 [HIGH] CVE-2025-69358 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69358 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.6.0.
Source : NVD
## 7.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
eventprime-event-calendar-management
Sources
NVD
Wiz
CVE-2026-2589 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2589 [CRITICAL] CVE-2026-2589 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2589 :
WordPress vulnerability analysis and mitigation
The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 12.8.3 via the automated Settings Backup stored in a publicly accessible file. This makes it possible for unauthenticated attackers to extract sensitive data including the configured OpenAI, Claude, Google Maps, Gemini, DeepSeek, and Cloudflare Turnstile API keys.
Source : NVD
## 5.3
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-1210 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1210 [CRITICAL] CVE-2026-1210 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1210 :
WordPress vulnerability analysis and mitigation
The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_elementor_data' meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability
Wiz
CVE-2026-24985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24985 [CRITICAL] CVE-2026-24985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24985 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2.
Source : NVD
## 4.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-forms-signature-contract-add-on
Sources
NVD
Wiz
CVE-2026-0926 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0926 [CRITICAL] CVE-2026-0926 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0926 :
WordPress vulnerability analysis and mitigation
The Prodigy Commerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.9 via the 'parameters[template_name]' parameter. This makes it possible for unauthenticated attackers to include and read arbitrary files or execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Source : NVD
## 9.8
Score
Published February 19, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N
Wiz
CVE-2025-63070 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-63070 [MEDIUM] CVE-2025-63070 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63070 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Shahjada Download Manager download-manager allows Retrieve Embedded Sensitive Data. This issue affects Download Manager: from n/a through <= 3.3.32.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
download-manager
Sources
NVD
Wiz
CVE-2026-25360 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25360 [CRITICAL] CVE-2026-25360 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25360 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in rascals Vex vex allows Object Injection. This issue affects Vex: from n/a through < 1.2.9.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vex
Sources
NVD
Wiz
CVE-2025-62138 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62138 [CRITICAL] CVE-2025-62138 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62138 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in cedcommerce WP Advanced PDF wp-advanced-pdf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Advanced PDF: from n/a through <= 1.1.7.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-advanced-pdf
Sources
NVD
## CVE-2025-14426 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 4.3)
WordPress vulnerability analysis and mitigation
The Strong Testimonials plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'edit_rating' function in all versions up to, and including, 3.2.18. This makes it possible for authenticated attackers with Contributor-level access and above to modify or delete the rating meta on any testimonial post, including those created by other users, by reusing a valid nonce obtained from their own testimonial edit screen.
Source : NVD
Score 4.3
Published December 30, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percenti
## CVE-2025-69312 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.1)
WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1.
Source : NVD
Score 9.1
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
xpro-elementor-addons
Sources
NVD
## CVE-2026-32458 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 WOLF bulk-editor allows Blind SQL Injection. This issue affects WOLF: from n/a through <= 1.0.8.7.
Source : NVD
Score 7.6
Published March 13, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bulk-editor
Sources
NVD
## CVE-2026-25422 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery. This issue affects Popularis Extra: from n/a through <= 1.2.10.
Source : NVD
Score 5.4
Published February 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
popularis-extra
Sources
NVD
## CVE-2025-8780 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 6.4)
WordPress vulnerability analysis and mitigation
The Livemesh SiteOrigin Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Hero Header and Pricing Table widgets in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability P
## CVE-2025-67588 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 4.3)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Elementor Elementor Website Builder elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elementor Website Builder: from n/a through <= 3.33.0.
Source : NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
elementor
Sources
NVD
## CVE-2025-10684 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 4.3)
WordPress vulnerability analysis and mitigation
The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF when activating via an AJAX action, allowing any authenticated users, such as subscriber to activate arbitrary .
Source : NVD
Score 4.3
Published December 12, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
construction-light
wp-record
Sources
NVD
## CVE-2026-27367 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Musico musico allows Reflected XSS. This issue affects Musico: from n/a through <= 3.2.4.
Source : NVD
Score 7.1
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
musico
Sources
NVD
## CVE-2025-69354 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 5.4)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Business Reviews: from n/a through <= 0.1.1.
Source : NVD
Score 5.4
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
better-business-reviews
Sources
NVD
## CVE-2026-3034 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
Source : NVD
Score 6.4
Published March 5, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N
## CVE-2025-67628 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 5.4)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AMP-MODE Review Disclaimer review-disclaimer allows Stored XSS. This issue affects Review Disclaimer: from n/a through <= 2.0.3.
Source : NVD
Score 5.4
Published December 24, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
review-disclaimer
Sources
NVD
## CVE-2026-1257 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the 'slug' attribute of the 'get_template' shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
Source : NVD
Score 7.5
Published January 24,
## CVE-2025-69009 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 5.3)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in kamleshyadav Medicalequipment medicalequipment allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Medicalequipment: from n/a through <= 1.0.9.
Source : NVD
Score 5.3
Published December 30, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
medicalequipment
Sources
NVD
## CVE-2026-1860 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
get_items_permissions_check()
/kaliforms/v1/forms/{id}
edit_posts
Source : NVD
Score 4.3
Published February 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kali-forms
Sources
NVD
## CVE-2025-67536 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 6.5)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress LearnPress learnpress allows Stored XSS. This issue affects LearnPress: from n/a through <= 4.2.9.4.
Source : NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
learnpress
Sources
NVD
## CVE-2026-25375 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WP Chill Image Photo Gallery Final Tiles Grid final-tiles-grid-gallery-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Photo Gallery Final Tiles Grid: from n/a through <= 3.6.10.
Source : NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14
Exploitation Probability (EPSS) N/A
Affected packages and libraries
final-tiles-grid-gallery-lite
Sources
NVD
## CVE-2025-68541 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection. This issue affects Ippsum: from n/a through <= 1.2.0.
Source : NVD
Score 9.8
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ippsum
Sources
NVD
## CVE-2026-4022 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
The Show Posts list – Easy designs, filters and more plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'post_type' shortcode attribute in the 'swiftpost-list' shortcode in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due
## CVE-2025-66100 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 6.5)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RestroPress: from n/a through <= 3.2.3.5.
Source : NVD
Score 6.5
Published December 18, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
restropress
Sources
NVD
## CVE-2025-50005 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 6.1)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2.
Source : NVD
Score 6.1
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
td-composer
Sources
NVD
## CVE-2026-25371 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection. This issue affects Lumise Product Designer: from n/a through < 2.0.9.
Source : NVD
Score 9.3
Published March 25, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lumise
Sources
NVD
## CVE-2025-69024 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 6.5)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in bizswoop BizPrint print-google-cloud-print-gcp-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BizPrint: from n/a through <= 4.6.7.
Source : NVD
Score 6.5
Published December 30, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
print-google-cloud-print-gcp-woocommerce
Sources
NVD
## CVE-2026-3350 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
The Image Alt Text Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.2. This is due to insufficient input sanitization and output escaping when dynamically generating image alt and title attributes using a DOM parser. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Pro
## CVE-2025-15363 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 5.9)
WordPress vulnerability analysis and mitigation
The Get Use APIs WordPress plugin before 2.0.10 executes imported JSON, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks under certain server configurations.
Source : NVD
Score 5.9
Published March 18, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
json-content-importer
Sources
NVD
## CVE-2026-28012 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gridiron gridiron allows PHP Local File Inclusion. This issue affects Gridiron: from n/a through <= 1.0.14.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
gridiron
Sources
NVD
## CVE-2025-60053 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 8.2)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MaxCube maxcube allows PHP Local File Inclusion. This issue affects MaxCube: from n/a through <= 1.3.1.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
maxcube
Sources
NVD
## CVE-2025-58706 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 8.1)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Woo Hoo woohoo allows PHP Local File Inclusion. This issue affects Woo Hoo: from n/a through <= 1.25.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
woohoo
Sources
NVD
## CVE-2025-66534 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 8.8)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Elated-Themes The Aisle theaisle allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Aisle: from n/a through <= 2.9.
Source : NVD
Score 8.8
Published December 9, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
theaisle
Sources
NVD
## CVE-2025-62109 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 7.5)
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data. This issue affects Geo Controller: from n/a through <= 8.9.4.
Source : NVD
Score 7.5
Published December 9, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cf-geoplugin
Sources
NVD
## CVE-2025-13903 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 6.4)
WordPress vulnerability analysis and mitigation
The PullQuote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'pullquote' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Pr
## CVE-2026-1032 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
The Conditional Menus plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.6. This is due to missing nonce validation on the 'save_options' function. This makes it possible for unauthenticated attackers to modify conditional menu assignments via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published March 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected
## CVE-2026-28087 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Filmax filmax allows PHP Local File Inclusion. This issue affects Filmax: from n/a through <= 1.1.11.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
filmax
Sources
NVD
## CVE-2025-68887 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 7.1)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CMSJunkie - WordPress Business Directory Plugins WP-BusinessDirectory wp-businessdirectory allows Reflected XSS. This issue affects WP-BusinessDirectory: from n/a through <= 4.0.1.
Source : NVD
Score 7.1
Published January 8, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-businessdirectory
Sources
NVD
## CVE-2026-0679 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (Wiz listing CVSS 5.3)
WordPress vulnerability analysis and mitigation
The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the 'check_fortis_notify_response' function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment.
Source : NVD
Score 5.3
Published February 4, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Exploitation Probability (EPSS) N/A
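The "inverted nonce check" in the entry above is worth seeing next to the control that actually belongs on a payment-notification endpoint. The following is an added example, not code from the Fortis for WooCommerce plugin; the endpoint name, option name, signature header, payload fields and function names are all hypothetical. It shows the shape of an inverted check, and a replacement that authenticates the gateway's callback with an HMAC over the raw body, validates the order against the claim, and only then lets WooCommerce change the status.

```php
<?php
// Added example with hypothetical names; not code from the Fortis for WooCommerce plugin.
// Registers a WooCommerce legacy API endpoint, reachable at
// POST https://shop.example/wc-api/example_notify (host is a placeholder).
add_action( 'woocommerce_api_example_notify', 'example_notify_handler' );

/**
 * The bug class, as a shape. Negating the nonce result rejects exactly the
 * requests that carry a valid nonce and lets everything else through,
 * including a request with no nonce at all. Illustrative only; never wired up.
 */
function example_inverted_check_shape() {
	$nonce = isset( $_REQUEST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ) : '';
	if ( wp_verify_nonce( $nonce, 'example_notify' ) ) { // inverted: the guard should be "! wp_verify_nonce( ... )"
		wp_die( 'Invalid request', 'Forbidden', array( 'response' => 403 ) );
	}
	// ... order marked paid for any caller that reaches this line ...
}

/**
 * What a server-to-server payment notification should check instead. The
 * gateway never holds a WordPress nonce, so a nonce is the wrong control here
 * even when the polarity is right. Authenticate the message under the shared
 * secret from the gateway settings, validate the order, then let WooCommerce
 * perform the status transition.
 */
function example_notify_handler() {
	$raw    = (string) file_get_contents( 'php://input' );
	$secret = (string) get_option( 'example_gateway_webhook_secret', '' );
	$given  = isset( $_SERVER['HTTP_X_EXAMPLE_SIGNATURE'] ) ? (string) $_SERVER['HTTP_X_EXAMPLE_SIGNATURE'] : '';

	// 1. Authenticate: HMAC-SHA256 over the exact bytes received, compared in constant time.
	if ( '' === $secret || '' === $given || ! hash_equals( hash_hmac( 'sha256', $raw, $secret ), $given ) ) {
		status_header( 403 );
		exit;
	}

	$payload = json_decode( $raw, true );
	if ( ! is_array( $payload ) ) {
		status_header( 400 );
		exit;
	}

	// 2. Bind the message to an order we issued.
	$order = wc_get_order( absint( $payload['order_id'] ?? 0 ) );
	if ( ! $order ) {
		status_header( 404 );
		exit;
	}

	// 3. Idempotency: a replayed notification must not re-run completion logic.
	if ( $order->is_paid() ) {
		status_header( 200 );
		exit;
	}

	// 4. The gateway's claim must match what we charged, and must actually be an approval.
	$amount_ok   = isset( $payload['amount'] ) && wc_format_decimal( $order->get_total(), 2 ) === wc_format_decimal( $payload['amount'], 2 );
	$currency_ok = isset( $payload['currency'] ) && $order->get_currency() === strtoupper( (string) $payload['currency'] );
	$approved    = isset( $payload['status'] ) && 'approved' === $payload['status'];
	if ( ! $amount_ok || ! $currency_ok || ! $approved ) {
		$order->add_order_note( 'Gateway notification rejected: amount, currency or status mismatch.' );
		status_header( 400 );
		exit;
	}

	// 5. Only now does the status change, via WooCommerce's own transition (pending -> processing/completed).
	$order->payment_complete( sanitize_text_field( (string) ( $payload['transaction_id'] ?? '' ) ) );
	status_header( 200 );
	exit;
}
```

The HMAC scheme is an assumption for the example; a real gateway dictates its own verification (a signature under its key, or a server-side lookup of the transaction by id), and the callback must use that. The point that generalizes is the order of checks: authenticate the message, confirm the order is still unpaid, confirm amount and currency, and only then transition status.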
Wiz
CVE-2026-27045 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27045 [CRITICAL] CVE-2026-27045 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27045 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in sbthemes WooCommerce Infinite Scroll sb-woocommerce-infinite-scroll allows Object Injection. This issue affects WooCommerce Infinite Scroll: from n/a through <= 1.6.2.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
sb-woocommerce-infinite-scroll
Sources
NVD
Wiz
CVE-2026-27986 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27986 [CRITICAL] CVE-2026-27986 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27986 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX OsTende ostende allows PHP Local File Inclusion. This issue affects OsTende: from n/a through <= 1.4.3.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
ostende
Sources
NVD
Wiz
CVE-2025-67985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67985 [MEDIUM] CVE-2025-67985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67985 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Barn2 Plugins Document Library Lite document-library-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Document Library Lite: from n/a through <= 1.1.7.
Source : NVD
## 5.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
document-library-lite
Sources
NVD
Wiz
CVE-2026-1650 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1650 [CRITICAL] CVE-2026-1650 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1650 :
WordPress vulnerability analysis and mitigation
The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom event fields via the 'delete_custom_field' and 'id' parameters.
Source : NVD
## 5.3
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mobile-dj-manager
Wiz
CVE-2026-23806 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23806 [CRITICAL] CVE-2026-23806 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23806 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in BlueGlass Interactive AG Jobs for WordPress job-postings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Jobs for WordPress: from n/a through <= 2.8.
Source : NVD
## 7.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
job-postings
Sources
NVD
Wiz
CVE-2025-68007 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68007 [MEDIUM] CVE-2025-68007 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68007 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
event-espresso-decaf
Sources
NVD
Wiz
CVE-2025-13361 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13361 [MEDIUM] CVE-2025-13361 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13361 :
WordPress vulnerability analysis and mitigation
The Web to SugarCRM Lead plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation on the custom field deletion functionality. This makes it possible for unauthenticated attackers to delete custom fields via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published December 21, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-14394 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14394 [MEDIUM] CVE-2025-14394 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14394 :
WordPress vulnerability analysis and mitigation
The Popover Windows plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2. This is due to missing or incorrect nonce validation. This makes it possible for unauthenticated attackers to update the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
popov
Wiz
CVE-2026-2631 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2631 [CRITICAL] CVE-2026-2631 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2631 :
WordPress vulnerability analysis and mitigation
datalogics_token
update_option()
Source : NVD
## 9.8
Score
Published March 11, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
datalogics
Sources
NVD
## Related WordPress vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja | | | |
Wiz
CVE-2025-62926 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62926 [CRITICAL] CVE-2025-62926 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62926 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HappyDevs TempTool [Show Current Template Info] current-template-name allows Stored XSS. This issue affects TempTool [Show Current Template Info]: from n/a through <= 1.3.1.
Source : NVD
Published December 21, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
current-template-name
Sources
NVD
Wiz
CVE-2025-13897 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13897 [MEDIUM] CVE-2025-13897 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13897 :
WordPress vulnerability analysis and mitigation
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'aft_testimonial_meta_name' custom field in the Client Information metabox in all versions up to, and including, 2.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected administrative page.
Source : NVD
## 6.4
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-13439 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-13439 [MEDIUM] CVE-2025-13439 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13439 :
WordPress vulnerability analysis and mitigation
The Fancy Product Designer plugin for WordPress is vulnerable to Information Disclosure and PHAR Deserialization in all versions up to, and including, 6.4.8. This is due to insufficient validation of user-supplied input in the 'url' parameter of the 'fpd_custom_uplod_file' AJAX action, which flows directly into the 'getimagesize' function without sanitization. This makes it possible for unauthenticated attackers to read arbitrary sensitive files from the server, including wp-config.php.
Source : NVD
## 5.9
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
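The entry above is a single data-flow bug: a request parameter reaches getimagesize() unchanged. PHP's filesystem functions resolve stream wrappers, so a `phar://` value turns an image probe into Phar metadata unserialization, and a bare local path turns it into a file open. The following is an added example, not code from the Fancy Product Designer plugin; the function names are hypothetical. It keeps the caller's string away from every filesystem call by allow-listing the scheme, fetching the resource into a temp file WordPress created, and probing only that file.

```php
<?php
// Added example with hypothetical names; not code from the Fancy Product Designer plugin.
//
// The vulnerable shape, for contrast, is one line:
//     $info = getimagesize( $_REQUEST['url'] );
// getimagesize() opens whatever it is handed through PHP's stream layer, so
//   url=/var/www/html/wp-config.php  -> the web server process opens and reads a local file
//                                        (the entry above reports wp-config.php being read this way), and
//   url=phar:///path/to/uploaded.jpg -> the file is parsed as a Phar archive and its metadata handed to
//                                        unserialize() before any image check runs (object injection).
// Caveat: the Phar path is automatic on PHP 7.x; PHP 8.0 stopped unserializing Phar metadata on
// open, which removes that route but not the local-file-read one.

function example_validate_image_url( $url ) {
	if ( ! is_string( $url ) || '' === $url || strlen( $url ) > 2048 ) {
		return 'URL missing or too long.';
	}
	// Allow-list the scheme. This rejects phar://, file://, data:, ftp://, glob://
	// and bare filesystem paths, which have no scheme at all.
	$scheme = strtolower( (string) parse_url( $url, PHP_URL_SCHEME ) );
	if ( ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
		return 'Only http(s) URLs are accepted.';
	}
	if ( '' === (string) parse_url( $url, PHP_URL_HOST ) ) {
		return 'URL has no host.';
	}
	return true;
}

/**
 * Fetch a remote image into a temp file we control, then probe that file.
 * Returns an array of image facts, or a WP_Error.
 */
function example_probe_remote_image( $url ) {
	$check = example_validate_image_url( $url );
	if ( true !== $check ) {
		return new WP_Error( 'example_bad_url', $check );
	}

	// download_url() fetches with wp_safe_remote_get(), which also refuses loopback and
	// private-range hosts and non-standard ports (SSRF defence) unless the site opts
	// them in through the http_request_host_is_external filter.
	require_once ABSPATH . 'wp-admin/includes/file.php';
	$tmp = download_url( $url, 15 );
	if ( is_wp_error( $tmp ) ) {
		return $tmp;
	}

	// Only a plain local temp file created by WordPress ever reaches the image probe.
	$info    = wp_getimagesize( $tmp ); // WP >= 5.7; wraps getimagesize() with error suppression
	$allowed = array( 'image/png', 'image/jpeg', 'image/gif', 'image/webp' );
	if ( ! is_array( $info ) || ! in_array( $info['mime'], $allowed, true ) ) {
		wp_delete_file( $tmp );
		return new WP_Error( 'example_not_image', 'Downloaded content is not an allowed image type.' );
	}

	return array(
		'path'   => $tmp,
		'width'  => $info[0],
		'height' => $info[1],
		'mime'   => $info['mime'],
	);
}
```

The caller is responsible for deleting or moving the returned temp file. Note that the scheme allow-list alone would not stop an attacker pointing the fetch at an internal service; that is why the download goes through the safe HTTP API rather than a raw `file_get_contents()` on the validated URL.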
Wiz
CVE-2026-28115 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28115 [CRITICAL] CVE-2026-28115 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28115 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Blind SQL Injection. This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25.
Source : NVD
## 9.3
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
WP_AttractiveDonationsSystem
Sources
NVD
Wiz
CVE-2025-60087 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-60087 [HIGH] CVE-2025-60087 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60087 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon allows PHP Local File Inclusion. This issue affects Extensive VC Addons for WPBakery page builder: from n/a through <= 1.9.1.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
extensive-vc-addon
Sources
NVD
Wiz
CVE-2025-68856 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68856 [HIGH] CVE-2025-68856 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68856 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keeswolters Mopinion Feedback Form mopinion-feedback-form allows DOM-Based XSS. This issue affects Mopinion Feedback Form: from n/a through <= 1.1.1.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mopinion-feedback-form
Sources
NVD
Wiz
CVE-2025-14980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-14980 [MEDIUM] CVE-2025-14980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14980 :
WordPress vulnerability analysis and mitigation
The BetterDocs plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.3 via the scripts() function. This makes it possible for authenticated attackers, with contributor-level access and above, to extract sensitive data including the OpenAI API key stored in plugin settings.
Source : NVD
## 6.5
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
betterdocs
Sources
NVD
Wiz
CVE-2025-64238 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-64238 [MEDIUM] CVE-2025-64238 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64238 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in NicolasKulka WPS Bidouille wps-bidouille allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPS Bidouille: from n/a through <= 1.33.1.
Source : NVD
## 4.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wps-bidouille
Sources
NVD
Wiz
CVE-2026-27044 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27044 [CRITICAL] CVE-2026-27044 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27044 :
WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in TotalSuite Total Poll Lite totalpoll-lite allows Remote Code Inclusion. This issue affects Total Poll Lite: from n/a through <= 4.12.0.
Source : NVD
## 9.9
Score
Published March 25, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
totalpoll-lite
Sources
NVD
Wiz
CVE-2026-24992 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24992 [CRITICAL] CVE-2026-24992 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24992 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2.
Source : NVD
## 5.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
webd-woocommerce-advanced-reporting-statistics
Sources
NVD
Wiz
CVE-2026-3589 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3589 [CRITICAL] CVE-2026-3589 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3589 :
WordPress vulnerability analysis and mitigation
The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example.
Source : NVD
## 7.5
Score
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce
Sources
NVD
Wiz
CVE-2026-22496 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22496 [CRITICAL] CVE-2026-22496 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22496 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hypnotherapy hypnotherapy allows PHP Local File Inclusion. This issue affects Hypnotherapy: from n/a through <= 1.2.10.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
hypnotherapy
Sources
NVD
Wiz
CVE-2026-22415 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22415 [CRITICAL] CVE-2026-22415 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22415 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes The Mounty the-mounty allows PHP Local File Inclusion. This issue affects The Mounty: from n/a through <= 1.1.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
the-mounty
Sources
NVD
Wiz
CVE-2025-69378 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2025-69378 [HIGH] CVE-2025-69378 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69378 :
WordPress vulnerability analysis and mitigation
Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter for WooCommerce prdctfltr allows Privilege Escalation. This issue affects Product Filter for WooCommerce: from n/a through <= 9.1.2.
Source : NVD
## 7.3
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
prdctfltr
Sources
NVD
Wiz
CVE-2026-0820 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0820 [CRITICAL] CVE-2026-0820 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0820 :
WordPress vulnerability analysis and mitigation
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.
Source : NVD
## 5.3
Score
Published January 17, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
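Four entries on this page are the same handler-side omissions seen from different angles: a missing nonce (Web to SugarCRM Lead, Popover Windows: CSRF), a missing capability check on an AJAX controller (MDJM Event Management: unauthenticated deletion by id), and a missing object-level check (RepairBuddy above: a Subscriber writing to any order by id). The following is an added example, not code from any of those plugins; the action names, nonce names, option key and meta key are hypothetical. It shows two admin-ajax.php handlers carrying all three checks, each of which fails independently of the others.

```php
<?php
// Added example with hypothetical names; not code from the RepairBuddy, MDJM Event
// Management, Web to SugarCRM Lead or Popover Windows plugins.
// Each handler needs three independent checks:
//   CSRF  -> a nonce bound to the action (check_ajax_referer),
//   authz -> a capability check, never just "is logged in",
//   IDOR  -> an ownership check on the object addressed by id.

// Privileged actions get only the wp_ajax_ hook. Also registering wp_ajax_nopriv_
// is what turns a missing capability check into an unauthenticated bug.
add_action( 'wp_ajax_example_delete_custom_field', 'example_delete_custom_field' );
add_action( 'wp_ajax_example_save_signature', 'example_save_signature' );

function example_delete_custom_field() {
	// CSRF: the page's JS must send wp_create_nonce( 'example_delete_custom_field' ) as 'nonce'
	// (typically via wp_localize_script). On mismatch this sends HTTP 403 and terminates.
	check_ajax_referer( 'example_delete_custom_field', 'nonce' );

	// Authorization: an authenticated Subscriber still stops here.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// Input: the id is an integer key into our own option, nothing else.
	$field_id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
	$fields   = (array) get_option( 'example_custom_fields', array() );
	if ( 0 === $field_id || ! isset( $fields[ $field_id ] ) ) {
		wp_send_json_error( array( 'message' => 'No such field.' ), 404 );
	}

	unset( $fields[ $field_id ] );
	update_option( 'example_custom_fields', $fields );
	wp_send_json_success( array( 'deleted' => $field_id ) );
}

function example_save_signature() {
	check_ajax_referer( 'example_save_signature', 'nonce' );

	$order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
	$order    = $order_id ? wc_get_order( $order_id ) : false;
	if ( ! $order ) {
		wp_send_json_error( array( 'message' => 'Order not found.' ), 404 );
	}

	// Object-level authorization: the order's own customer, or shop staff. A low-privilege
	// account cannot address someone else's order by guessing its id. Guest orders carry
	// customer id 0, which no logged-in user (id >= 1) can match.
	$is_owner = (int) $order->get_customer_id() === get_current_user_id();
	if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'You may not modify this order.' ), 403 );
	}

	// Payload: a bounded base64 PNG data URL, decoded and magic-checked server side.
	$prefix   = 'data:image/png;base64,';
	$data_url = isset( $_POST['signature'] ) ? (string) wp_unslash( $_POST['signature'] ) : '';
	if ( strlen( $data_url ) > 200 * 1024 || 0 !== strpos( $data_url, $prefix ) ) {
		wp_send_json_error( array( 'message' => 'Invalid signature payload.' ), 400 );
	}
	$png = base64_decode( substr( $data_url, strlen( $prefix ) ), true );
	if ( false === $png || "\x89PNG\r\n\x1a\n" !== substr( $png, 0, 8 ) ) {
		wp_send_json_error( array( 'message' => 'Not a PNG.' ), 400 );
	}

	// Store the signature as order metadata. Deliberately no status transition:
	// capturing a signature is neither a payment nor a fulfilment event.
	$order->update_meta_data( '_example_signature_png', base64_encode( $png ) );
	$order->add_order_note( sprintf( 'Signature captured by user #%d.', get_current_user_id() ) );
	$order->save();

	wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

The nonce defends only against CSRF; it proves the request came from a page WordPress rendered for this user, not that the user may perform the action. That is why the capability and ownership checks are separate lines and why a handler with only a nonce, or only a capability check, still matches one of the entries above.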
Wiz
CVE-2026-3584 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3584 [CRITICAL] CVE-2026-3584 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3584 :
WordPress vulnerability analysis and mitigation
The Kali Forms plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.9 via the 'form_process' function. This is due to the 'prepare_post_data' function mapping user-supplied keys directly into internal placeholder storage, combined with the use of 'call_user_func' on these placeholder values. This makes it possible for unauthenticated attackers to execute code on the server.
Source : NVD
## 9.8
Score
Published March 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 52.1
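The entry above names two ingredients: request keys copied straight into a placeholder table, and call_user_func() invoked on values from that table. Either alone is survivable; together, a submitted field whose name is a PHP function becomes a call. The following is an added example, not code from the Kali Forms plugin; the token syntax and function names are hypothetical. It shows placeholder expansion where request data can only ever be data: the map from token to callable is fixed in code, and unknown tokens are left as literal text.

```php
<?php
// Added example with hypothetical names; not code from the Kali Forms plugin.
//
// The vulnerable shape, reconstructed generically rather than from the plugin:
//     foreach ( $_POST as $key => $value ) { $placeholders[ $key ] = $value; }
//     ...
//     $out = call_user_func( $placeholders[ $token ] );   // callable chosen by the submitter
// The fix is structural: callables come from a table the code owns, never from the request.

function example_placeholder_handlers() {
	return array(
		'site_name'  => 'example_ph_site_name',
		'submit_ts'  => 'example_ph_submit_ts',
		'user_email' => 'example_ph_user_email',
	);
}
function example_ph_site_name() {
	return get_bloginfo( 'name' );
}
function example_ph_submit_ts() {
	return current_time( 'mysql' );
}
function example_ph_user_email() {
	$user = wp_get_current_user();
	return $user->exists() ? $user->user_email : '';
}

/**
 * Expand {field:NAME} and {fn:TOKEN} in an admin-authored email template.
 * $submitted is the raw form post (user data); only {field:...} lookups touch it,
 * and those substitute text, never a callable.
 */
function example_expand_template( $template, array $submitted ) {
	$handlers = example_placeholder_handlers();
	return preg_replace_callback(
		'/\{(field|fn):([a-z0-9_]+)\}/i',
		function ( $m ) use ( $submitted, $handlers ) {
			$kind = strtolower( $m[1] );
			$name = strtolower( $m[2] );
			if ( 'field' === $kind ) {
				return isset( $submitted[ $name ] ) ? esc_html( (string) $submitted[ $name ] ) : '';
			}
			// 'fn': the token must exist in the fixed map; the callable is the map's value, not the request's.
			if ( ! isset( $handlers[ $name ] ) || ! is_callable( $handlers[ $name ] ) ) {
				return $m[0]; // unknown token stays literal
			}
			return esc_html( (string) call_user_func( $handlers[ $name ] ) );
		},
		(string) $template
	);
}
```

The template string itself is assumed to come from plugin settings, which an administrator edits; if it could also be submitted by the form's visitor, the `{fn:...}` syntax would still be safe because the map bounds what can run, but `{field:...}` output would need escaping for the final context (HTML email versus plain text) rather than unconditionally with esc_html().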
Wiz
CVE-2026-22402 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22402 [CRITICAL] CVE-2026-22402 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22402 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7.
Source : NVD
## 7.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.3
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
triply
Sources
NVD
Wiz
CVE-2025-68054 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2025-68054 [HIGH] CVE-2025-68054 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68054 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup CountDown With Image or Video Background countdown_with_background allows Blind SQL Injection. This issue affects CountDown With Image or Video Background: from n/a through <= 1.5.
Source : NVD
## 8.5
Score
Published December 16, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
countdown_with_background
Sources
NVD
Wiz
CVE-2026-24947 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24947 [CRITICAL] CVE-2026-24947 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24947 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3.
Source : NVD
## 4.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lastudio-element-kit
Sources
NVD
Wiz
CVE-2026-25306 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25306 [CRITICAL] CVE-2026-25306 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25306 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS. This issue affects XStore Core: from n/a through <= 5.6.4.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
et-core-plugin
Sources
NVD
Wiz
CVE-2026-22466 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22466 [CRITICAL] CVE-2026-22466 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22466 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3.
Source : NVD
## 4.3
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-mapit
Sources
NVD
Wiz
CVE-2026-23545 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23545 [CRITICAL] CVE-2026-23545 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23545 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Aruba HiSpeed Cache: from n/a through <= 3.0.4.
Source : NVD
## 6.5
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aruba-hispeed-cache
Sources
NVD
Wiz
CVE-2025-68543 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-68543 [HIGH] CVE-2025-68543 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68543 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through <= 1.3.15.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
diza
Sources
NVD
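Six entries on this page (OsTende, Extensive VC Addons, Hypnotherapy, The Mounty, Triply, and Diza above) are the same CWE-98 pattern in themes and page-builder addons: a request-controlled value ends up inside include/require. The following is an added example, not code from any of those projects; the layout names, directory and function names are hypothetical. It shows the two safe shapes: a fixed allow-list when the template set is known, and a realpath-anchored check when it genuinely is dynamic.

```php
<?php
// Added example with hypothetical names; not code from any theme or addon on this page.
//
// Vulnerable shape shared by the six CWE-98 entries (reconstructed generically):
//     $layout = $_GET['layout'];                                  // or a shortcode / AJAX / option value
//     include get_template_directory() . '/layouts/' . $layout;
// "../" walks out of the theme to any readable file, and PHP executes it as code:
// a log line with injected PHP, an upload that is an image to the uploader but
// PHP to include, or anything else the attacker managed to place on disk.

/**
 * Shape 1: fixed allow-list. Request data selects a key, never a path fragment.
 */
function example_render_layout( $requested ) {
	$layouts = array(
		'grid'  => 'layouts/grid.php',
		'list'  => 'layouts/list.php',
		'cards' => 'layouts/cards.php',
	);
	$key  = sanitize_key( (string) $requested ); // lowercase [a-z0-9_-] only
	$file = isset( $layouts[ $key ] ) ? $layouts[ $key ] : $layouts['grid'];

	// locate_template() looks in the child theme, then the parent theme, and nowhere else.
	$path = locate_template( $file );
	if ( '' === $path ) {
		return false;
	}
	include $path;
	return true;
}

/**
 * Shape 2: the template set really is dynamic (user-created layouts). Constrain the
 * resolved path instead of the input: prove with realpath() that the result lives
 * under the expected directory and is a .php file. Returns the path or false.
 */
function example_resolve_dynamic_template( $name, $base_dir ) {
	$name = (string) $name;
	if ( '' === $name || false !== strpos( $name, "\0" ) ) {
		return false;
	}
	$base = realpath( $base_dir );
	$path = realpath( $base_dir . '/' . $name . '.php' ); // false for missing files and for stream wrappers
	if ( false === $base || false === $path ) {
		return false;
	}
	// Prefix check against the canonical base with a trailing separator, so "/themes/x" does
	// not match "/themes/x-evil/...", and traversal that resolved elsewhere is rejected.
	if ( 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
		return false;
	}
	if ( 'php' !== pathinfo( $path, PATHINFO_EXTENSION ) ) {
		return false;
	}
	return $path;
}
```

Shape 1 is preferable whenever the set of templates is finite, because nothing the request contains is ever concatenated into a path. Shape 2 is the fallback; its correctness rests on realpath() canonicalizing symlinks and `..` before the prefix comparison, so the comparison must be done on the realpath() output, not on the string that was built.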
Wiz
CVE-2025-14143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14143 [MEDIUM] CVE-2025-14143 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14143 :
WordPress vulnerability analysis and mitigation
The Ayo Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'color' parameter of the ayo_action shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15
Wiz
CVE-2025-68505 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68505 [HIGH] CVE-2025-68505 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68505 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in icc0rz H5P h5p allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects H5P: from n/a through <= 1.16.1.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
h5p
Sources
NVD
## CVE-2025-68594 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Opinion Stage Poll, Survey & Quiz Maker Plugin by Opinion Stage social-polls-by-opinionstage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Poll, Survey & Quiz Maker Plugin by Opinion Stage: from n/a through <= 19.12.0.
Source : NVD
## 8.1
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
social-polls-by-opinionstage
Sources
NVD
## CVE-2025-62865 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Evan Herman Post Cloner post-cloner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Cloner: from n/a through <= 1.0.0.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
post-cloner
Sources
NVD
## CVE-2026-24379 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3.
Source : NVD
## 9.1
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-job-portal
Sources
NVD
## CVE-2025-14000 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4
WordPress vulnerability analysis and mitigation
The Membership Plugin – Restrict Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'register_form' and 'restrict' shortcodes in all versions up to, and including, 3.2.15 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 23, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-14312 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.1
WordPress vulnerability analysis and mitigation
The Advance WP Query Search Filter WordPress plugin through 1.0.10 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Source : NVD
## 6.1
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
advance-wp-query-search-filter
Sources
NVD
## CVE-2025-69310 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.3
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Woodly Core woodly-core allows Blind SQL Injection. This issue affects Woodly Core: from n/a through <= 1.4.
Source : NVD
## 9.3
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woodly-core
Sources
NVD
## CVE-2026-2480 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
su_box
Source : NVD
## 6.4
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shortcodes-ultimate
Sources
NVD
## CVE-2025-62734 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in M.Code Media Library Downloader media-library-downloader allows Cross Site Request Forgery. This issue affects Media Library Downloader: from n/a through <= 1.4.0.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
media-library-downloader
Sources
NVD
## CVE-2026-27540 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in Rymera Web Co Pty Ltd. Woocommerce Wholesale Lead Capture allows Using Malicious Files. This issue affects Woocommerce Wholesale Lead Capture: from n/a through 2.0.3.1.
Source : NVD
## 9
Score
Published March 19, 2026
Severity CRITICAL
CNA Score 9.0
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-wholesale-lead-capture
Sources
NVD
## CVE-2026-27417 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection. This issue affects Sweet Date: from n/a through < 4.0.1.
Source : NVD
## 9.8
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
sweetdate
Sources
NVD
## CVE-2025-12803 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4
WordPress vulnerability analysis and mitigation
The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin 'bt_bb_tabs' shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
## CVE-2025-68554 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.9
WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Keenarch keenarch allows Using Malicious Files. This issue affects Keenarch: from n/a through < 2.0.1.
Source : NVD
## 9.9
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
keenarch
Sources
NVD
## CVE-2025-62736 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in opicron Image Cleanup image-cleanup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Cleanup: from n/a through <= 1.9.2.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
image-cleanup
Sources
NVD
## CVE-2026-24944 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Subscribe2: from n/a through <= 10.44.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
subscribe2
Sources
NVD
## CVE-2025-13094 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8
WordPress vulnerability analysis and mitigation
The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
## 8.8
Score
Published December 13, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 57.7
Exploitation Probability (EPSS) 0.4
## CVE-2026-2412 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
The Quiz and Survey Master (QSM) plugin for WordPress is vulnerable to SQL Injection via the 'merged_question' parameter in all versions up to, and including, 10.3.5. This is due to insufficient sanitization of user-supplied input before being used in a SQL query. The sanitize_text_field() function applied to the merged_question parameter does not prevent SQL metacharacters like ), OR, AND, and # from being included in the value, which is then directly concatenated into a SQL IN() clause without using $wpdb->prepare() or casting values to integers. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to
## CVE-2025-12356 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
WordPress vulnerability analysis and mitigation
The Tickera – Sell Tickets & Manage Events plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wp_ajax_change_ticket_status' AJAX endpoint in all versions up to, and including, 3.5.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update post/event statuses.
Source : NVD
## 4.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tickera-event-ti
## CVE-2025-69351 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Blind SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.4.
Source : NVD
## 6.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ninja-tables
Sources
NVD
## CVE-2026-31913 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Whitebox-Studio Scape scape allows Path Traversal. This issue affects Scape: from n/a through < 1.5.16.
Source : NVD
## 8.6
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
scape
Sources
NVD
## CVE-2026-22359 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in AA-Team Wordpress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects Wordpress Movies Bulk Importer: from n/a through <= 1.0.
Source : NVD
## 4.3
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
movies-importer
Sources
NVD
## CVE-2026-28081 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Windsor windsor allows PHP Local File Inclusion. This issue affects Windsor: from n/a through <= 2.5.0.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
windsor
Sources
NVD
## CVE-2026-4075 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
The BWL Advanced FAQ Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'baf_sbox' shortcode in all versions up to and including 1.1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'sbox_id', 'sbox_class', 'placeholder', 'highlight_color', 'highlight_bg', and 'cont_ext_class'. These attributes are directly interpolated into HTML element attributes without any esc_attr() escaping in the baf_sbox() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
## CVE-2025-13820 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
WordPress vulnerability analysis and mitigation
The Comments WordPress plugin before 7.6.40 does not properly validate user's identity when using the disqus.com provider, allowing an attacker to log in to any user (when knowing their email address) when such user does not have an account on disqus.com yet.
Source : NVD
## 5.3
Score
Published January 1, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpdiscuz
Sources
NVD
## CVE-2025-12882 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
The Clasifico Listing plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.0. This is due to the plugin allowing users who are registering new accounts to set their own role by supplying the 'listing_user_role' parameter. This makes it possible for unauthenticated attackers to gain elevated privileges by registering an account with the administrator role.
Source : NVD
## 9.8
Score
Published February 19, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.5
Exploitation Probability (EPSS) 0.1
## CVE-2025-14803 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.8
WordPress vulnerability analysis and mitigation
The NEX-Forms WordPress plugin before 9.1.8 does not sanitise and escape some of its settings, and can be configured in such a way that could allow subscribers to perform Stored Cross-Site Scripting.
Source : NVD
## 6.8
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nex-forms-express-wp-form-builder
Sources
NVD
## CVE-2025-69003 [HIGH]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0.
Source : NVD
## 7.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
qt-kentharadio
Sources
NVD
## CVE-2026-28100 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider PerpetuumMobile uberSlider_perpetuummobile allows Reflected XSS. This issue affects UberSlider PerpetuumMobile: from n/a through <= 2.3.
Source : NVD
## 7.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
uberSlider_perpetuummobile
Sources
NVD
## CVE-2025-14873 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
WordPress vulnerability analysis and mitigation
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
## CVE-2026-1075 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin's settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-24616 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Popups: from n/a through <= 2.2.0.5.
Source : NVD
## 6.5
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-popups-lite
Sources
NVD
## CVE-2026-1779 [CRITICAL]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8
WordPress vulnerability analysis and mitigation
The User Registration & Membership plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.1.2. This is due to incorrect authentication in the 'register_member' function. This makes it possible for unauthenticated attackers to log in a newly registered user on the site who has the 'urm_user_just_created' user meta set.
Source : NVD
## 8.1
Score
Published February 26, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 40.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
user-registration
## CVE-2025-69350 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.5
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Accordion accordions-wp allows Stored XSS. This issue affects Accordion: from n/a through <= 3.0.3.
Source : NVD
## 6.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
accordions-wp
Sources
NVD
## CVE-2025-13887 [MEDIUM]: Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.4
WordPress vulnerability analysis and mitigation
ai_botkit_widget
Source : NVD
## 6.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ai-botkit-for-lead-generation
Sources
NVD
## Related WordPress vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | No | Yes | |
Wiz
CVE-2025-14978 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14978 [MEDIUM] CVE-2025-14978 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14978 :
WordPress vulnerability analysis and mitigation
The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.
Source : NVD
## 5.3
Score
Published January 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-69169 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69169 [MEDIUM] CVE-2025-69169 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69169 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Noor Alam Easy Media Download easy-media-download allows Reflection Injection. This issue affects Easy Media Download: from n/a through <= 1.1.11.
Source : NVD
## 5.4
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-media-download
Sources
NVD
Wiz
CVE-2025-64209 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-64209 [HIGH] CVE-2025-64209 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64209 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in StylemixThemes Masterstudy masterstudy allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Masterstudy: from n/a through < 4.8.122.
Source : NVD
## 7.5
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
masterstudy
Sources
NVD
Wiz
CVE-2026-2468 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2468 [CRITICAL] CVE-2026-2468 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2468 :
WordPress vulnerability analysis and mitigation
get_user_access()
Source : NVD
## 7.5
Score
Published March 21, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
quentn-wp
Sources
NVD
Wiz
CVE-2026-24359 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24359 [CRITICAL] CVE-2026-24359 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24359 :
WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse. This issue affects Dokan: from n/a through <= 4.2.4.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dokan-lite
Sources
NVD
Wiz
CVE-2025-69308 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-69308 [CRITICAL] CVE-2025-69308 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69308 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Nestbyte Core nestbyte-core allows Blind SQL Injection. This issue affects Nestbyte Core: from n/a through <= 1.2.
Source : NVD
## 9.3
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nestbyte-core
Sources
NVD
Wiz
CVE-2026-22482 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22482 [CRITICAL] CVE-2026-22482 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22482 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12.
Source : NVD
## 9.1
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
imgspider
Sources
NVD
Wiz
CVE-2025-13704 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13704 [MEDIUM] CVE-2025-13704 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13704 :
WordPress vulnerability analysis and mitigation
The Autogen Headers Menu plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head_class' parameter of the 'autogen_menu' shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Wiz
CVE-2025-68892 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-68892 [MEDIUM] CVE-2025-68892 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68892 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS. This issue affects Scroll rss excerpt: from n/a through <= 5.0.
Source : NVD
## 6.1
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
scroll-rss-excerpt
Sources
NVD
Wiz
CVE-2025-68080 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68080 [MEDIUM] CVE-2025-68080 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68080 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal User Avatar - Reloaded user-avatar-reloaded allows Stored XSS. This issue affects User Avatar - Reloaded: from n/a through <= 1.2.2.
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
user-avatar-reloaded
Sources
NVD
Wiz
CVE-2026-24636 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24636 [CRITICAL] CVE-2026-24636 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24636 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.9.1.
Source : NVD
## 4.3
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sugar-calendar-lite
Sources
NVD
Wiz
CVE-2026-2918 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2918 [CRITICAL] CVE-2026-2918 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2918 :
WordPress vulnerability analysis and mitigation
Identifiers referenced in the advisory: `ha_condition_update`, `validate_reqeust()`, `current_user_can('edit_posts', $template_id)`, `current_user_can('edit_post', $template_id)`, `ha_get_current_condition`, `ha_library`, `cond_to_html()`, `esc_attr()`, `onmouseover`
Source : NVD
## 6.4
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
happy-elementor-addons
Sources
NVD
Wiz
CVE-2026-3191 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3191 [CRITICAL] CVE-2026-3191 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3191 :
WordPress vulnerability analysis and mitigation
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 5.4
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-66528 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-66528 [HIGH] CVE-2025-66528 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66528 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in VillaTheme Thank You Page Customizer for WooCommerce woo-thank-you-page-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Thank You Page Customizer for WooCommerce: from n/a through <= 1.1.8.
Source : NVD
## 8.1
Score
Published December 9, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-thank-you-page-customizer
Sources
NVD
Wiz
CVE-2025-15512 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-15512 [MEDIUM] CVE-2025-15512 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15512 :
WordPress vulnerability analysis and mitigation
pending payment
Source : NVD
## 5.3
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
aplazo-payment-gateway
Sources
NVD
Wiz
CVE-2026-28007 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28007 [CRITICAL] CVE-2026-28007 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28007 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion. This issue affects Coinpress: from n/a through <= 1.0.14.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
coinpress
Sources
NVD
Wiz
CVE-2026-28074 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28074 [CRITICAL] CVE-2026-28074 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28074 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Pizza House pizzahouse allows Object Injection. This issue affects Pizza House: from n/a through <= 1.4.0.
Source : NVD
## 9.8
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pizzahouse
Sources
NVD
Wiz
CVE-2026-0608 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-0608 [MEDIUM] CVE-2026-0608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0608 :
WordPress vulnerability analysis and mitigation
The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'head-meta-data' post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 20, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Wiz
CVE-2026-1704 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1704 [CRITICAL] CVE-2026-1704 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1704 :
WordPress vulnerability analysis and mitigation
get_item_permissions_check
ssa_manage_appointments
Source : NVD
## 4.3
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simply-schedule-appointments
Sources
NVD
Wiz
CVE-2025-68020 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68020 [MEDIUM] CVE-2025-68020 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68020 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WANotifier Notifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notifier: from n/a through <= 2.7.13.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
notifier
Sources
NVD
Wiz
CVE-2026-1854 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1854 [CRITICAL] CVE-2026-1854 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1854 :
WordPress vulnerability analysis and mitigation
The Post Flagger plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'flag' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Wiz
CVE-2026-24964 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24964 [CRITICAL] CVE-2026-24964 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24964 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Server Side Request Forgery. This issue affects Contest Gallery: from n/a through <= 28.1.2.1.
Source : NVD
## 6.4
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
contest-gallery
Sources
NVD
Wiz
CVE-2025-15511 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-15511 [MEDIUM] CVE-2025-15511 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15511 :
WordPress vulnerability analysis and mitigation
The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint.
Source : NVD
## 5.3
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
rupantorpay
Sources
NVD
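The PeachPay/ConvesioPay entry (CVE-2025-14978) above and the Rupantorpay entry (CVE-2025-15511) just here describe the same defect: a payment-gateway webhook route that changes WooCommerce order status without establishing who is calling. The block below is an added example, not code from either plugin. It shows the unauthenticated pattern the advisories describe and a hardened route whose `permission_callback` verifies an HMAC over the raw request body. The route names, the `example_gateway_webhook_secret` option, the `X-Example-Signature` header and the `example_gateway` payment-method id are hypothetical; `register_rest_route`, `wc_get_order` and `WC_Order::update_status` are the real WordPress/WooCommerce APIs.

```php
<?php
// Added example: a WooCommerce payment-webhook REST route, first as the
// unauthenticated pattern the two advisories describe, then hardened.
// Route names, the 'example_gateway_webhook_secret' option and the
// X-Example-Signature header are hypothetical, not from either plugin.

// VULNERABLE: permission_callback admits everyone, so any unauthenticated
// POST carrying an order id and a status changes that order.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/webhook', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            $order = wc_get_order( absint( $req->get_param( 'order_id' ) ) );
            if ( $order ) {
                $order->update_status( sanitize_key( $req->get_param( 'status' ) ) );
            }
            return new WP_REST_Response( array( 'ok' => true ), 200 );
        },
    ) );
} );

// HARDENED: the gateway signs the raw body with a shared secret. The
// permission_callback recomputes the HMAC and compares in constant time
// before the callback runs at all.
function example_gateway_verify_signature( WP_REST_Request $req ) {
    $secret = get_option( 'example_gateway_webhook_secret', '' );
    $given  = (string) $req->get_header( 'x-example-signature' );
    if ( '' === $secret || '' === $given ) {
        return new WP_Error( 'rest_forbidden', 'Missing webhook signature', array( 'status' => 403 ) );
    }
    $expected = hash_hmac( 'sha256', $req->get_body(), $secret );
    if ( ! hash_equals( $expected, $given ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid webhook signature', array( 'status' => 403 ) );
    }
    return true;
}

function example_gateway_handle_webhook( WP_REST_Request $req ) {
    $order = wc_get_order( absint( $req->get_param( 'order_id' ) ) );
    if ( ! $order ) {
        return new WP_Error( 'not_found', 'Unknown order', array( 'status' => 404 ) );
    }
    // A valid signature still only entitles the gateway to touch its own orders.
    if ( 'example_gateway' !== $order->get_payment_method() ) {
        return new WP_Error( 'rest_forbidden', 'Order not paid through this gateway', array( 'status' => 403 ) );
    }
    // Only the transitions a payment provider legitimately reports.
    $allowed = array( 'processing', 'completed', 'failed', 'cancelled' );
    $status  = sanitize_key( $req->get_param( 'status' ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        return new WP_Error( 'bad_status', 'Status not allowed', array( 'status' => 400 ) );
    }
    $order->update_status( $status, 'Status set by verified gateway webhook' );
    return new WP_REST_Response( array( 'ok' => true ), 200 );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-gateway/v1', '/webhook-secure', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_gateway_verify_signature',
        'callback'            => 'example_gateway_handle_webhook',
    ) );
} );
```

The check belongs in `permission_callback`, not in the callback body: WordPress evaluates it before any handler code runs, and a route registered without one logs a `_doing_it_wrong` notice, which is a cheap thing to grep for when auditing a plugin. The signature alone is not enough; binding the order to the gateway's own payment method stops a compromised secret from being used to flip orders placed through other processors.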
Wiz
CVE-2025-69187 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2025-69187 [HIGH] CVE-2025-69187 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69187 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5.
Source : NVD
## 7.3
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
final-user
Sources
NVD
Wiz
CVE-2026-4067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4067 [CRITICAL] CVE-2026-4067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4067 :
WordPress vulnerability analysis and mitigation
The Ad Short plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ad' shortcode's 'client' attribute in all versions up to and including 2.0.1. This is due to insufficient input sanitization and output escaping on the 'client' shortcode attribute. The ad_func() shortcode handler at line 71 accepts a 'client' attribute via shortcode_atts() and directly concatenates it into a double-quoted HTML attribute (data-ad-client) at line 130 without applying esc_attr() or any other sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
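The Ad Short entry above is unusually specific about the mechanism: a shortcode attribute read through `shortcode_atts()` and concatenated into a double-quoted HTML attribute with no `esc_attr()`. The same pattern is behind the other shortcode-attribute stored XSS entries on this page (Autogen Headers Menu, Post Flagger, 1180px Shortcodes). The block below is an added example written for this page, not the Ad Short plugin's code; the `example_ad` shortcode, its attribute names and the `ca-pub-` validation pattern are hypothetical stand-ins.

```php
<?php
// Added example, not code from the Ad Short plugin. It reproduces the
// mechanism CVE-2026-4067 describes (a shortcode attribute concatenated
// into a double-quoted HTML attribute with no esc_attr()) and the fix.
// Shortcode and attribute names are hypothetical stand-ins.

// VULNERABLE: [example_ad client="..."] flows straight into the attribute.
// A Contributor can save a post containing
//   [example_ad client='x" onmouseover="alert(document.domain)']
// (shortcode attributes may be single-quoted, so the double quote survives)
// and the handler runs for whoever views or previews the page.
function example_ad_shortcode_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'client' => '', 'slot' => '' ), $atts, 'example_ad' );
    return '<ins class="example-ad" data-ad-client="' . $atts['client']
        . '" data-ad-slot="' . $atts['slot'] . '"></ins>';
}

// HARDENED: validate the attribute against the shape a real value has, then
// escape at the point of output. esc_attr() alone closes the XSS; the
// allow-list keeps junk out of the markup entirely.
function example_ad_shortcode_secure( $atts ) {
    $atts = shortcode_atts( array( 'client' => '', 'slot' => '' ), $atts, 'example_ad' );

    // Hypothetical publisher-id format: "ca-pub-" followed by digits only.
    $client = preg_match( '/^ca-pub-\d{6,20}$/', $atts['client'] ) ? $atts['client'] : '';
    $slot   = preg_replace( '/\D/', '', (string) $atts['slot'] );
    if ( '' === $client || '' === $slot ) {
        return '';
    }
    return sprintf(
        '<ins class="example-ad" data-ad-client="%s" data-ad-slot="%s"></ins>',
        esc_attr( $client ),
        esc_attr( $slot )
    );
}
add_shortcode( 'example_ad', 'example_ad_shortcode_secure' );
```

Why Contributor-level access is enough: users without `unfiltered_html` have their post content run through KSES, but a shortcode is plain text to KSES and survives intact. It is expanded at render time by the plugin's handler, which is what turns the attribute into markup, so the handler is the only place the escaping can happen.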
Wiz
CVE-2025-60058 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-60058 [HIGH] CVE-2025-60058 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60058 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes DetailX detailx allows PHP Local File Inclusion. This issue affects DetailX: from n/a through <= 1.10.0.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
detailx
Sources
NVD
Wiz
CVE-2026-25357 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25357 [CRITICAL] CVE-2026-25357 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25357 :
WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse. This issue affects Ultimate Membership Pro: from n/a through <= 13.7.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
indeed-membership-pro
Sources
NVD
Wiz
CVE-2026-2991 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2991 [CRITICAL] CVE-2026-2991 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2991 :
WordPress vulnerability analysis and mitigation
patientSocialLogin()
Source : NVD
## 9.8
Score
Published March 18, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 41
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
kivicare-clinic-management-system
Sources
NVD
Wiz
CVE-2025-52768 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-52768 [HIGH] CVE-2025-52768 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-52768 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Faith & Hope faith-hope allows PHP Local File Inclusion. This issue affects Faith & Hope: from n/a through <= 2.13.0.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
faith-hope
Sources
NVD
Wiz
CVE-2025-14114 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14114 [MEDIUM] CVE-2025-14114 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14114 :
WordPress vulnerability analysis and mitigation
The 1180px Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' shortcode attribute in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-62083 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62083 [CRITICAL] CVE-2025-62083 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62083 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WP Messiah BoomDevs WordPress Coming Soon coming-soon-by-boomdevs allows Retrieve Embedded Sensitive Data. This issue affects BoomDevs WordPress Coming Soon: from n/a through <= 1.0.4.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
coming-soon-by-boomdevs
Sources
NVD
Wiz
CVE-2025-67569 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67569 [MEDIUM] CVE-2025-67569 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67569 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in scriptsbundle AdForest adforest allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AdForest: from n/a through <= 6.0.11.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
adforest
Sources
NVD
Wiz
CVE-2025-13603 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-13603 [HIGH] CVE-2025-13603 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13603 :
WordPress vulnerability analysis and mitigation
The WP AUDIO GALLERY plugin for WordPress is vulnerable to Unauthorized Arbitrary File Read in all versions up to, and including, 2.0. This is due to insufficient capability checks and lack of nonce verification on the "wpag_htaccess_callback" function. This makes it possible for authenticated attackers, with subscriber-level access and above, to overwrite the site's .htaccess file with arbitrary content, which can lead to arbitrary file read on the server under certain configurations.
Source : NVD
## 8.8
Score
Published February 19, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
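The Minify HTML entry (CVE-2026-3191) earlier on this page and the WP AUDIO GALLERY entry (CVE-2025-13603) here are two faces of the same omission: an admin-side action handler that neither verifies a nonce (so a forged cross-site request is honoured) nor checks a capability (so a subscriber can call it directly). The block below is an added example, not code from either plugin; the `example_save` action, the `example_plugin_options` option, the nonce names and the AJAX action are hypothetical, while `check_admin_referer`, `check_ajax_referer`, `current_user_can` and `insert_with_markers` are real WordPress APIs.

```php
<?php
// Added example, not code from either plugin. Shows the two checks whose
// absence the Minify HTML (CVE-2026-3191) and WP AUDIO GALLERY
// (CVE-2025-13603) entries describe: a nonce (did this user intend this
// request) and a capability test (may this user do this at all). Option,
// action and nonce names are hypothetical.

// VULNERABLE: every POST to admin-post.php?action=example_save is honoured.
// An administrator who follows an attacker's link submits the forged form
// (CSRF); any logged-in user can also POST to it directly.
add_action( 'admin_post_example_save', function () {
    update_option( 'example_plugin_options', wp_unslash( $_POST['options'] ?? array() ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
} );

// HARDENED, part 1: the form carries a nonce bound to a named action.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'example_save_options', 'example_nonce' ); ?>
        <input type="hidden" name="action" value="example_save_secure">
        <input type="text" name="options[minify_level]">
        <?php submit_button(); ?>
    </form>
    <?php
}

// HARDENED, part 2: verify capability and nonce before touching any state.
function example_save_options_secure() {
    // Capability first: a valid nonce proves intent, not authority.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.' ), '', array( 'response' => 403 ) );
    }
    // Dies with a 403 page if the nonce is missing, expired, or was issued
    // for a different action or a different user session.
    check_admin_referer( 'example_save_options', 'example_nonce' );

    $raw   = isset( $_POST['options'] ) && is_array( $_POST['options'] ) ? wp_unslash( $_POST['options'] ) : array();
    $level = $raw['minify_level'] ?? '';
    $clean = array(
        // Allow-list the stored value rather than persisting arbitrary input.
        'minify_level' => in_array( $level, array( 'off', 'safe', 'aggressive' ), true ) ? $level : 'safe',
    );
    update_option( 'example_plugin_options', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
add_action( 'admin_post_example_save_secure', 'example_save_options_secure' );

// The same two checks for an AJAX action that rewrites .htaccess. The rules
// are fixed in code; the request only triggers the write, never supplies it.
add_action( 'wp_ajax_example_write_htaccess', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_write_htaccess', 'nonce' );
    $rules = array(
        '<FilesMatch "\.(mp3|ogg)$">',
        'Header set X-Content-Type-Options nosniff',
        '</FilesMatch>',
    );
    insert_with_markers( ABSPATH . '.htaccess', 'Example Plugin', $rules );
    wp_send_json_success();
} );
```

Registering an action under `wp_ajax_` alone only proves the caller is logged in, which on a site with open registration is any subscriber; that is exactly the gap the WP AUDIO GALLERY description points at. Accepting the .htaccess body from the request is a separate mistake from the missing checks, which is why the hardened handler writes only rules it owns.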
Wiz
CVE-2025-62143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62143 [CRITICAL] CVE-2025-62143 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62143 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Retrieve Embedded Sensitive Data. This issue affects Post Video Players: from n/a through <= 1.163.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
video-playlist-and-gallery-plugin
Sources
NVD
## CVE-2025-12684 [HIGH] (Wiz, CVSS 7.1)
WordPress vulnerability analysis and mitigation
The URL Shortify WordPress plugin before 1.11.3 does not sanitize and escape a parameter before outputting it back in the page, leading to a reflected cross site scripting, which could be used against high-privilege users such as admins.
Source : NVD
Score 7.1
Published December 15, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
url-shortify
Sources
NVD
## CVE-2026-27354 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows Stored XSS. This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.
Source : NVD
Score 6.5
Published March 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-coming-soon-product
Sources
NVD
## CVE-2026-28068 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Rhythmo rhythmo allows PHP Local File Inclusion. This issue affects Rhythmo: from n/a through <= 1.3.4.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
rhythmo
Sources
NVD
## CVE-2026-2363 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The WP-Members Membership Plugin plugin for WordPress is vulnerable to SQL Injection via the 'order_by' attribute of the [wpmem_user_membership_posts] shortcode in all versions up to, and including, 3.5.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score 6.5
Published March 4, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
## CVE-2026-24589 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8.
Source : NVD
Score 5.3
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cargus
Sources
NVD
## CVE-2025-13841 [MEDIUM] (Wiz, CVSS 6.4)
WordPress vulnerability analysis and mitigation
The Smart App Banners plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'size' and 'verticalalign' parameters of the 'app-store-download' shortcode in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-63036 [HIGH] (Wiz, CVSS 7.5)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in DFDevelopment Ronneby Theme Core ronneby-core allows PHP Local File Inclusion. This issue affects Ronneby Theme Core: from n/a through <= 1.5.68.
Source : NVD
Score 7.5
Published December 9, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ronneby-core
Sources
NVD
## CVE-2025-15507 [MEDIUM] (Wiz, CVSS 5.3)
WordPress vulnerability analysis and mitigation
The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin's license status and credit balance.
Source : NVD
Score 5.3
Published February 4, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
magic-import-document-extractor
Sources
NVD
## CVE-2025-62880 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Kunal Custom 404 Pro custom-404-pro allows Cross Site Request Forgery. This issue affects Custom 404 Pro: from n/a through <= 3.12.0.
Source : NVD
Published December 22, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
custom-404-pro
Sources
NVD
## CVE-2025-49340 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Digages Direct Payments WP direct-payments-wp allows Retrieve Embedded Sensitive Data. This issue affects Direct Payments WP: from n/a through <= 1.3.2.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
direct-payments-wp
Sources
NVD
## CVE-2026-3567 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_optio
## CVE-2025-14477 [MEDIUM] (Wiz, CVSS 4.9)
WordPress vulnerability analysis and mitigation
Source : NVD
Score 4.9
Published December 13, 2025
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
404-solution
Sources
NVD
## CVE-2025-62129 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Magnigenie RestroPress restropress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RestroPress: from n/a through <= 3.2.7.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
restropress
Sources
NVD
## CVE-2026-1055 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The TalkJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.1.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published February 19, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-2512 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Source : NVD
Score 6.4
Published March 18, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-embed-code
Sources
NVD
## CVE-2025-22725 [MEDIUM] (Wiz, CVSS 5.4)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS. This issue affects WP Virtual Assistant: from n/a through <= 3.1.
Source : NVD
Score 5.4
Published January 8, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
VirtualAssistant
Sources
NVD
## CVE-2026-1902 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published March 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
## CVE-2026-25019 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through <= 4.3.1.
Source : NVD
Score 5.3
Published February 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
atarim-visual-collaboration
Sources
NVD
## CVE-2026-1103 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the 'verify_user_logged_in' as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator's 'aiktpz_token' access token, which can then be used to create posts, upload media library files, and access private content as the administrator.
Source : NVD
Score 5.4
Published January 24, 2026
Severity MEDIUM
## CVE-2026-2351 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Source : NVD
Score 6.5
Published March 21, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
task-manager
Sources
NVD
## CVE-2025-14437 [HIGH] (Wiz, CVSS 7.5)
WordPress vulnerability analysis and mitigation
The Hummingbird Performance plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.18.0 via the 'request' function. This makes it possible for unauthenticated attackers to extract sensitive data including Cloudflare API credentials.
Source : NVD
Score 7.5
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 97.3
Exploitation Probability (EPSS) 39.5
Affected packages and libraries
hummingbird-performance
Sources
NVD
## CVE-2025-67591 [MEDIUM] (Wiz, CVSS 4.3)
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in jegtheme JNews Paywall jnews-paywall allows Cross Site Request Forgery. This issue affects JNews Paywall: from n/a through < 12.0.1.
Source : NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jnews-paywall
Sources
NVD
## CVE-2025-12957 [HIGH] (Wiz, CVSS 8.8)
WordPress vulnerability analysis and mitigation
The All-in-One Video Gallery plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 4.5.7. This is due to insufficient file type validation detecting VTT files, allowing double extension files to bypass sanitization while being accepted as a valid VTT file. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
Score 8.8
Published January 16, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-58894 [HIGH] (Wiz, CVSS 8.2)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion. This issue affects Good Mood: from n/a through <= 1.16.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
good-mood
Sources
NVD
## CVE-2026-22416 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes FixTeam fixteam allows PHP Local File Inclusion. This issue affects FixTeam: from n/a through <= 1.5.0.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
fixteam
Sources
NVD
## CVE-2025-66122 [MEDIUM] (Wiz, CVSS 5.4)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Design Stylish Price List stylish-price-list allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Stylish Price List: from n/a through <= 7.2.2.
Source : NVD
Score 5.4
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
stylish-price-list
Sources
NVD
## CVE-2026-0735 [MEDIUM] (Wiz, CVSS 4.4)
WordPress vulnerability analysis and mitigation
The User Language Switch plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'tab_color_picker_language_switch' parameter in all versions up to, and including, 1.6.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published February 14, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
## CVE-2025-62131 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite tasty-recipes-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tasty Recipes Lite: from n/a through <= 1.1.5.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tasty-recipes-lite
Sources
NVD
## CVE-2025-13846 [MEDIUM] (Wiz, CVSS 6.4)
WordPress vulnerability analysis and mitigation
The Easy Map Creator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'width' parameter in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
## CVE-2025-14121 [MEDIUM] (Wiz, CVSS 6.4)
WordPress vulnerability analysis and mitigation
The EDD Download Info plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'edd_download_info_link' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
## CVE-2025-13853 [MEDIUM] (Wiz, CVSS 6.4)
WordPress vulnerability analysis and mitigation
The Nearby Now Reviews plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'data_tech' parameter of the nn-tech shortcode in all versions up to, and including, 5.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
## CVE-2026-2386 [CRITICAL] (Wiz, CVSS 9.8)
WordPress vulnerability analysis and mitigation
The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 6.4.7. This is due to the tpae_create_page() AJAX handler authorizing users only with current_user_can('edit_posts') while accepting a user-controlled 'post_type' value passed directly to wp_insert_post() without post-type-specific capability checks. This makes it possible for authenticated attackers, with Author-level access and above, to create arbitrary draft posts for restricted post types (e.g., 'page' and 'nxt_builder') via the 'post_type' parameter.
Source : NVD
Score 4.3
Published February 18, 2026
## CVE-2025-68875 [MEDIUM] (Wiz, CVSS 5.4)
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jcaruso001 Flaming Password Reset flaming-password-reset allows Stored XSS. This issue affects Flaming Password Reset: from n/a through <= 1.0.3.
Source : NVD
Score 5.4
Published January 8, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
flaming-password-reset
Sources
NVD
## CVE-2025-64632: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-64632 Impact, Exploitability, and Mitigation Steps" · CVSS 5.3 · MEDIUM
Missing Authorization vulnerability in Auctollo Google XML Sitemaps google-sitemap-generator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Google XML Sitemaps: from n/a through <= 4.1.22.
Source : NVD
## 5.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
google-sitemap-generator
Sources
NVD
## CVE-2025-68908: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-68908 Impact, Exploitability, and Mitigation Steps" · CVSS 8.1 · HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in temash Barberry barberry allows PHP Local File Inclusion. This issue affects Barberry: from n/a through <= 2.9.9.87.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
barberry
Sources
NVD
## CVE-2026-22505: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-22505 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
Deserialization of Untrusted Data vulnerability in AncoraThemes Morning Records morning-records allows Object Injection. This issue affects Morning Records: from n/a through <= 1.2.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
morning-records
Sources
NVD
## CVE-2025-53434: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-53434 Impact, Exploitability, and Mitigation Steps" · CVSS 8.1 · HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ChildHope childhope allows PHP Local File Inclusion. This issue affects ChildHope: from n/a through <= 1.1.8.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
childhope
Sources
NVD
## CVE-2025-67534: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-67534 Impact, Exploitability, and Mitigation Steps" · CVSS 7.1 · HIGH
Cross-Site Request Forgery (CSRF) vulnerability in Jacques Malgrange Rencontre rencontre allows Stored XSS. This issue affects Rencontre: from n/a through <= 3.13.7.
Source : NVD
## 7.1
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rencontre
Sources
NVD
## CVE-2025-68077: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-68077 Impact, Exploitability, and Mitigation Steps" · CVSS 6.5 · MEDIUM
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Select-Themes Stockholm stockholm allows Stored XSS. This issue affects Stockholm: from n/a through <= 9.14.1.
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
stockholm
Sources
NVD
## CVE-2025-60060: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-60060 Impact, Exploitability, and Mitigation Steps" · CVSS 8.1 · HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pubzinne pubzinne allows PHP Local File Inclusion. This issue affects Pubzinne: from n/a through <= 1.0.12.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
pubzinne
Sources
NVD
## CVE-2026-27088: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-27088 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Darna Framework darna-framework allows Reflected XSS. This issue affects Darna Framework: from n/a through <= 2.9.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
darna-framework
Sources
NVD
## CVE-2025-68056: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-68056 Impact, Exploitability, and Mitigation Steps" · CVSS 8.5 · HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows SQL Injection. This issue affects LBG Zoominoutslider: from n/a through <= 5.4.4.
Source : NVD
## 8.5
Score
Published December 16, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lbg_zoominoutslider
Sources
NVD
## CVE-2026-27381: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-27381 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
aora
Sources
NVD
## CVE-2025-66166: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-66166 Impact, Exploitability, and Mitigation Steps" · CVSS 5.4 · MEDIUM
Missing Authorization vulnerability in merkulove Lottier for Elementor lottier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lottier for Elementor: from n/a through <= 1.0.9.
Source : NVD
## 5.4
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lottier-elementor
Sources
NVD
## CVE-2026-2371: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-2371 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
gspb_el_reusable_load()
post_id
wp_block
current_user_can('read_post', $post_id)
[wp_reusable_render]
ajax="1"
Source : NVD
## 5.3
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
greenshift-animation-and-page-builder-blocks
Sources
NVD
## CVE-2026-2301: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-2301 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
duplicate_post()
includes/api.php
$wpdb->insert()
wp_postmeta
add_post_meta()
is_protected_meta()
_
_wp_page_template
_wp_attached_file
customMetaData
/wp-json/post-duplicator/v1/duplicate-post
Source : NVD
## 4.3
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
post-duplicator
Sources
NVD
## CVE-2025-62995: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-62995 Impact, Exploitability, and Mitigation Steps" · CVSS 4.3 · MEDIUM
Missing Authorization vulnerability in multiparcels MultiParcels Shipping For WooCommerce multiparcels-shipping-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MultiParcels Shipping For WooCommerce: from n/a through <= 1.30.12.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
multiparcels-shipping-for-woocommerce
Sources
NVD
## CVE-2025-69315: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-69315 Impact, Exploitability, and Mitigation Steps" · CVSS 6.5 · MEDIUM
Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simply-schedule-appointments
Sources
NVD
## CVE-2025-67958: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-67958 Impact, Exploitability, and Mitigation Steps" · CVSS 6.5 · MEDIUM
Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
simple-sales-tax
Sources
NVD
## CVE-2025-69005: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-69005 Impact, Exploitability, and Mitigation Steps" · CVSS 8.1 · HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
search-and-go
Sources
NVD
## CVE-2025-58895: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-58895 Impact, Exploitability, and Mitigation Steps" · CVSS 8.2 · HIGH
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Integro integro allows PHP Local File Inclusion. This issue affects Integro: from n/a through <= 1.8.0.
Source : NVD
## 8.2
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
integro
Sources
NVD
## CVE-2025-13854: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-13854 Impact, Exploitability, and Mitigation Steps" · CVSS 6.4 · MEDIUM
The Curved Text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'radius' parameter of the arctext shortcode in all versions up to, and including, 0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
## CVE-2026-4143: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-4143 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
The Neos Connector for Fakturama plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.0.14. This is due to missing nonce validation in the ncff_add_plugin_page() function which handles settings updates. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, granted they can trick a site administrator into performing an action such as clicking a link.
Source : NVD
## 4.3
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
## CVE-2025-13374: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-13374 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
## 9.8
Score
Published January 24, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kalrav-ai-agent
Sources
NVD
## CVE-2025-15486: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-15486 Impact, Exploitability, and Mitigation Steps" · CVSS 4.4 · MEDIUM
The Kunze Law plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin's shortcode in all versions up to, and including, 2.1 due to the plugin fetching HTML content from a remote server and injecting it into pages without any sanitization or escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Additional presence of a path traversal vulnerability in the shortcode name allows writing malicious HTML files to arbitrary writable locations on the server.
## CVE-2026-2389: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-2389 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
revert_divs_to_summary
Source : NVD
## 4.9
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
complianz-gdpr
Sources
NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-form | | | |
## CVE-2025-69099: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-69099 Impact, Exploitability, and Mitigation Steps" · CVSS 8.8 · HIGH
Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection. This issue affects North: from n/a through <= 5.7.5.
Source : NVD
## 8.8
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
north-wp
Sources
NVD
## CVE-2025-12448: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-12448 Impact, Exploitability, and Mitigation Steps" · CVSS 6.4 · MEDIUM
The Smartsupp – live chat, AI shopping assistant and chatbots plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'code' parameter in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.3
## CVE-2025-68579: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-68579 Impact, Exploitability, and Mitigation Steps" · CVSS 8.1 · HIGH
Missing Authorization vulnerability in FolioVision FV Simpler SEO fv-all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FV Simpler SEO: from n/a through <= 1.9.6.
Source : NVD
## 8.1
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fv-all-in-one-seo-pack
Sources
NVD
## CVE-2026-0745: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-0745 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
The User Language Switch plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.6.10 due to missing URL validation on the 'download_language()' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Source : NVD
## 7.2
Score
Published February 14, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
## CVE-2026-32461: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-32461 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
Missing Authorization vulnerability in Really Simple Plugins Really Simple SSL really-simple-ssl allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Really Simple SSL: from n/a through <= 9.5.7.
Source : NVD
## 5.3
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
really-simple-ssl
Sources
NVD
## CVE-2025-14076: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-14076 Impact, Exploitability, and Mitigation Steps" · CVSS 6.1 · MEDIUM
The iXML – Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.5
## CVE-2026-3617: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-3617 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
The Paypal Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'amount' and 'name' shortcode attributes in all versions up to, and including, 0.3. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. The swer_paypal_shortcode() function extracts shortcode attributes using extract() and shortcode_atts() at line 89, then directly concatenates the $name and $amount values into HTML input element value attributes at lines 105-106 without applying esc_attr() or any other escaping function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute when
## CVE-2025-12980: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-12980 Impact, Exploitability, and Mitigation Steps" · CVSS 7.5 · HIGH
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the '/ultp/v2/get_dynamic_content/' REST API endpoint in all versions up to, and including, 5.0.3. This makes it possible for unauthenticated attackers to retrieve sensitive user metadata, including password hashes.
Source : NVD
## 7.5
Score
Published December 21, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30
Exploitation Probability (EPSS) 0.1
## CVE-2026-22398: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-22398 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fleur: from n/a through <= 2.0.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fluer
Sources
NVD
## CVE-2025-14314: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2025-14314 Impact, Exploitability, and Mitigation Steps" · CVSS 8.5 · HIGH
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roxnor PopupKit popup-builder-block allows Blind SQL Injection. This issue affects PopupKit: from n/a through <= 2.1.5.
Source : NVD
## 8.5
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
popup-builder-block
Sources
NVD
## CVE-2026-1455: WordPress vulnerability analysis and mitigation
Wiz (blogs_wiz): "CVE-2026-1455 Impact, Exploitability, and Mitigation Steps" · CVSS 9.8 · CRITICAL
The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated attackers to modify plugin configuration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
## CVE-2026-28045 : WordPress vulnerability analysis and mitigation
CVE-2026-28045 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events n7-golf-club allows PHP Local File Inclusion. This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries n7-golf-club
Sources NVD
## CVE-2025-12002 : WordPress vulnerability analysis and mitigation
CVE-2025-12002 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.9)
The Feeds for YouTube Pro plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 2.6.0 via the 'sby_check_wp_submit' AJAX action. This is due to insufficient sanitization of user-supplied data and the use of that data in a file operation. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information, granted the 'Save Featured Images' setting is enabled and 'Disable WP Posts' is disabled. Note: This vulnerability only affects the Pro version of Feeds for YouTube.
Source : NVD
Score 5.9
Published January 17, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies WordPress
## CVE-2025-68061 : WordPress vulnerability analysis and mitigation
CVE-2025-68061 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.5)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion. This issue affects EduMall: from n/a through <= 4.4.7.
Source : NVD
Score 7.5
Published December 16, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries edumall
Sources NVD
## CVE-2025-14448 : WordPress vulnerability analysis and mitigation
CVE-2025-14448 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.4)
The WP-Members Membership Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Multiple Checkbox and Multiple Select user profile fields in all versions up to, and including, 3.5.4.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 5.4
Published January 15, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
## CVE-2025-68902 : WordPress vulnerability analysis and mitigation
CVE-2025-68902 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.3)
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0.
Source : NVD
Score 7.3
Published January 22, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries anona
Sources NVD
## CVE-2025-12934 : WordPress vulnerability analysis and mitigation
CVE-2025-12934 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.1)
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'duplicate_wpml_layout' function in all versions up to, and including, 2.9.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary posts with the content of other existing posts, potentially exposing private and password-protected content and deleting any content that is not saved in revisions or backups. Posts must have been created with Beaver Builder to be copied or updated.
Source : NVD
Score 8.1
Published December 23, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
## CVE-2025-67984 : WordPress vulnerability analysis and mitigation
CVE-2025-67984 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in calliko NPS computy nps-computy allows DOM-Based XSS. This issue affects NPS computy: from n/a through <= 2.8.2.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries nps-computy
Sources NVD
## CVE-2025-53233 : WordPress vulnerability analysis and mitigation
CVE-2025-53233 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.1)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS. This issue affects Storyform: from n/a through <= 0.6.14.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries storyform
Sources NVD
## CVE-2026-1866 : WordPress vulnerability analysis and mitigation
CVE-2026-1866 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
html_entity_decode()
wp_kses()
html_entity_decode()
Source : NVD
Score 7.2
Published February 10, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 39.3
Exploitation Probability (EPSS) 0.2
Affected packages and libraries name-directory
Sources NVD
## CVE-2025-47600 : WordPress vulnerability analysis and mitigation
CVE-2025-47600 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7.
Source : NVD
Score 6.1
Published January 22, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries woodmart
Sources NVD
## CVE-2026-2949 : WordPress vulnerability analysis and mitigation
CVE-2026-2949 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Icon Box widget in versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published April 4, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
Exploitation Probability (EPSS)
## CVE-2025-62121 : WordPress vulnerability analysis and mitigation
CVE-2025-62121 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu Logo Slider , Logo Carousel , Logo showcase , Client Logo tc-logo-slider allows Stored XSS. This issue affects Logo Slider , Logo Carousel , Logo showcase , Client Logo: from n/a through <= 1.8.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries tc-logo-slider
Sources NVD
## CVE-2026-24627 : WordPress vulnerability analysis and mitigation
CVE-2026-24627 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusona for WordPress: from n/a through <= 2.0.0.
Source : NVD
Score 4.3
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries trusona
Sources NVD
## CVE-2026-2294 : WordPress vulnerability analysis and mitigation
CVE-2026-2294 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings.
Source : NVD
Score 4.3
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
## CVE-2025-69371 : WordPress vulnerability analysis and mitigation
CVE-2025-69371 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection. This issue affects KindlyCare: from n/a through <= 1.6.1.
Source : NVD
Score 9.8
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries kindlycare
Sources NVD
## CVE-2026-1780 : WordPress vulnerability analysis and mitigation
CVE-2026-1780 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The [CR]Paid Link Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL path in all versions up to, and including, 0.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
Score 6.1
Published March 18, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.7
Exploitation Probability (EPSS) 0.1
## CVE-2026-2282 : WordPress vulnerability analysis and mitigation
CVE-2026-2282 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The Slidorion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published February 19, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-22434 : WordPress vulnerability analysis and mitigation
CVE-2026-22434 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Crown Art crown-art allows PHP Local File Inclusion. This issue affects Crown Art: from n/a through <= 1.2.11.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries crown-art
Sources NVD
## CVE-2026-22513 : WordPress vulnerability analysis and mitigation
CVE-2026-22513 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Triompher triompher allows PHP Local File Inclusion. This issue affects Triompher: from n/a through <= 1.1.0.
Source : NVD
Score 8.1
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries triompher
Sources NVD
## CVE-2025-14160 : WordPress vulnerability analysis and mitigation
CVE-2025-14160 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 4.3)
The Upcoming for Calendly plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.4. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Calendly API key via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published December 12, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS)
## CVE-2026-32507 : WordPress vulnerability analysis and mitigation
CVE-2026-32507 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Deserialization of Untrusted Data vulnerability in Elated-Themes Leroux leroux allows Object Injection. This issue affects Leroux: from n/a through < 1.4.
Source : NVD
Score 5.4
Published March 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries leroux
Sources NVD
## CVE-2025-13126 : WordPress vulnerability analysis and mitigation
CVE-2025-13126 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 7.5)
post_args
topic_args
Source : NVD
Score 7.5
Published December 14, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries wpforo
Sources NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | N | | |
## CVE-2026-24548 : WordPress vulnerability analysis and mitigation
CVE-2026-24548 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Server-Side Request Forgery (SSRF) vulnerability in princeahmed Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.91.
Source : NVD
Score 5.3
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries radio-player
Sources NVD
## CVE-2026-32491 : WordPress vulnerability analysis and mitigation
CVE-2026-32491 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP Review Slider wp-facebook-reviews allows Stored XSS. This issue affects WP Review Slider: from n/a through <= 13.9.
Source : NVD
Score 6.5
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries wp-facebook-reviews
Sources NVD
## CVE-2025-49345 : WordPress vulnerability analysis and mitigation
CVE-2025-49345 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Cross-Site Request Forgery (CSRF) vulnerability in mg12 WP-EasyArchives wp-easyarchives allows Stored XSS. This issue affects WP-EasyArchives: from n/a through <= 3.1.2.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries wp-easyarchives
Sources NVD
## CVE-2025-64631 : WordPress vulnerability analysis and mitigation
CVE-2025-64631 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 5.0)
Missing Authorization vulnerability in WC Lovers WCFM Marketplace wc-multivendor-marketplace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM Marketplace: from n/a through <= 3.7.1.
Source : NVD
Score 5
Published December 16, 2025
Severity MEDIUM
CNA Score 5.0
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries wc-multivendor-marketplace
Sources NVD
## CVE-2026-24949 : WordPress vulnerability analysis and mitigation
CVE-2026-24949 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS. This issue affects PhotoMe: from n/a through <= 5.7.1.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries photome
Sources NVD
## CVE-2026-24990 : WordPress vulnerability analysis and mitigation
CVE-2026-24990 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8.
Source : NVD
Score 5.4
Published February 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14
Exploitation Probability (EPSS) N/A
Affected packages and libraries wp-docs
Sources NVD
## CVE-2025-13612 : WordPress vulnerability analysis and mitigation
CVE-2025-13612 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.4)
aigpl-gallery-album
Source : NVD
Score 6.4
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries album-and-image-gallery-plus-lightbox
Sources NVD
## CVE-2025-68601 : WordPress vulnerability analysis and mitigation
CVE-2025-68601 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 8.8)
Cross-Site Request Forgery (CSRF) vulnerability in Rustaurius Five Star Restaurant Reservations restaurant-reservations allows Cross Site Request Forgery. This issue affects Five Star Restaurant Reservations: from n/a through <= 2.7.8.
Source : NVD
Score 8.8
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries restaurant-reservations
Sources NVD
## CVE-2026-1228 : WordPress vulnerability analysis and mitigation
CVE-2026-1228 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the 'timeline_block' shortcode.
Source : NVD
Score 4.3
Published February 6, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-13153 : WordPress vulnerability analysis and mitigation
CVE-2025-13153 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 6.1)
The Logo Slider WordPress plugin before 4.9.0 does not validate and escape some of its slider options before outputting them back in the dashboard, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Source : NVD
Score 6.1
Published January 2, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries logo-slider-wp
Sources NVD
## CVE-2026-22424 : WordPress vulnerability analysis and mitigation
CVE-2026-22424 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz · CVSS 9.8)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Shaha shaha allows PHP Local File Inclusion. This issue affects Shaha: from n/a through <= 1.1.2.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries shaha
Sources NVD
Wiz
CVE-2026-27341 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27341 [CRITICAL] CVE-2026-27341 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27341 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through <= 1.2.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | March 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 37.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | topscorer |
| Sources | NVD |
## CVE-2026-1086 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-1086 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
The Font Pairing Preview For Landing Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to modify the plugin's font pairing settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.3 |
| Published | March 7, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 1.9 |
Exploitation Pro
## CVE-2026-32504 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-32504 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CreativeWS VintWood vintwood allows PHP Local File Inclusion. This issue affects VintWood: from n/a through <= 1.1.8.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | March 25, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 35.7 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | vintwood |
| Sources | NVD |
## CVE-2025-15516 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-15516 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 4.3, MEDIUM)
The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.3 |
| Published | January 24, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 11.8 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | all-in-one-vi |
## CVE-2025-9488 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-9488 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 6.4, MEDIUM)
The Redux Framework plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data’ parameter in all versions up to, and including, 4.5.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.4 |
| Published | December 13, 2025 |
| Severity | MEDIUM |
| CNA Score | 6.4 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.9 |
| Exploitation Probability (EPSS) | N/A |
Affected p
## CVE-2026-27336 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-27336 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme consultor allows PHP Local File Inclusion. This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through <= 1.2.4.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | March 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 37.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | consultor |
| Sources | NVD |
## CVE-2026-24562 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-24562 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through <= 3.1.26.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.3 |
| Published | January 23, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2.3 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | ryviu |
| Sources | NVD |
## CVE-2026-25032 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-25032 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Deserialization of Untrusted Data vulnerability in park_of_ideas Ricky ricky allows Object Injection. This issue affects Ricky: from n/a through < 2.31.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | March 25, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 16.9 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | ricky |
| Sources | NVD |
## CVE-2025-13407 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-13407 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 6.8, MEDIUM)
The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.8 |
| Published | December 24, 2025 |
| Severity | MEDIUM |
| CNA Score | 6.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 30.2 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | gravityforms |
| Sources | NVD |
## CVE-2025-69096 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-69096 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 7.1, HIGH)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Zorka zorka allows Reflected XSS. This issue affects Zorka: from n/a through <= 1.5.7.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.1 |
| Published | March 25, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 10.6 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | zorka |
| Sources | NVD |
## CVE-2026-4120 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-4120 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
The Info Cards – Add Text and Media in Card Layouts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'btnUrl' parameter within the Info Cards block in all versions up to, and including, 2.0.7. This is due to insufficient input validation on URL schemes, specifically the lack of javascript: protocol filtering. The block's render.php passes all attributes as JSON to the frontend via a data-attributes HTML attribute using esc_attr(wp_json_encode()), which prevents HTML attribute injection but does not validate URL protocols within the JSON data. The client-side view.js then renders the btnUrl value directly as an href attribute on anchor elements without any protocol sanitization. This makes it possi
## CVE-2025-13641 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-13641 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 8.8, HIGH)
The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. This is due to insufficient path validation that allows absolute paths to be provided. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary PHP files on the server, bypassing web server restrictions like .htaccess. Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
Publish
## CVE-2026-28117 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-28117 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes smart SEO smartSEO allows PHP Local File Inclusion. This issue affects smart SEO: from n/a through <= 2.9.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | March 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 37.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | smartseo |
| Sources | NVD |
## CVE-2026-4268 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-4268 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpgmza_custom_js’ parameter in all versions up to, and including, 10.0.05 due to insufficient input sanitization and output escaping and missing capability check in the 'admin_post_wpgmza_save_settings' hook anonymous function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.4 |
| Published | March 18, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.4 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
CISA KEV Release Date
## CVE-2025-69401 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-69401 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 7.5, HIGH)
Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing. This issue affects WooODT Lite: from n/a through <= 2.5.2.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | February 20, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 17.7 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | byconsole-woo-order-delivery-time |
| Sources | NVD |
## CVE-2026-1566 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-1566 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | March 3, 2026 |
| Severity | HIGH |
| CNA Score | 8.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
CISA KEV R
## CVE-2025-14384 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-14384 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 4.3, MEDIUM)
/aioseo/v1/ai/credits
Source: NVD

| Field | Value |
|---|---|
| Score | 4.3 |
| Published | January 16, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 3 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | all-in-one-seo-pack |
| Sources | NVD |
## CVE-2024-30516 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2024-30516 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 7.5, HIGH)
Improper Validation of Specified Quantity in Input vulnerability in SaasProject Booking Package allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Booking Package: from n/a through 1.6.27.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | January 5, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 29.6 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | booking-package |
| Sources | NVD |
## CVE-2025-13320 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-13320 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 6.8, MEDIUM)
The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. This is due to insufficient validation of user-supplied file paths in the profile update functionality combined with improper handling of array inputs by PHP's filter_input() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. This only affects sites with the custom avatar setting enabled.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.8 |
| Published | December 12, 2025 |
| Severity | MEDIUM |
| CNA Score | 6.8 |
Affected Technologi
## CVE-2026-24962 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-24962 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through <= 0.0.9.
Source: NVD

| Field | Value |
|---|---|
| Score | 4.3 |
| Published | February 3, 2026 |
| Severity | MEDIUM |
| CNA Score | 4.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 4.1 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | sigmize |
| Sources | NVD |
## CVE-2026-24377 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-24377 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | January 22, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 14.2 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | the-plus-addons-for-block-editor |
| Sources | NVD |
## CVE-2025-53437 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-53437 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 8.1, HIGH)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Greenorganic greenorganic allows PHP Local File Inclusion. This issue affects Greenorganic: from n/a through <= 2.45.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | December 18, 2025 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 38.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | greenorganic |
| Sources | NVD |
## CVE-2026-28101 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-28101 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider MouseInteraction uberSlider_mouseinteraction allows Reflected XSS. This issue affects UberSlider MouseInteraction: from n/a through <= 2.3.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.1 |
| Published | March 5, 2026 |
| Severity | HIGH |
| CNA Score | 7.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 11.8 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | uberSlider_mouseinteraction |
| Sources | NVD |
## CVE-2026-24950 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-24950 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Authorsy: from n/a through <= 1.0.6.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.5 |
| Published | February 20, 2026 |
| Severity | HIGH |
| CNA Score | 7.5 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 13.8 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | authorsy |
| Sources | NVD |
## CVE-2026-22397 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-22397 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Fleur fleur allows PHP Local File Inclusion. This issue affects Fleur: from n/a through <= 2.0.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | March 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 37.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | fleur |
| Sources | NVD |
## CVE-2026-1648 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-1648 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curl_data' REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations, including internal services, via the Gopher protocol and other dangerous protocols. This can be exploited to achieve Remote Code Execution by chaining with services like Redis.
Source: NVD

| Field | Value |
|---|---|
| Score | 7.2 |
| Published | March 21, 2026 |
| Severity | HIGH |
| CNA Score | 7.2 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
CISA KEV Release Da
## CVE-2025-14339 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-14339 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 6.5, MEDIUM)
Forms::permission()
X-WP-Nonce
weMail
Source: NVD

| Field | Value |
|---|---|
| Score | 6.5 |
| Published | February 21, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.5 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 30.8 |
| Exploitation Probability (EPSS) | 0.1 |
| Affected packages and libraries | wemail |
| Sources | NVD |
## CVE-2025-69317 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-69317 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 6.1, MEDIUM)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6.
Source: NVD

| Field | Value |
|---|---|
| Score | 6.1 |
| Published | January 22, 2026 |
| Severity | MEDIUM |
| CNA Score | 6.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 11.9 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | carspot |
| Sources | NVD |
## CVE-2026-0909 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-0909 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
wp_ulike_delete_history_api
Source: NVD

| Field | Value |
|---|---|
| Score | 5.3 |
| Published | February 3, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 2.1 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | wp-ulike |
| Sources | NVD |
## CVE-2026-0829 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-0829 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
The Frontend File Manager Plugin WordPress plugin through 23.5 allows unauthenticated users to send emails through the site without any security checks. This lets attackers use the WordPress site as an open relay for spam or phishing emails to anyone. Attackers can also guess file IDs to access and share uploaded files without permission, exposing sensitive information.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.8 |
| Published | February 17, 2026 |
| Severity | MEDIUM |
| CNA Score | 5.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 85.2 |
| Exploitation Probability (EPSS) | 2.5 |
| Affected packages and libraries | nmedia-user-f |
## CVE-2025-14366 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-14366 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 5.3, MEDIUM)
The Eyewear prescription form plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.0.1. This is due to missing authorization checks on the SubmitCatProductRequest AJAX action. This makes it possible for unauthenticated attackers to create arbitrary WooCommerce products with custom names, prices, and category assignments via the 'Name', 'Price', and 'Parent' parameters.
Source: NVD

| Field | Value |
|---|---|
| Score | 5.3 |
| Published | December 13, 2025 |
| Severity | MEDIUM |
| CNA Score | 5.3 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 25.3 |
| Exploitation Probability (EPSS) | 0.1 |
## CVE-2026-28128 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-28128 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Verse verse allows PHP Local File Inclusion. This issue affects Verse: from n/a through <= 1.7.0.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.1 |
| Published | March 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.1 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 37.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | verse |
| Sources | NVD |
## CVE-2026-23975 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2026-23975 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | January 22, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 38.5 |
| Exploitation Probability (EPSS) | 0.2 |
| Affected packages and libraries | golo |
| Sources | NVD |
## CVE-2025-67921 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-67921 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection. This issue affects Lobo: from n/a through < 2.8.6.
Source: NVD

| Field | Value |
|---|---|
| Score | 9.8 |
| Published | January 8, 2026 |
| Severity | CRITICAL |
| CNA Score | 9.8 |
| Affected Technologies | WordPress |
| Has Public Exploit | No |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 14.1 |
| Exploitation Probability (EPSS) | N/A |
| Affected packages and libraries | lobo |
| Sources | NVD |
## CVE-2025-13657 : WordPress vulnerability analysis and mitigation
Wiz, "CVE-2025-13657 Impact, Exploitability, and Mitigation Steps" (blogs_wiz, CVSS 4.3, MEDIUM)
The HelpDesk contact form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing or incorrect nonce validation on the handle_query_args() function. This makes it possible for unauthenticated attackers to update the plugin's license ID and contact form ID settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
## CVE-2026-1720: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-1720 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
The WowOptin: Next-Gen Popup Maker – Create Stunning Popups and Optins for Lead Generation plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the 'install_and_active_plugin' function in all versions up to, and including, 1.4.24. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins.
Source: NVD
Score 8.8
Published March 5, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
## CVE-2025-58933: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-58933 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.1, HIGH)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Anubis anubis allows PHP Local File Inclusion. This issue affects Anubis: from n/a through <= 1.25.
Source: NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
anubis
Sources
NVD
| Distribution | Severity | Fix | Added at |
|---|---|---|---|
| Alpine 3.23 | HIGH | No fix | Jan 28, 2026 |
| Alpine edge | HIGH | No fix | Dec 25, 2025 |
## CVE-2025-12067: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-12067 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.4, MEDIUM)
The Table Field Add-on for ACF and SCF plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Table Cell Content in all versions up to, and including, 1.3.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published January 6, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
## CVE-2026-22366: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-22366 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Jude jude allows PHP Local File Inclusion. This issue affects Jude: from n/a through <= 1.3.0.
Source: NVD
Score 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
jude
Sources
NVD
## CVE-2025-69051: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-69051 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 7.1, HIGH)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through < 2.9.11.
Source: NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
listingpro-reviews
Sources
NVD
## CVE-2025-69295: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-69295 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.3, CRITICAL)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Coven Core coven-core allows Blind SQL Injection. This issue affects Coven Core: from n/a through <= 1.3.
Source: NVD
Score 9.3
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
coven-core
Sources
NVD
## CVE-2026-27541: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-27541 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Incorrect Privilege Assignment vulnerability in Josh Kohlbach Wholesale Suite woocommerce-wholesale-prices allows Privilege Escalation. This issue affects Wholesale Suite: from n/a through <= 2.2.6.
Source: NVD
Score 7.1
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-wholesale-prices
Sources
NVD
## CVE-2025-14632: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-14632 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 4.4, MEDIUM)
The Filr – Secure document library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via unrestricted file upload in all versions up to, and including, 1.2.11 due to insufficient file type restrictions in the FILR_Uploader class. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload malicious HTML files containing JavaScript that will execute whenever a user accesses the uploaded file, granted they have permission to create or edit posts with the 'filr' post type.
Source: NVD
Score 4.4
Published January 17, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
## CVE-2026-22476: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-22476 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Etchy etchy allows PHP Local File Inclusion. This issue affects Etchy: from n/a through <= 1.0.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
etchy
Sources
NVD
## CVE-2025-69402: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-69402 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.1, HIGH)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion. This issue affects R&F: from n/a through <= 1.5.
Source: NVD
Score 8.1
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
rf
Sources
NVD
## CVE-2025-67909: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-67909 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.1, HIGH)
Authorization Bypass Through User-Controlled Key vulnerability in WP Swings Membership For WooCommerce membership-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Membership For WooCommerce: from n/a through <= 3.0.3.
Source: NVD
Score 8.1
Published December 24, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
membership-for-woocommerce
Sources
NVD
## CVE-2026-25386: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-25386 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Missing Authorization vulnerability in Elementor Ally pojo-accessibility allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ally: from n/a through <= 4.0.2.
Source: NVD
Score 5.3
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pojo-accessibility
Sources
NVD
## CVE-2026-22352: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-22352 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS. This issue affects Persian Woocommerce SMS: from n/a through <= 7.1.1.
Source: NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
persian-woocommerce-sms
Sources
NVD
## CVE-2025-68006: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-68006 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.5, MEDIUM)
Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23.
Source: NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14
Exploitation Probability (EPSS) N/A
Affected packages and libraries
booking-ultra-pro
Sources
NVD
## CVE-2025-13355: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-13355 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 7.1, HIGH)
The URL Shortify WordPress plugin before 1.11.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
Source: NVD
Score 7.1
Published December 15, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
url-shortify
Sources
NVD
## CVE-2023-41656: WordPress vulnerability analysis and mitigation
Wiz: CVE-2023-41656 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.4, MEDIUM)
Missing Authorization vulnerability in wpdive Better Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Better Elementor Addons: from n/a through 1.3.7.
Source: NVD
Score 5.4
Published December 30, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
better-elementor-addons
Sources
NVD
## CVE-2025-69386: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-69386 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 7.1, HIGH)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS. This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.
Source: NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rvcfdi-para-woocommerce
Sources
NVD
## CVE-2025-66054: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-66054 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 7.5, HIGH)
Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LearnPress: from n/a through <= 4.2.9.4.
Source: NVD
Score 7.5
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
learnpress
Sources
NVD
## CVE-2025-22728: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-22728 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AmentoTech Workreap (theme's plugin) workreap allows SQL Injection. This issue affects Workreap (theme's plugin): from n/a through <= 3.3.6.
Source: NVD
Score 9.8
Published January 8, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
workreap
Sources
NVD
## CVE-2025-62123: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-62123 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Cross-Site Request Forgery (CSRF) vulnerability in inkthemes WP Gmail SMTP wp-gmail-smtp allows Cross Site Request Forgery. This issue affects WP Gmail SMTP: from n/a through <= 1.0.7.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-gmail-smtp
Sources
NVD
## CVE-2025-68544: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-68544 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion. This issue affects Diza: from n/a through <= 1.3.15.
Source: NVD
Published December 23, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
diza
Sources
NVD
## CVE-2025-62115: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-62115 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Missing Authorization vulnerability in ThemeBoy Hide Plugins hide-plugins allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hide Plugins: from n/a through <= 1.0.4.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hide-plugins
Sources
NVD
## CVE-2025-62741: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-62741 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.1, CRITICAL)
Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery. This issue affects Pool Services: from n/a through <= 3.3.
Source: NVD
Score 9.1
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pool-services
Sources
NVD
## CVE-2026-28013: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-28013 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kratz kratz allows PHP Local File Inclusion. This issue affects Kratz: from n/a through <= 1.0.12.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
kratz
Sources
NVD
## CVE-2025-69294: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-69294 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 8.8, HIGH)
Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection. This issue affects PeakShops: from n/a through <= 1.5.9.
Source: NVD
Score 8.8
Published February 20, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
peakshops
Sources
NVD
## CVE-2025-12898: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-12898 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.3, MEDIUM)
The Pretty Google Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the pgcal_ajax_handler() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to retrieve the Google API key set in the plugin's settings.
Source: NVD
Score 5.3
Published December 20, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pretty-google-calendar
Sources
NVD
## CVE-2026-24568: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-24568 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.1.0.
Source: NVD
Score 5.3
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-travel
Sources
NVD
## CVE-2026-1906: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-1906 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Identifiers referenced: `wpo_ips_edi_save_order_customer_peppol_identifiers`, `peppol_endpoint_id`, `peppol_endpoint_eas`, `order_id`
Source: NVD
Score 4.3
Published February 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-pdf-invoices-packing-slips
Sources
NVD
## CVE-2026-32536: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-32536 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Unrestricted Upload of File with Dangerous Type vulnerability in halfdata Green Downloads halfdata-paypal-green-downloads allows Using Malicious Files. This issue affects Green Downloads: from n/a through <= 2.08.
Source: NVD
Score 9.9
Published March 25, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
halfdata-paypal-green-downloads
Sources
NVD
## CVE-2025-67519: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-67519 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows SQL Injection. This issue affects Ninja Tables: from n/a through <= 5.2.3.
Source: NVD
Score 9.8
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ninja-tables
Sources
NVD
## CVE-2026-1825: WordPress vulnerability analysis and mitigation
Wiz: CVE-2026-1825 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 9.8, CRITICAL)
The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published March 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
## CVE-2025-8779: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-8779 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 6.4, MEDIUM)
The All-in-One Addons for Elementor – WidgetKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Team and Countdown widgets in all versions up to, and including, 2.5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-14798: WordPress vulnerability analysis and mitigation
Wiz: CVE-2025-14798 Impact, Exploitability, and Mitigation Steps (blogs_wiz, CVSS 5.3, MEDIUM)
The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included.
Source: NVD
Score 5.3
Published January 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.5
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-13910 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-13910 [MEDIUM] CVE-2025-13910 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13910 :
WordPress vulnerability analysis and mitigation
wwa_auth
Source : NVD
## 6.1
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-webauthn
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | No | Yes | |
Wiz
CVE-2025-67949 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-67949 [HIGH] CVE-2025-67949 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67949 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6.
Source : NVD
## 7.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hostiko
Sources
NVD
Wiz
CVE-2026-22370 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22370 [CRITICAL] CVE-2026-22370 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22370 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Marveland marveland allows PHP Local File Inclusion. This issue affects Marveland: from n/a through <= 1.3.0.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
marveland
Sources
NVD
Wiz
CVE-2026-4261 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4261 [CRITICAL] CVE-2026-4261 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4261 :
WordPress vulnerability analysis and mitigation
The Expire Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.2. This is due to the plugin allowing a user to update the 'on_expire_default_to_role' meta through the 'save_extra_user_profile_fields' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
Source : NVD
## 8.8
Score
Published March 21, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-69042 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2025-69042 [HIGH] CVE-2025-69042 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69042 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5.
Source : NVD
## 8.2
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
lindo
Sources
NVD
Wiz
CVE-2025-11754 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-11754 [HIGH] CVE-2025-11754 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11754 :
WordPress vulnerability analysis and mitigation
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.
Source : NVD
## 7.5
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
gdpr-cookie-conse
Wiz
CVE-2025-68506 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68506 [CRITICAL] CVE-2025-68506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68506 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nawawi Jamili Docket Cache docket-cache allows PHP Local File Inclusion. This issue affects Docket Cache: from n/a through <= 24.07.03.
Source : NVD
## 9.8
Score
Published December 24, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
docket-cache
Sources
NVD
Wiz
CVE-2026-0736 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-0736 [MEDIUM] CVE-2026-0736 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0736 :
WordPress vulnerability analysis and mitigation
The Chatbot for WordPress by Collect.chat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_inpost_head_script[synth_header_script]' post meta field in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-62120 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62120 [CRITICAL] CVE-2025-62120 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62120 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Rick Beckman OpenHook thesis-openhook allows Cross Site Request Forgery. This issue affects OpenHook: from n/a through <= 4.3.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
thesis-openhook
Sources
NVD
Wiz
CVE-2026-23976 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23976 [CRITICAL] CVE-2026-23976 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23976 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4.
Source : NVD
## 7.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
modula-best-grid-gallery
Sources
NVD
Wiz
CVE-2025-46434 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-46434 [MEDIUM] CVE-2025-46434 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-46434 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in POSIMYTH Innovation The Plus Addons for Elementor Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Plus Addons for Elementor Pro: from n/a before 6.3.7.
Source : NVD
## 6.5
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
theplus_elementor_addon
Sources
NVD
Wiz
CVE-2026-22349 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22349 [CRITICAL] CVE-2026-22349 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22349 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
menu-in-post
Sources
NVD
Wiz
CVE-2026-22445 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22445 [CRITICAL] CVE-2026-22445 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22445 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.5.1.
Source : NVD
## 5.3
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
apimo
Sources
NVD
Wiz
CVE-2025-14165 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14165 [MEDIUM] CVE-2025-14165 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14165 :
WordPress vulnerability analysis and mitigation
The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's API credentials and integration settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Wiz
CVE-2025-54004 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.6
CVE-2025-54004 [LOW] CVE-2025-54004 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-54004 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WC Lovers WCFM – Frontend Manager for WooCommerce wc-frontend-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WCFM – Frontend Manager for WooCommerce: from n/a through <= 6.7.24.
Source : NVD
## 2.6
Score
Published December 16, 2025
Severity LOW
CNA Score 2.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wc-frontend-manager
Sources
NVD
Wiz
CVE-2026-28135 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28135 [CRITICAL] CVE-2026-28135 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28135 :
WordPress vulnerability analysis and mitigation
Inclusion of Functionality from Untrusted Control Sphere vulnerability in WP Royal Royal Elementor Addons royal-elementor-addons allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Royal Elementor Addons: from n/a through <= 1.7.1052.
Source : NVD
## 8.2
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
royal-elementor-addons
Sources
NVD
Wiz
CVE-2026-22508 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22508 [CRITICAL] CVE-2026-22508 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22508 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Dentalux dentalux allows PHP Local File Inclusion. This issue affects Dentalux: from n/a through <= 3.3.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
dentalux
Sources
NVD
Wiz
CVE-2025-68498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68498 [CRITICAL] CVE-2025-68498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68498 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Crocoblock JetTabs jet-tabs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects JetTabs: from n/a through <= 2.2.12.
Source : NVD
Published December 30, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jet-tabs
Sources
NVD
Wiz
CVE-2026-22447 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22447 [CRITICAL] CVE-2026-22447 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22447 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1.
Source : NVD
## 5.3
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
prowess
Sources
NVD
Wiz
CVE-2025-68602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-68602 [MEDIUM] CVE-2025-68602 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68602 :
WordPress vulnerability analysis and mitigation
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Scott Paterson Accept Donations with PayPal & Stripe easy-paypal-donation allows Phishing. This issue affects Accept Donations with PayPal & Stripe: from n/a through <= 1.5.2.
Source : NVD
## 6.1
Score
Published December 24, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 80.7
Exploitation Probability (EPSS) 1.4
Affected packages and libraries
easy-paypal-donation
Sources
NVD
Wiz
CVE-2025-68895 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68895 [MEDIUM] CVE-2025-68895 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68895 :
WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in ahachat AhaChat Messenger Marketing ahachat-messenger-marketing allows Password Recovery Exploitation. This issue affects AhaChat Messenger Marketing: from n/a through <= 1.1.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ahachat-messenger-marketing
Sources
NVD
Wiz
CVE-2025-69385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-69385 [MEDIUM] CVE-2025-69385 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69385 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cartify
Sources
NVD
Wiz
CVE-2026-1304 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1304 [CRITICAL] CVE-2026-1304 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1304 :
WordPress vulnerability analysis and mitigation
The Membership Plugin – Restrict Content for WordPress is vulnerable to Stored Cross-Site Scripting via multiple invoice settings fields in all versions up to, and including, 3.2.18 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 4.4
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Wiz
CVE-2026-3178 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3178 [CRITICAL] CVE-2026-3178 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3178 :
WordPress vulnerability analysis and mitigation
The Name Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name_directory_name' parameter in all versions up to, and including, 1.32.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in versions 1.30.3 and 1.32.1.
Source : NVD
## 7.2
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.8
Wiz
CVE-2025-69321 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-69321 [HIGH] CVE-2025-69321 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69321 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5.
Source : NVD
## 7.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grandspa
Sources
NVD
Wiz
CVE-2026-2899 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2899 [CRITICAL] CVE-2026-2899 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2899 :
WordPress vulnerability analysis and mitigation
deleteFile()
Uploader
addPublicAjaxAction()
wp_ajax_
wp_ajax_nopriv_
attachment_id
path
sanitize_file_name()
Protector::decrypt()
attachment_id
Source : NVD
## 6.5
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.4
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
fluentformpro
Sources
NVD
Wiz
CVE-2025-67954 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67954 [MEDIUM] CVE-2025-67954 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67954 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salon-booking-system
Sources
NVD
Wiz
CVE-2025-12361 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-12361 [MEDIUM] CVE-2025-12361 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12361 :
WordPress vulnerability analysis and mitigation
The myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.9.7.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information including user IDs, display names, and email addresses of all users on the site via the get_bank_accounts AJAX action. Passwords are not exposed.
Source : NVD
## 4.3
Score
Published December 19, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2026-25350 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25350 [CRITICAL] CVE-2026-25350 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25350 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in skygroup Miti miti allows Reflected XSS. This issue affects Miti: from n/a through < 1.5.3.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
miti
Sources
NVD
Wiz
CVE-2025-68029 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68029 [CRITICAL] CVE-2025-68029 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68029 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in WP Swings Wallet System for WooCommerce wallet-system-for-woocommerce allows Retrieve Embedded Sensitive Data. This issue affects Wallet System for WooCommerce: from n/a through <= 2.7.3.
Source : NVD
Published January 5, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wallet-system-for-woocommerce
Sources
NVD
Wiz
CVE-2025-13608 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13608 [MEDIUM] CVE-2025-13608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13608 :
WordPress vulnerability analysis and mitigation
The CC Child Pages plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'child_pages' shortcode in all versions up to, and including, 2.0.0. This is due to insufficient input sanitization and output escaping on four user-supplied attributes (use_custom_link, use_custom_link_target, use_custom_thumbs, and use_custom_excerpt) in the 'show_child_pages' function. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 15, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2025-68990 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68990 [CRITICAL] CVE-2025-68990 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68990 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in xenioushk BWL Pro Voting Manager bwl-pro-voting-manager allows Blind SQL Injection. This issue affects BWL Pro Voting Manager: from n/a through <= 1.4.9.
Source : NVD
## 9.8
Score
Published December 30, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bwl-pro-voting-manager
Sources
NVD
Wiz
CVE-2026-1298 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1298 [CRITICAL] CVE-2026-1298 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1298 :
WordPress vulnerability analysis and mitigation
image_replacement_from_url
eri_from_url
Source : NVD
## 5.3
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-replace-image
Sources
NVD
Wiz
CVE-2025-54003 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-54003 [CRITICAL] CVE-2025-54003 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-54003: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16.
Source: NVD
Score 9.8
Published January 22, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
depot
Sources
NVD
Wiz
CVE-2025-67931 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-67931 [HIGH] CVE-2025-67931 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67931: WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data. This issue affects BulletProof Security: from n/a through <= 6.9.
Source: NVD
Score 7.5
Published January 8, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bulletproof-security
Sources
NVD
Wiz
CVE-2025-64635 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-64635 [MEDIUM] CVE-2025-64635 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64635: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Syed Balkhi Feeds for YouTube feeds-for-youtube allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Feeds for YouTube: from n/a through <= 2.4.0.
Source: NVD
Score 5.4
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
feeds-for-youtube
Sources
NVD
Wiz
CVE-2025-69363 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-69363 [MEDIUM] CVE-2025-69363 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69363: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CyberChimps Responsive Addons for Elementor responsive-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Addons for Elementor: from n/a through <= 2.0.8.
Source: NVD
Score 6.5
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
responsive-addons-for-elementor
Sources
NVD
Wiz
CVE-2025-67626 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-67626 [MEDIUM] CVE-2025-67626 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67626: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1.
Source: NVD
Score 4.3
Published January 22, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-seo-search
Sources
NVD
Wiz
CVE-2025-67547 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67547 [MEDIUM] CVE-2025-67547 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67547: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Konte: from n/a through <= 2.4.6.
Source: NVD
Score 6.5
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
konte
Sources
NVD
Wiz
CVE-2026-25451 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25451 [CRITICAL] CVE-2026-25451 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25451: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Stored XSS. This issue affects Bold Page Builder: from n/a through <= 5.6.9.
Source: NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bold-page-builder
Sources
NVD
Wiz
CVE-2026-22410 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22410 [CRITICAL] CVE-2026-22410 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22410: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Dolcino dolcino allows PHP Local File Inclusion. This issue affects Dolcino: from n/a through <= 1.6.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
dolcino
Sources
NVD
Wiz
CVE-2026-1393 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1393 [CRITICAL] CVE-2026-1393 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1393: WordPress vulnerability analysis and mitigation
The Add Google Social Profiles to Knowledge Graph Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin's Knowledge Graph settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Wiz
CVE-2025-64188 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-64188 [CRITICAL] CVE-2025-64188 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64188: WordPress vulnerability analysis and mitigation
Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation. This issue affects Soledad: from n/a through <= 8.6.9.
Source: NVD
Score 9.8
Published December 18, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
soledad
Sources
NVD
Wiz
CVE-2026-3496 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3496 [CRITICAL] CVE-2026-3496 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3496: WordPress vulnerability analysis and mitigation
The JetBooking plugin for WordPress is vulnerable to SQL Injection via the 'check_in_date' parameter in all versions up to, and including, 4.0.3. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source: NVD
Score 7.5
Published March 11, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.5
Wiz
CVE-2025-68041 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68041 [HIGH] CVE-2025-68041 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68041: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65.
Source: NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
codistoconnect
Sources
NVD
Wiz
CVE-2025-14118 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-14118 [MEDIUM] CVE-2025-14118 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14118: WordPress vulnerability analysis and mitigation
The Starred Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the PHP_SELF variable in all versions up to, and including, 1.4.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source: NVD
Score 6.1
Published January 7, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-14977 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-14977 [HIGH] CVE-2025-14977 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14977: WordPress vulnerability analysis and mitigation
/wp-json/dokan/v1/settings
Source: NVD
Score 8.1
Published January 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dokan-lite
Sources
NVD
Wiz
CVE-2026-32490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32490 [CRITICAL] CVE-2026-32490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32490: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jgwhite33 WP TripAdvisor Review Slider wp-tripadvisor-review-slider allows Stored XSS. This issue affects WP TripAdvisor Review Slider: from n/a through <= 14.1.
Source: NVD
Score 6.5
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-tripadvisor-review-slider
Sources
NVD
Wiz
CVE-2026-27082 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27082 [CRITICAL] CVE-2026-27082 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27082: WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection. This issue affects Love Story: from n/a through <= 1.3.12.
Source: NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
lovestory
Sources
NVD
Wiz
CVE-2026-28108 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28108 [CRITICAL] CVE-2026-28108 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28108: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS. This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.
Source: NVD
Score 7.1
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
all-in-one-thumbnailsBanner
Sources
NVD
Wiz
CVE-2025-63007 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-63007 [MEDIUM] CVE-2025-63007 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63007: WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Retrieve Embedded Sensitive Data. This issue affects EventPrime: from n/a through <= 4.2.4.1.
Source: NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eventprime-event-calendar-management
Sources
NVD
Wiz
CVE-2025-69044 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-69044 [HIGH] CVE-2025-69044 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69044: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3.
Source: NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
vango
Sources
NVD
Wiz
CVE-2025-63055 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-63055 [MEDIUM] CVE-2025-63055 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63055: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.
Source: NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
master-addons
Sources
NVD
Wiz
CVE-2026-4077 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4077 [CRITICAL] CVE-2026-4077 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4077: WordPress vulnerability analysis and mitigation
The Ecover Builder For Dummies plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'ecover' shortcode in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' shortcode attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-2723 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2723 [CRITICAL] CVE-2026-2723 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2723: WordPress vulnerability analysis and mitigation
The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for saving, adding, and deleting snippets. This makes it possible for unauthenticated attackers to modify plugin settings and inject malicious scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 6.1
Published March 21, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-32512 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32512 [CRITICAL] CVE-2026-32512 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32512: WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in Edge-Themes Pelicula pelicula-video-production-and-movie-theme allows Object Injection. This issue affects Pelicula: from n/a through < 1.10.
Source: NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pelicula-video-production-and-movie-theme
Sources
NVD
Wiz
CVE-2025-67941 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-67941 [HIGH] CVE-2025-67941 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67941: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1.
Source: NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
theaisle
Sources
NVD
Wiz
CVE-2026-3222 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3222 [CRITICAL] CVE-2026-3222 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3222: WordPress vulnerability analysis and mitigation
FlipperCode_Model_Base::is_column()
esc_sql()
wpgmp_ajax_call
wp_ajax_nopriv
wpgmp_return_final_capability
location_id
Source: NVD
Score 7.5
Published March 11, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 43
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
wp-google-map-plugin
Sources
NVD
Wiz
CVE-2026-22483 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22483 [CRITICAL] CVE-2026-22483 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22483: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery. This issue affects teachPress: from n/a through <= 9.0.12.
Source: NVD
Score 5.4
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
teachpress
Sources
NVD
Wiz
CVE-2026-27440 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27440 [CRITICAL] CVE-2026-27440 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27440: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS. This issue affects myCred: from n/a through <= 2.9.7.6.
Source: NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mycred
Sources
NVD
Wiz
CVE-2025-66533 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.8
CVE-2025-66533 [HIGH] CVE-2025-66533 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66533: WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in StellarWP GiveWP give allows Code Injection. This issue affects GiveWP: from n/a through <= 4.13.1.
Source: NVD
Score 7.8
Published December 9, 2025
Severity HIGH
CNA Score 7.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
give
Sources
NVD
Wiz
CVE-2026-22470 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22470 [CRITICAL] CVE-2026-22470 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22470: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection. This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11.
Source: NVD
Score 7.6
Published January 22, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fs-real-estate-plugin
Sources
NVD
Wiz
CVE-2025-12834 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-12834 [MEDIUM] CVE-2025-12834 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12834: WordPress vulnerability analysis and mitigation
The Accept Stripe Payments Using Contact Form 7 plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'failure_message' parameter in versions up to, and including, 3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source: NVD
Score 6.1
Published December 12, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33
Wiz
CVE-2026-22487 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22487 [CRITICAL] CVE-2026-22487 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22487: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in baqend Speed Kit baqend allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Speed Kit: from n/a through <= 2.0.2.
Source: NVD
Published January 8, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
baqend
Sources
NVD
Wiz
CVE-2025-49355 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-49355 [CRITICAL] CVE-2025-49355 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49355: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ikaes Accessibility Press ilogic-accessibility allows Stored XSS. This issue affects Accessibility Press: from n/a through <= 1.0.2.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ilogic-accessibility
Sources
NVD
Wiz
CVE-2025-62142 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62142 [CRITICAL] CVE-2025-62142 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62142: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nicashmu Post Video Players video-playlist-and-gallery-plugin allows Stored XSS. This issue affects Post Video Players: from n/a through <= 1.163.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
video-playlist-and-gallery-plugin
Sources
NVD
Wiz
CVE-2025-62146 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62146 [CRITICAL] CVE-2025-62146 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62146: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Maksym Marko MX Time Zone Clocks mx-time-zone-clocks allows Stored XSS. This issue affects MX Time Zone Clocks: from n/a through <= 5.1.1.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mx-time-zone-clocks
Sources
NVD
Wiz
CVE-2025-14168 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14168 [MEDIUM] CVE-2025-14168 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14168 :
WordPress vulnerability analysis and mitigation
The WP DB Booster plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the cleanup_all AJAX action. This makes it possible for unauthenticated attackers to delete database records including post drafts, revisions, comments, and metadata via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published December 20, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Wiz
CVE-2026-0734 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2026-0734 [MEDIUM] CVE-2026-0734 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0734 :
WordPress vulnerability analysis and mitigation
The WP Allowed Hosts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'allowed-hosts' parameter in all versions up to, and including, 1.0.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-69365 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-69365 [CRITICAL] CVE-2025-69365 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69365 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Uroan Core uroan-core allows Blind SQL Injection. This issue affects Uroan Core: from n/a through <= 1.4.4.
Source : NVD
## 9.3
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
uroan-core
Sources
NVD
Wiz
CVE-2026-2424 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2424 [CRITICAL] CVE-2026-2424 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2424 :
WordPress vulnerability analysis and mitigation
The Reward Video Ad for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.6. This is due to insufficient input sanitization and output escaping on plugin settings such as the 'Account ID', 'Message before the video', and color fields. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 4.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2025-13773 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-13773 [CRITICAL] CVE-2025-13773 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13773 :
WordPress vulnerability analysis and mitigation
The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function. This is due to missing capability check in the 'WooCommerce_Delivery_Notes::update' function, PHP enabled in Dompdf, and missing escape in the 'template.php' file. This makes it possible for unauthenticated attackers to execute code on the server.
Source : NVD
## 9.8
Score
Published December 24, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Wiz
CVE-2025-67998 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-67998 [HIGH] CVE-2025-67998 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67998 :
WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse. This issue affects Miraculous Elementor: from n/a through <= 2.0.7.
Source : NVD
## 8.8
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
miraculous-el
Sources
NVD
Wiz
CVE-2026-3666 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3666 [CRITICAL] CVE-2026-3666 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3666 :
WordPress vulnerability analysis and mitigation
The wpForo Forum plugin for WordPress is vulnerable to arbitrary file deletion in all versions up to, and including, 2.4.16. This is due to a missing file name/path validation against path traversal sequences. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary files on the server by embedding a crafted path traversal string in a forum post body and then deleting the post.
Source : NVD
## 8.8
Score
Published April 4, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Wiz
CVE-2025-62114 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62114 [CRITICAL] CVE-2025-62114 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62114 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in marcelotorres Download Media Library download-media-library allows Retrieve Embedded Sensitive Data. This issue affects Download Media Library: from n/a through <= 0.2.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
download-media-library
Sources
NVD
Wiz
CVE-2025-67994 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-67994 [HIGH] CVE-2025-67994 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67994 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayCurrency: from n/a through <= 3.3.
Source : NVD
## 7.5
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yaycurrency
Sources
NVD
Wiz
CVE-2026-27067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27067 [CRITICAL] CVE-2026-27067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27067 :
WordPress vulnerability analysis and mitigation
Unrestricted Upload of File with Dangerous Type vulnerability in Syarif Mobile App Editor mobile-app-editor allows Upload a Web Shell to a Web Server. This issue affects Mobile App Editor: from n/a through <= 1.3.1.
Source : NVD
Published March 19, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mobile-app-editor
Sources
NVD
Wiz
CVE-2025-62092 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62092 [CRITICAL] CVE-2025-62092 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62092 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Wiremo Wiremo woo-reviews-by-wiremo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wiremo: from n/a through <= 1.4.99.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woo-reviews-by-wiremo
Sources
NVD
Wiz
CVE-2026-22515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22515 [CRITICAL] CVE-2026-22515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22515 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes VegaDays vegadays allows PHP Local File Inclusion. This issue affects VegaDays: from n/a through <= 1.2.0.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
vegadays
Sources
NVD
Wiz
CVE-2025-13966 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13966 [MEDIUM] CVE-2025-13966 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13966 :
WordPress vulnerability analysis and mitigation
The Paypal Payment Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttom_image' parameter of the [paypal-shortcode] shortcode in all versions up to, and including, 1.01 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-68071 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68071 [MEDIUM] CVE-2025-68071 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68071 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.9.
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
essential-real-estate
Sources
NVD
Wiz
CVE-2025-59129 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-59129 [CRITICAL] CVE-2025-59129 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59129 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in appointify Appointify appointify allows Blind SQL Injection. This issue affects Appointify: from n/a through <= 1.0.8.
Source : NVD
Published December 30, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
appointify
Sources
NVD
Wiz
CVE-2024-52387 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2024-52387 [MEDIUM] CVE-2024-52387 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-52387 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.
Source : NVD
## 5.9
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
master-addons
Sources
NVD
Wiz
CVE-2025-14835 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-14835 [HIGH] CVE-2025-14835 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14835 :
WordPress vulnerability analysis and mitigation
The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
## 7.1
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34.9
Wiz
CVE-2026-28091 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28091 [CRITICAL] CVE-2026-28091 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28091 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coleo coleo allows PHP Local File Inclusion. This issue affects Coleo: from n/a through <= 1.1.7.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
coleo
Sources
NVD
Wiz
CVE-2026-27396 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27396 [CRITICAL] CVE-2026-27396 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27396 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directory Pro: from n/a through <= 2.5.6.
Source : NVD
## 7.3
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
directory-pro
Sources
NVD
Wiz
CVE-2026-25384 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25384 [CRITICAL] CVE-2026-25384 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25384 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WP Lab WP-Lister Lite for eBay wp-lister-for-ebay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-Lister Lite for eBay: from n/a through <= 3.8.5.
Source : NVD
## 5.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-lister-for-ebay
Sources
NVD
Wiz
CVE-2025-63005 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-63005 [CRITICAL] CVE-2025-63005 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63005 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Tomas WordPress Tooltips wordpress-tooltips allows Stored XSS. This issue affects WordPress Tooltips: from n/a through <= 10.9.3.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wordpress-tooltips
Sources
NVD
Wiz
CVE-2025-69376 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-69376 [HIGH] CVE-2025-69376 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69376 :
WordPress vulnerability analysis and mitigation
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal. This issue affects User Extra Fields: from n/a through <= 17.0.
Source : NVD
## 8.6
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-user-extra-fields
Sources
NVD
Wiz
CVE-2025-13592 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-13592 [HIGH] CVE-2025-13592 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13592 :
WordPress vulnerability analysis and mitigation
The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter. This allows authenticated attackers with editor-level permissions or above, to execute code on the server.
Source : NVD
## 7.2
Score
Published December 29, 2025
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 52.3
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
advanced-ads
Sources
NVD
Wiz
CVE-2025-69089 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-69089 [MEDIUM] CVE-2025-69089 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69089 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in autolistings Auto Listings auto-listings allows Stored XSS. This issue affects Auto Listings: from n/a through <= 2.7.1.
Source : NVD
## 6.5
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
auto-listings
Sources
NVD
Wiz
CVE-2026-1073 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1073 [CRITICAL] CVE-2026-1073 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1073 :
WordPress vulnerability analysis and mitigation
inc/purchase-btn-options-page.php
Source : NVD
## 4.3
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
purchase-button
Sources
NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja | | | |
Wiz
CVE-2025-14037 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-14037 [HIGH] CVE-2025-14037 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14037 :
WordPress vulnerability analysis and mitigation
The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitization in the 'createManageFeedPage' function. This makes it possible for authenticated administrator-level attackers to delete arbitrary files on the server via specially crafted requests that include path traversal sequences, granted they can trick an admin into clicking a malicious link.
Source : NVD
## 8.1
Score
Published March 21, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-14120 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14120 [MEDIUM] CVE-2025-14120 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14120 :
WordPress vulnerability analysis and mitigation
The URL Image Importer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.7 due to insufficient sanitization of SVG files. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Source : NVD
## 6.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-62119 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62119 [CRITICAL] CVE-2025-62119 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62119 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ViitorCloud Technologies Pvt Ltd Add Featured Image Custom Link custom-url-to-featured-image allows DOM-Based XSS. This issue affects Add Featured Image Custom Link: from n/a through <= 2.0.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
custom-url-to-featured-image
Sources
NVD
Wiz
CVE-2026-28009 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28009 [CRITICAL] CVE-2026-28009 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28009 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX DroneX dronex allows PHP Local File Inclusion. This issue affects DroneX: from n/a through <= 1.1.12.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
dronex
Sources
NVD
Wiz
CVE-2025-68880 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68880 [HIGH] CVE-2025-68880 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68880 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Reflected XSS. This issue affects Simple Archive Generator: from n/a through <= 5.2.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-archive-generator
Sources
NVD
Wiz
CVE-2026-4347 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4347 [CRITICAL] CVE-2026-4347 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4347 :
WordPress vulnerability analysis and mitigation
The MW WP Form plugin for WordPress is vulnerable to arbitrary file moving due to insufficient file path validation via the 'generate_user_filepath' function and the 'move_temp_file_to_upload_dir' function in all versions up to, and including, 5.1.0. This makes it possible for unauthenticated attackers to move arbitrary files on the server, which can easily lead to remote code execution when the right file is moved (such as wp-config.php). The vulnerability is only exploitable if a file upload field is added to the form and the “Saving inquiry data in database” option is enabled.
Source : NVD
## 8.1
Score
Published April 2, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2026-22324 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22324 [CRITICAL] CVE-2026-22324 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22324 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Melania allows PHP Local File Inclusion. This issue affects Melania: from n/a through 2.5.0.
Source : NVD
## 8.1
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
melania
Sources
NVD
Wiz
CVE-2026-27097 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27097 [CRITICAL] CVE-2026-27097 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27097 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion. This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through <= 1.1.2.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
casamia
Sources
NVD
Wiz
CVE-2025-69191 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2025-69191 [HIGH] CVE-2025-69191 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69191 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7.
Source : NVD
## 7.3
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
listinghub
Sources
NVD
blogs_wiz·CVSS 7.3
CVE-2025-68043 [HIGH] CVE-2025-68043 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68043 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LottieFiles: from n/a through <= 3.0.0.
Source : NVD
## 7.3
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 85.2
Exploitation Probability (EPSS) 2.5
Affected packages and libraries
lottiefiles
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-28069 [CRITICAL] CVE-2026-28069 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28069 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Le Truffe letruffe allows PHP Local File Inclusion. This issue affects Le Truffe: from n/a through <= 1.1.7.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
letruffe
Sources
NVD
blogs_wiz·CVSS 7.5
CVE-2025-13089 [HIGH] CVE-2025-13089 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13089 :
WordPress vulnerability analysis and mitigation
The WP Directory Kit plugin for WordPress is vulnerable to SQL Injection via the 'hide_fields' and the 'attr_search' parameter in all versions up to, and including, 1.4.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 7.5
Score
Published December 13, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 8.1
CVE-2025-69061 [HIGH] CVE-2025-69061 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69061 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion. This issue affects MoveMe: from n/a through <= 1.2.15.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
moveme
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-28056 [CRITICAL] CVE-2026-28056 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28056 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX MCKinney's Politics mckinney-politics allows PHP Local File Inclusion. This issue affects MCKinney's Politics: from n/a through <= 1.2.8.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
mckinney-politics
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-22425 [CRITICAL] CVE-2026-22425 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22425 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Sweet Jane sweetjane allows PHP Local File Inclusion. This issue affects Sweet Jane: from n/a through <= 1.2.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
sweetjane
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-1492 [CRITICAL] CVE-2026-1492 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1492 :
WordPress vulnerability analysis and mitigation
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by supplying a role value during membership registration.
Source : NVD
## 9.8
Score
Published March 3, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
blogs_wiz·CVSS 9.8
CVE-2025-69382 [CRITICAL] CVE-2025-69382 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69382 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in themesflat Themesflat Elementor themesflat-elementor allows Object Injection. This issue affects Themesflat Elementor: from n/a through <= 1.0.1.
Source : NVD
## 9.8
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
themesflat-elementor
Sources
NVD
blogs_wiz·CVSS 5.4
CVE-2025-13642 [MEDIUM] CVE-2025-13642 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13642 :
WordPress vulnerability analysis and mitigation
type
pp_preview_form
Source : NVD
## 5.4
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-user-avatar
Sources
NVD
blogs_wiz·CVSS 4.3
CVE-2025-67599 [MEDIUM] CVE-2025-67599 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67599 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WebToffee WebToffee eCommerce Marketing Automation decorator-woocommerce-email-customizer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebToffee eCommerce Marketing Automation: from n/a through <= 2.1.1.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
decorator-woocommerce-email-customizer
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-25027 [CRITICAL] CVE-2026-25027 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25027 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1.
Source : NVD
## 7.5
Score
Published February 3, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
unicamp
Sources
NVD
blogs_wiz·CVSS 4.3
CVE-2025-64248 [MEDIUM] CVE-2025-64248 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64248 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in emarket-design Request a Quote request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Request a Quote: from n/a through <= 2.5.3.
Source : NVD
## 4.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
request-a-quote
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-23979 [CRITICAL] CVE-2026-23979 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23979 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Softwebmedia Gyan Elements gyan-elements allows Reflected XSS. This issue affects Gyan Elements: from n/a through <= 2.2.1.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gyan-elements
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-1808 [CRITICAL] CVE-2026-1808 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1808 :
WordPress vulnerability analysis and mitigation
The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 6, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 9.8
CVE-2026-4335 [CRITICAL] CVE-2026-4335 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4335 :
WordPress vulnerability analysis and mitigation
The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the attachment post_title in all versions up to, and including, 6.4.3. This is due to insufficient output escaping in the getEditorPopup() function and its corresponding media-popup.php template. Specifically, the attachment's post_title is retrieved from the database via get_post() in AjaxController.php (line 435) and passed directly to the view template (line 449), where it is rendered into an HTML input element's value attribute without esc_attr() escaping (media-popup.php line 139). Since WordPress allows Authors to set arbitrary attachment titles (including double-quote characters) via the REST API, a malicious author
blogs_wiz·CVSS 9.8
CVE-2026-27386 [CRITICAL] CVE-2026-27386 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27386 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in designthemes DesignThemes Directory Addon designthemes-directory-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DesignThemes Directory Addon: from n/a through <= 1.8.
Source : NVD
## 7.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
designthemes-directory-addon
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-31914 [CRITICAL] CVE-2026-31914 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31914 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hookandhook WP Courses LMS wp-courses allows DOM-Based XSS. This issue affects WP Courses LMS: from n/a through <= 3.2.26.
Source : NVD
## 6.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-courses
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-2580 [CRITICAL] CVE-2026-2580 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2580 :
WordPress vulnerability analysis and mitigation
The WP Maps – Store Locator,Google Maps,OpenStreetMap,Mapbox,Listing,Directory & Filters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.9.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 7.5
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
blogs_wiz·CVSS 4.3
CVE-2025-14428 [MEDIUM] CVE-2025-14428 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14428 :
WordPress vulnerability analysis and mitigation
The All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs - My Sticky Elements plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'my_sticky_elements_bulks' function in all versions up to, and including, 2.3.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all contact form leads stored by the plugin.
Source : NVD
## 4.3
Score
Published January 1, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.9
blogs_wiz·CVSS 9.8
CVE-2026-1503 [CRITICAL] CVE-2026-1503 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1503 :
WordPress vulnerability analysis and mitigation
The login_register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login_register_login_post' parameter. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
blogs_wiz·CVSS 9.8
CVE-2026-32583 [CRITICAL] CVE-2026-32583 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32583 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modern Events Calendar: from n/a through 7.29.0.
Source : NVD
## 5.3
Score
Published March 16, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 85.9
Exploitation Probability (EPSS) 2.7
Affected packages and libraries
modern-events-calendar
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2026-3831 [CRITICAL] CVE-2026-3831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3831 :
WordPress vulnerability analysis and mitigation
The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entries_shortcode() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract all form submissions - including names, emails, phone numbers.
Source : NVD
## 4.3
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
blogs_wiz·CVSS 4.3
CVE-2025-12030 [MEDIUM] CVE-2025-12030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12030 :
WordPress vulnerability analysis and mitigation
The ACF to REST API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.4. This is due to insufficient capability checks in the update_item_permissions_check() method, which only verifies that the current user has the edit_posts capability without checking object-specific permissions (e.g., edit_post($id), edit_user($id), manage_options). This makes it possible for authenticated attackers, with Contributor-level access and above, to modify ACF fields on posts they do not own, any user account, comments, taxonomy terms, and even the global options page via the /wp-json/acf/v3/{type}/{id} endpoints, granted they can authenticate to the site.
Source : NVD
blogs_wiz·CVSS 7.1
CVE-2025-52739 [HIGH] CVE-2025-52739 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-52739 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in uxper Sala allows Reflected XSS. This issue affects Sala: from n/a through 1.1.3.
Source : NVD
## 7.1
Score
Published December 31, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sala
Sources
NVD
blogs_wiz·CVSS 7.5
CVE-2025-12166 [HIGH] CVE-2025-12166 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12166 :
WordPress vulnerability analysis and mitigation
order
append_where_sql
Source : NVD
## 7.5
Score
Published January 14, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
simply-schedule-appointments
Sources
NVD
blogs_wiz·CVSS 9.8
CVE-2025-49028 [CRITICAL] CVE-2025-49028 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49028 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Zoho Mail Zoho ZeptoMail transmail allows Stored XSS. This issue affects Zoho ZeptoMail: from n/a through <= 3.3.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
transmail
Sources
NVD
blogs_wiz·CVSS 6.4
CVE-2025-12109 [MEDIUM] CVE-2025-12109 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12109 :
WordPress vulnerability analysis and mitigation
The Header Footer Script Adder – Insert Code in Header, Body & Footer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the script adder present in posts in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 7.2
CVE-2025-14613 [HIGH] CVE-2025-14613 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14613 :
WordPress vulnerability analysis and mitigation
The GetContentFromURL plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0. This is due to the plugin using wp_remote_get() instead of wp_safe_remote_get() to fetch content from a user-supplied URL in the 'url' parameter of the [gcfu] shortcode. This makes it possible for authenticated attackers, with Contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Source : NVD
## 7.2
Score
Published January 14, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
blogs_wiz·CVSS 8.1
CVE-2025-67938 [HIGH] CVE-2025-67938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67938 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion. This issue affects Biagiotti: from n/a through < 3.5.2.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
biagiotti
Sources
NVD
blogs_wiz·CVSS 4.3
CVE-2025-69361 [MEDIUM] CVE-2025-69361 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69361 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in PublishPress Post Expirator post-expirator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Post Expirator: from n/a through <= 4.9.3.
Source : NVD
## 4.3
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
post-expirator
Sources
NVD
blogs_wiz·CVSS 7.1
CVE-2025-30631 [HIGH] CVE-2025-30631 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-30631 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AA-Team Woocommerce Sales Funnel Builder, AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows Reflected XSS. This issue affects Woocommerce Sales Funnel Builder: from n/a through 1.1; Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Source : NVD
## 7.1
Score
Published January 6, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
blogs_wiz·CVSS 9.8
CVE-2026-22362 [CRITICAL] CVE-2026-22362 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22362 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Photolia photolia allows PHP Local File Inclusion. This issue affects Photolia: from n/a through <= 1.0.3.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
photolia
Sources
NVD
blogs_wiz·CVSS 6.5
CVE-2025-67942 [MEDIUM] CVE-2025-67942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67942 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Peach Payments Gateway: from n/a through <= 3.3.6.
Source : NVD
## 6.5
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wc-peach-payments-gateway
Sources
NVD
## CVE-2026-23974: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5.
Source: NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
golo
Sources
NVD
## CVE-2025-67967: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3.
Source: NVD
Score 7.6
Published January 22, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lawyer-directory
Sources
NVD
## CVE-2025-69381: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WooCommerce Bulk Product Editor: from n/a through <= 3.0.
Source: NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-quick-product-editor
Sources
NVD
## CVE-2026-1378: WordPress vulnerability analysis and mitigation
cpt_plugin_options()
Source: NVD
Score 4.3
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-posts-re-order
Sources
NVD
## CVE-2026-2716: WordPress vulnerability analysis and mitigation
The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source: NVD
Score 4.4
Published February 19, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
## CVE-2026-22481: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1.
Source: NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bd-courier-order-ratio-checker
Sources
NVD
## CVE-2026-1899: WordPress vulnerability analysis and mitigation
The Any Post Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aps_slider shortcode in all versions up to, and including, 1.0.4 due to insufficient input sanitization and output escaping on the 'post_type' attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
## CVE-2025-68848: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS. This issue affects amr cron manager: from n/a through <= 2.3.
Source: NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
amr-cron-manager
Sources
NVD
## CVE-2025-13969: WordPress vulnerability analysis and mitigation
The Reviews Sorted plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'space' parameter of the [reviews-slider] shortcode in all versions up to, and including, 2.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.5
## CVE-2025-14984: WordPress vulnerability analysis and mitigation
The Gutenverse Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file upload in all versions up to, and including, 2.3.2. This is due to the plugin's framework component adding SVG to the allowed MIME types via the upload_mimes filter without implementing any sanitization of SVG file contents. This makes it possible for authenticated attackers, with Author-level access and above, to upload SVG files containing malicious JavaScript that executes when the file is viewed, leading to arbitrary JavaScript execution in victims' browsers.
Source: NVD
Score 6.4
Published January 8, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
## CVE-2026-22503: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Nelson nelson allows PHP Local File Inclusion. This issue affects Nelson: from n/a through <= 1.2.0.
Source: NVD
Score 8.1
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
nelson
Sources
NVD
## CVE-2026-22440: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree Thecs thecs allows Reflected XSS. This issue affects Thecs: from n/a through <= 1.4.7.
Source: NVD
Score 7.1
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
thecs
Sources
NVD
## CVE-2025-69293: WordPress vulnerability analysis and mitigation
Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5.
Source: NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
final-user
Sources
NVD
## CVE-2025-7733: WordPress vulnerability analysis and mitigation
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.7 via the 'cs_update_application_status_callback' due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Candidate-level access and above, to send a site-generated email with injected HTML to any user.
Source: NVD
Score 4.3
Published December 20, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
## CVE-2026-24383: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6.
Source: NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
b-slider
Sources
NVD
## CVE-2025-14077: WordPress vulnerability analysis and mitigation
The Simcast plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the settingsPage function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published January 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
## CVE-2025-68000: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Testimonial Slider: from n/a through <= 2.0.15.
Source: NVD
Score 6.5
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
testimonial
Sources
NVD
## CVE-2026-1932: WordPress vulnerability analysis and mitigation
The Appointment Booking Calendar Plugin – Bookr plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update-appointment REST API endpoint in all versions up to, and including, 1.0.2. This makes it possible for unauthenticated attackers to modify the status of any appointment.
Source: NVD
Score 5.3
Published February 14, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bookr
Sources
NVD
## CVE-2025-67525: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Opal_WP ekommart ekommart allows PHP Local File Inclusion. This issue affects ekommart: from n/a through < 4.3.1.
Source: NVD
Score 9.8
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
ekommart
Sources
NVD
## CVE-2025-66116: WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in UserElements Ultimate Member Widgets for Elementor ultimate-member-widgets-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Ultimate Member Widgets for Elementor: from n/a through <= 2.3.
Source: NVD
Score 7.5
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-member-widgets-for-elementor
Sources
NVD
## CVE-2026-27411: WordPress vulnerability analysis and mitigation
Guessable CAPTCHA vulnerability in jp-secure SiteGuard WP Plugin siteguard allows Functionality Bypass. This issue affects SiteGuard WP Plugin: from n/a through <= 1.7.9.
Source: NVD
Score 5.3
Published March 5, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
siteguard
Sources
NVD
## CVE-2026-28010: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Scientia scientia allows PHP Local File Inclusion. This issue affects Scientia: from n/a through <= 1.2.4.
Source: NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
scientia
Sources
NVD
## CVE-2025-64260: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Marco Milesi ANAC XML Bandi di Gara avcp allows Reflected XSS. This issue affects ANAC XML Bandi di Gara: from n/a through <= 7.7.
Source: NVD
Score 7.1
Published December 18, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
avcp
Sources
NVD
## CVE-2026-27984: WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in Marketing Fire Widget Options widget-options allows Code Injection. This issue affects Widget Options: from n/a through <= 4.1.3.
Source: NVD
Score 9.0
Published March 5, 2026
Severity CRITICAL
CNA Score 9.0
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
widget-options
Sources
NVD
## CVE-2026-0742: WordPress vulnerability analysis and mitigation
The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published February 4, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-14997: WordPress vulnerability analysis and mitigation
The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Source: NVD
Score 7.2
Published January 6, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 76.2
## CVE-2025-14903: WordPress vulnerability analysis and mitigation
The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
## CVE-2025-69337: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection. This issue affects Wolmart Core: from n/a through <= 1.9.6.
Source: NVD
Score 9.3
Published February 20, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wolmart-core
Sources
NVD
## CVE-2025-67526: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Sailing sailing allows PHP Local File Inclusion. This issue affects Sailing: from n/a through < 4.4.6.
Source: NVD
Score 9.8
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
sailing
Sources
NVD
## CVE-2025-54743: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through 2.1.5-2.1.6.
Source: NVD
Score 5.3
Published December 18, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
download-after-email
Sources
NVD
## CVE-2025-14904: WordPress vulnerability analysis and mitigation
The Newsletter Email Subscribe plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4. This is due to incorrect nonce validation on the nels_settings_page function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source: NVD
Score 4.3
Published January 7, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
## CVE-2025-13889: WordPress vulnerability analysis and mitigation
The Simple Nivo Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode parameter in all versions up to, and including, 0.5.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source: NVD
Score 6.4
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
## CVE-2025-69047: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion. This issue affects MaxShop: from n/a through <= 3.6.20.
Source: NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
sw_maxshop
Sources
NVD
## CVE-2025-62888: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Marco Milesi WP Attachments wp-attachments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Attachments: from n/a through <= 5.2.
Source: NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-attachments
Sources
NVD
## CVE-2026-28113 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Reflected XSS. This issue affects Ultimate Learning Pro: from n/a through <= 3.9.1.
Source : NVD
Score 7.1
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
indeed-learning-pro
Sources
NVD
## CVE-2025-69091 [MEDIUM] (CVSS 4.3): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Kraft Plugins Demo Importer Plus demo-importer-plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Demo Importer Plus: from n/a through <= 2.0.8.
Source : NVD
Score 4.3
Published December 30, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
demo-importer-plus
Sources
NVD
## CVE-2026-28107 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Muzicon muzicon allows PHP Local File Inclusion. This issue affects Muzicon: from n/a through <= 1.9.0.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
muzicon
Sources
NVD
## CVE-2025-67927 [MEDIUM] (CVSS 6.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS. This issue affects Link Whisper Free: from n/a through <= 0.8.8.
Source : NVD
Score 6.1
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
link-whisper
Sources
NVD
## CVE-2025-0969 [MEDIUM] (CVSS 6.5): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Brizy – Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.7.16 via the get_users() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including email addresses and hashed passwords of administrators.
Source : NVD
Score 6.5
Published December 13, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
brizy
Sources
NVD
## CVE-2026-24390 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1.
Source : NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kentha-elementor
Sources
NVD
## CVE-2025-58934 [HIGH] (CVSS 8.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes The Gig thegig allows PHP Local File Inclusion. This issue affects The Gig: from n/a through <= 1.18.0.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
thegig
Sources
NVD
## CVE-2025-68035 [HIGH] (CVSS 7.5): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data. This issue affects Tabby Checkout: from n/a through <= 5.8.4.
Source : NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tabby-checkout
Sources
NVD
## CVE-2025-67943 [HIGH] (CVSS 7.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
my-auctions-allegro-free-edition
Sources
NVD
## CVE-2025-68079 [MEDIUM] (CVSS 6.5): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Shortcodes salient-shortcodes allows Stored XSS. This issue affects Salient Shortcodes: from n/a through <= 1.5.4.
Source : NVD
Score 6.5
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salient-shortcodes
Sources
NVD
## CVE-2026-22495 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Greenville greenville allows PHP Local File Inclusion. This issue affects Greenville: from n/a through <= 1.3.2.
Source : NVD
Score 8.1
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
greenville
Sources
NVD
## CVE-2025-68883 [HIGH] (CVSS 7.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bidorbuystoreintegrator
Sources
NVD
## CVE-2026-1573 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
omigo_donate_button
Source : NVD
Score 6.4
Published February 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
omigo
Sources
NVD
## CVE-2026-3352 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
update_wp_memory_constants()
wp_memory_limit
wp_max_memory_limit
wp-config.php
sanitize_text_field()
define()
wp-config.php
Source : NVD
Score 7.2
Published March 7, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
easy-php-settings
Sources
NVD
## CVE-2025-58888 [HIGH] (CVSS 8.2): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes The Flash theflash allows PHP Local File Inclusion. This issue affects The Flash: from n/a through <= 1.15.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
theflash
Sources
NVD
## CVE-2026-23977 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WPFactory Helpdesk Support Ticket System for WooCommerce support-ticket-system-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Helpdesk Support Ticket System for WooCommerce: from n/a through <= 2.1.2.
Source : NVD
Score 7.5
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
support-ticket-system-for-woocommerce
Sources
NVD
## CVE-2025-50003 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion. This issue affects Amuli: from n/a through <= 2.3.0.
Source : NVD
Score 9.8
Published January 22, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
amuli
Sources
NVD
## CVE-2026-28032 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tuning tuning allows PHP Local File Inclusion. This issue affects Tuning: from n/a through <= 1.3.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
tuning
Sources
NVD
## CVE-2025-60063 [HIGH] (CVSS 8.2): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rosalinda rosalinda allows PHP Local File Inclusion. This issue affects Rosalinda: from n/a through <= 1.2.3.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
rosalinda
Sources
NVD
## CVE-2025-64227 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Object Injection. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.7.
Source : NVD
Score 9.8
Published December 18, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
sprout-invoices
Sources
NVD
## CVE-2025-15158 [HIGH] (CVSS 8.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Source : NVD
Score 8.8
Published January 7, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 54.4
Exploitation Probability (EPSS) 0.3
## CVE-2025-14720 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on multiple AJAX actions in all versions up to, and including, 1.2.38. This makes it possible for unauthenticated attackers to mark payments as refunded, trigger sending of queued notifications (emails/SMS/WhatsApp), and access debug information among other things.
Source : NVD
Score 5.3
Published January 9, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
## CVE-2026-4373 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The JetFormBuilder plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 3.5.6.2. This is due to the 'Uploaded_File::set_from_array' method accepting user-supplied file paths from the Media Field preset JSON payload without validating that the path belongs to the WordPress uploads directory. Combined with an insufficient same-file check in 'File_Tools::is_same_file' that only compares basenames, this makes it possible for unauthenticated attackers to exfiltrate arbitrary local files as email attachments by submitting a crafted form request when the form is configured with a Media Field and a Send Email action with file attachment.
Source : NVD
Score 7.5
## CVE-2026-28077 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion. This issue affects Vapester: from n/a through <= 1.1.10.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
vapester
Sources
NVD
## CVE-2025-68593 [HIGH] (CVSS 8.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1.
Source : NVD
Score 8.8
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
adminify
Sources
NVD
## CVE-2025-14891 [MEDIUM] (CVSS 6.4): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'displayName' parameter in all versions up to, and including, 5.93.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with customer-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. While it is possible to invoke the AJAX action without authentication, the attacker would need to know a valid form ID, which requires them to place an order. This vulnerability can be exploited by unauthenticated attackers if guest checkout is enabled. However, the form ID still needs to be obtai
## CVE-2025-15521 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user's identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and gain access to their account.
Source : NVD
Score 9.8
Published January 21, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2025-62097 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in seothemes SEO Slider seo-slider allows DOM-Based XSS. This issue affects SEO Slider: from n/a through <= 1.1.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
seo-slider
Sources
NVD
## CVE-2026-24543 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52.
Source : NVD
Score 4.3
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
materialis-companion
Sources
NVD
## CVE-2025-13419 [MEDIUM] (CVSS 5.3): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Guest posting / Frontend Posting / Front Editor – WP Front User Submit plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/bfe/v1/revert' REST API endpoint in all versions up to, and including, 5.0.0. This makes it possible for unauthenticated attackers to delete arbitrary media attachments.
Source : NVD
Score 5.3
Published January 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
front-editor
## CVE-2026-1447 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
Source : NVD
Score 5.4
Published February 3, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-2628 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.
Source : NVD
Score 9.8
Published March 3, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 62
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
login-with-azure
Sources
NVD
## CVE-2026-25376 [CRITICAL] (CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eyecix Addon Jobsearch Chat addon-jobsearch-chat allows Reflected XSS. This issue affects Addon Jobsearch Chat: from n/a through <= 3.0.
Source : NVD
Score 7.1
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
addon-jobsearch-chat
Sources
NVD
Wiz
CVE-2025-68036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68036 [CRITICAL] CVE-2025-68036 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68036 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Imran Tauqeer CubeWP cubewp-framework allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CubeWP: from n/a through <= 1.1.27.
Source : NVD
Published December 30, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cubewp-framework
Sources
NVD
Wiz
CVE-2025-14976 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-14976 [MEDIUM] CVE-2025-14976 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14976 :
WordPress vulnerability analysis and mitigation
The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.4.8. This is due to missing or incorrect nonce validation on the 'process_row_actions' function with the 'delete' action. This makes it possible for unauthenticated attackers to delete arbitrary posts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 5.4
Published January 10, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2025-11453 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-11453 [MEDIUM] CVE-2025-11453 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-11453 :
WordPress vulnerability analysis and mitigation
The Header and Footer Scripts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _inpost_head_script parameter in all versions up to, and including, 2.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Wiz
CVE-2025-49364 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-49364 [HIGH] CVE-2025-49364 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49364 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ludos Paradise ludos-paradise allows PHP Local File Inclusion. This issue affects Ludos Paradise: from n/a through <= 2.1.3.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ludos-paradise
Sources
NVD
Wiz
CVE-2025-69183 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-69183 [HIGH] CVE-2025-69183 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69183 :
WordPress vulnerability analysis and mitigation
Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9.
Source : NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
hospital-doctor-directory
Sources
NVD
Wiz
CVE-2025-69348 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69348 [MEDIUM] CVE-2025-69348 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69348 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CoolHappy The Events Calendar Countdown Addon countdown-for-the-events-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Events Calendar Countdown Addon: from n/a through <= 1.4.15.
Source : NVD
Score 5.4
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
countdown-for-the-events-calendar
Sources
NVD
Wiz
CVE-2025-13920 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-13920 [MEDIUM] CVE-2025-13920 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13920 :
WordPress vulnerability analysis and mitigation
The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles.
Source : NVD
Score 5.3
Published January 24, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 75.3
Exploitation Probability (EPSS) 0.9
Affected packages and libraries
wpdirectorykit
Sources
NVD
Wiz
CVE-2025-69014 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2025-69014 [MEDIUM] CVE-2025-69014 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69014 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in Youzify Youzify youzify allows Server Side Request Forgery. This issue affects Youzify: from n/a through <= 1.3.7.
Source : NVD
Score 4.9
Published December 30, 2025
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
youzify
Sources
NVD
Wiz
CVE-2025-13493 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-13493 [HIGH] CVE-2025-13493 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13493 :
WordPress vulnerability analysis and mitigation
The Latest Registered Users plugin for WordPress is vulnerable to unauthorized user data export in all versions up to, and including, 1.4. This is due to missing authorization and nonce validation in the rnd_handle_form_submit function hooked to both admin_post_my_simple_form and admin_post_nopriv_my_simple_form actions. This makes it possible for unauthenticated attackers to export complete user details (excluding passwords and sensitive tokens) in CSV format via the 'action' parameter.
Source : NVD
Score 7.5
Published January 7, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-67553 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67553 [MEDIUM] CVE-2025-67553 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67553 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHigh Advanced FAQ Manager advanced-faq-manager allows DOM-Based XSS. This issue affects Advanced FAQ Manager: from n/a through <= 1.5.2.
Source : NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
advanced-faq-manager
Sources
NVD
Wiz
CVE-2025-60183 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-60183 [MEDIUM] CVE-2025-60183 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-60183 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Stored XSS. This issue affects Silencesoft RSS Reader: from n/a through <= 0.6.
Source : NVD
Score 5.9
Published February 20, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
external-rss-reader
Sources
NVD
Wiz
CVE-2025-15487 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2025-15487 [MEDIUM] CVE-2025-15487 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15487 :
WordPress vulnerability analysis and mitigation
The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the 'file' parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Source : NVD
Score 4.9
Published February 4, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
code-explorer
Sources
NVD
Wiz
CVE-2026-24983 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24983 [CRITICAL] CVE-2026-24983 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24983 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UpSolution UpSolution Core us-core allows Reflected XSS. This issue affects UpSolution Core: from n/a through <= 8.41.
Source : NVD
Score 7.1
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
us-core
Sources
NVD
Wiz
CVE-2025-69297 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69297 [HIGH] CVE-2025-69297 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69297 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Aardvark Plugin: from n/a through <= 2.19.
Source : NVD
Score 7.5
Published February 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aardvark-plugin
Sources
NVD
Wiz
CVE-2025-22726 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-22726 [CRITICAL] CVE-2025-22726 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22726 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in _nK nK Themes Helper nk-themes-helper allows Server Side Request Forgery. This issue affects nK Themes Helper: from n/a through <= 1.7.9.
Source : NVD
Score 9.1
Published January 8, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nk-themes-helper
Sources
NVD
Wiz
CVE-2025-13613 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-13613 [CRITICAL] CVE-2025-13613 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13613 :
WordPress vulnerability analysis and mitigation
The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'eltdf_membership_check_facebook_user' and the 'eltdf_membership_login_user_from_social_network' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site, which can easily be created by default through the temp user functionality, and access to the administrative user's email.
Source : NVD
Score 9.8
Published December 10, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Wiz
CVE-2026-0692 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-0692 [HIGH] CVE-2026-0692 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0692 :
WordPress vulnerability analysis and mitigation
WC_Geolocation::get_ip_address()
Source : NVD
Score 7.5
Published February 14, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bluesnap-payment-gateway-for-woocommerce
Sources
NVD
Wiz
CVE-2026-24941 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24941 [CRITICAL] CVE-2026-24941 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24941 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.4.
Source : NVD
Score 7.5
Published February 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-job-portal
Sources
NVD
Wiz
CVE-2025-62145 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62145 [CRITICAL] CVE-2025-62145 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62145 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in NewClarity DMCA Protection Badge dmca-badge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DMCA Protection Badge: from n/a through <= 2.2.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dmca-badge
Sources
NVD
Wiz
CVE-2026-1657 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1657 [CRITICAL] CVE-2026-1657 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1657 :
WordPress vulnerability analysis and mitigation
The EventPrime plugin for WordPress is vulnerable to unauthorized image file upload in all versions up to, and including, 4.2.8.4. This is due to the plugin registering the upload_file_media AJAX action as publicly accessible (nopriv-enabled) without implementing any authentication, authorization, or nonce verification despite a nonce being created. This makes it possible for unauthenticated attackers to upload image files to the WordPress uploads directory and create Media Library attachments via the ep_upload_file_media endpoint.
Source : NVD
Score 5.3
Published February 17, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2025-68078 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68078 [MEDIUM] CVE-2025-68078 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68078 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNectar Salient Portfolio salient-portfolio allows Stored XSS. This issue affects Salient Portfolio: from n/a through <= 1.8.2.
Source : NVD
Score 6.5
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salient-portfolio
Sources
NVD
Wiz
CVE-2026-28031 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28031 [CRITICAL] CVE-2026-28031 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28031 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Invetex invetex allows PHP Local File Inclusion. This issue affects Invetex: from n/a through <= 2.18.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
invetex
Sources
NVD
Wiz
CVE-2026-2602 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2602 [CRITICAL] CVE-2026-2602 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2602 :
WordPress vulnerability analysis and mitigation
The Twentig plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'featuredImageSizeWidth' parameter in versions up to, and including, 1.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published March 29, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-3459 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3459 [CRITICAL] CVE-2026-3459 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3459 :
WordPress vulnerability analysis and mitigation
The Drag and Drop Multiple File Upload - Contact Form 7 plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'dnd_upload_cf7_upload' function in versions up to, and including, 1.3.7.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. This can be exploited if the form includes a multiple file upload field with ‘*’ as the accepted file type.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-69084 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69084 [CRITICAL] CVE-2025-69084 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69084 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gt3themes Photo Gallery gt3-photo-video-gallery allows Reflected XSS. This issue affects Photo Gallery: from n/a through <= 2.7.7.26.
Source : NVD
Published January 6, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gt3-photo-video-gallery
Sources
NVD
Wiz
CVE-2026-24534 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24534 [CRITICAL] CVE-2026-24534 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24534 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through <= 1.5.7.
Source : NVD
Score 8.8
Published January 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
booter-bots-crawlers-manager
Sources
NVD
Wiz
CVE-2026-1512 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1512 [CRITICAL] CVE-2026-1512 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1512 :
WordPress vulnerability analysis and mitigation
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Info Box widget in all versions up to, and including, 6.5.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-63072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-63072 [MEDIUM] CVE-2025-63072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63072 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in THEMECO Cornerstone cornerstone allows Stored XSS. This issue affects Cornerstone: from n/a through <= 7.7.3.
Source : NVD
Score 6.5
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cornerstone
Sources
NVD
Wiz
CVE-2026-25030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25030 [CRITICAL] CVE-2026-25030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25030 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in park_of_ideas Goldish goldish allows Object Injection. This issue affects Goldish: from n/a through < 3.47.
Source : NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
goldish
Sources
NVD
Wiz
CVE-2026-22435 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22435 [CRITICAL] CVE-2026-22435 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22435 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ElectroServ electroserv allows PHP Local File Inclusion. This issue affects ElectroServ: from n/a through <= 1.3.2.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
electroserv
Sources
NVD
Wiz
CVE-2025-13091 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13091 [MEDIUM] CVE-2025-13091 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13091 :
WordPress vulnerability analysis and mitigation
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin() function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install the 'fable-extra' plugin.
Source : NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shopire
Sources
NVD
Wiz
CVE-2025-58879 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2025-58879 [HIGH] CVE-2025-58879 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58879 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion. This issue affects Festy: from n/a through <= 1.13.0.
Source : NVD
Score 8.2
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
festy
Sources
NVD
Wiz
CVE-2026-24981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24981 [CRITICAL] CVE-2026-24981 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24981 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in NooTheme Visionary Core noo-visionary-core allows Object Injection. This issue affects Visionary Core: from n/a through <= 1.4.9.
Source : NVD
Score 8.8
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
noo-visionary-core
Sources
NVD
Wiz
CVE-2025-62128 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62128 [CRITICAL] CVE-2025-62128 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62128 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.1.
Source : NVD
Published December 30, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sitelock
Sources
NVD
Wiz
CVE-2025-23707 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-23707 [CRITICAL] CVE-2025-23707 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-23707 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Matamko En Masse en-masse-wp allows Reflected XSS. This issue affects En Masse: from n/a through <= 1.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
en-masse-wp
Sources
NVD
Wiz
CVE-2026-0604 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-0604 [MEDIUM] CVE-2026-0604 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0604 :
WordPress vulnerability analysis and mitigation
The FastDup – Fastest WordPress Migration & Duplicator plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.7 via the 'dir_path' parameter in the 'njt-fastdup/v1/template/directory-tree' REST API endpoint. This makes it possible for authenticated attackers, with Contributor-level access and above, to read the contents of arbitrary directories on the server, which can contain sensitive information.
Source : NVD
## 6.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.6
Wiz
CVE-2026-27361 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27361 [CRITICAL] CVE-2026-27361 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27361 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WebCodingPlace Responsive Posts Carousel Pro responsive-posts-carousel-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Responsive Posts Carousel Pro: from n/a through <= 15.1.
Source : NVD
## 7.5
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
responsive-posts-carousel-pro
Sources
NVD
Wiz
CVE-2025-15000 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2025-15000 [MEDIUM] CVE-2025-15000 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15000 :
WordPress vulnerability analysis and mitigation
The Page Keys plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_key’ parameter in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-67580 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67580 [MEDIUM] CVE-2025-67580 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67580 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Constant Contact Constant Contact + WooCommerce constant-contact-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Constant Contact + WooCommerce: from n/a through <= 2.4.1.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
constant-contact-woocommerce
Sources
NVD
Wiz
CVE-2026-28093 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28093 [CRITICAL] CVE-2026-28093 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28093 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion. This issue affects Ozisti: from n/a through <= 1.1.10.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
ozisti
Sources
NVD
Wiz
CVE-2025-13747 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13747 [MEDIUM] CVE-2025-13747 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13747 :
WordPress vulnerability analysis and mitigation
The NewStatPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a regex bypass in nsp_shortcode function in all versions up to, and including, 1.4.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Wiz
CVE-2026-32514 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32514 [CRITICAL] CVE-2026-32514 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32514 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Anton Voytenko Petitioner petitioner allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Petitioner: from n/a through <= 0.7.3.
Source : NVD
## 6.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
petitioner
Sources
NVD
Wiz
CVE-2026-28037 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28037 [CRITICAL] CVE-2026-28037 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28037 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ashanjay EventON eventon allows Reflected XSS. This issue affects EventON: from n/a through <= 4.9.12.
Source : NVD
## 7.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
eventON
Sources
NVD
Wiz
CVE-2025-62124 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62124 [CRITICAL] CVE-2025-62124 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62124 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soli WP Post Signature wp-post-signature allows Stored XSS. This issue affects WP Post Signature: from n/a through <= 0.4.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-post-signature
Sources
NVD
Wiz
CVE-2025-14047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14047 [MEDIUM] CVE-2025-14047 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14047 :
WordPress vulnerability analysis and mitigation
The Registration, User Profile, Membership, Content Restriction, User Directory, and Frontend Post Submission – WP User Frontend plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'Frontend_Form_Ajax::submit_post' function in all versions up to, and including, 4.2.4. This makes it possible for unauthenticated attackers to delete attachments.
Source : NVD
## 5.3
Score
Published January 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-30628 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2025-30628 [HIGH] CVE-2025-30628 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-30628 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection. This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.
Source : NVD
## 8.5
Score
Published December 31, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
azon-addon-js-composer
Sources
NVD
Wiz
CVE-2025-69300 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69300 [MEDIUM] CVE-2025-69300 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69300 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
premium-addons-for-elementor
Sources
NVD
Wiz
CVE-2026-22373 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22373 [CRITICAL] CVE-2026-22373 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22373 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fooddy fooddy allows PHP Local File Inclusion. This issue affects Fooddy: from n/a through <= 1.3.10.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
fooddy
Sources
NVD
Wiz
CVE-2025-39484 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-39484 [CRITICAL] CVE-2025-39484 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-39484 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Waituk Entrada allows SQL Injection. This issue affects Entrada: from n/a through 5.7.7.
Source : NVD
## 9.3
Score
Published January 5, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
entrada
Sources
NVD
Wiz
CVE-2026-27362 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27362 [CRITICAL] CVE-2026-27362 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27362 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in kamleshyadav WP Bakery Autoresponder Addon vc-autoresponder-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bakery Autoresponder Addon: from n/a through <= 1.0.6.
Source : NVD
## 6.5
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vc-autoresponder-addon
Sources
NVD
Wiz
CVE-2026-22436 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22436 [CRITICAL] CVE-2026-22436 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22436 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Helvig helvig allows PHP Local File Inclusion. This issue affects Helvig: from n/a through <= 1.0.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
helvig
Sources
NVD
Wiz
CVE-2025-14657 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-14657 [HIGH] CVE-2025-14657 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14657 :
WordPress vulnerability analysis and mitigation
The Eventin – Event Manager, Events Calendar, Event Tickets and Registrations plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'post_settings' function in all versions up to, and including, 4.0.51. This makes it possible for unauthenticated attackers to modify plugin settings. Furthermore, due to insufficient input sanitization and output escaping on the 'etn_primary_color' setting, this enables unauthenticated attackers to inject arbitrary web scripts that will execute whenever a user accesses a page where Eventin styles are loaded.
Source : NVD
## 7.2
Score
Published January 9, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Wiz
CVE-2026-1540 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1540 [CRITICAL] CVE-2026-1540 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1540 :
WordPress vulnerability analysis and mitigation
The Spam Protect for Contact Form 7 WordPress plugin before 1.2.10 allows logging to a PHP file, which could allow an attacker with editor access to achieve Remote Code Execution by using a crafted header.
Source : NVD
## 7.2
Score
Published April 2, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-contact-form-7-spam-blocker
Sources
NVD
Wiz
CVE-2026-28038 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28038 [CRITICAL] CVE-2026-28038 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28038 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Brainstorm_Force Ultimate Addons for WPBakery Page Builder ultimate_vc_addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for WPBakery Page Builder: from n/a through < 3.21.1.
Source : NVD
## 6.5
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Ultimate_VC_Addons
Sources
NVD
Wiz
CVE-2025-14444 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14444 [MEDIUM] CVE-2025-14444 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14444 :
WordPress vulnerability analysis and mitigation
The RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login plugin for WordPress is vulnerable to payment bypass due to insufficient verification of data authenticity on the 'process_paypal_sdk_payment' function in all versions up to, and including, 6.0.6.9. This is due to the plugin trusting client-supplied values for payment verification without validating that the payment actually went through PayPal. This makes it possible for unauthenticated attackers to bypass paid registration by manipulating payment status and activating their account without completing a real PayPal payment.
Source : NVD
## 5.3
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 5.3
Wiz
CVE-2026-1426 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1426 [CRITICAL] CVE-2026-1426 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1426 :
WordPress vulnerability analysis and mitigation
The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcode_check function within the Live Composer compatibility layer. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensi
Wiz
CVE-2025-63049 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-63049 [MEDIUM] CVE-2025-63049 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63049 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in CridioStudio ListingPro Lead Form listingpro-lead-form allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects ListingPro Lead Form: from n/a through <= 1.0.2.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
listingpro-lead-form
Sources
NVD
Wiz
CVE-2025-68592 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68592 [HIGH] CVE-2025-68592 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68592 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Liton Arefin WP Adminify adminify allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Adminify: from n/a through <= 4.0.6.1.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
adminify
Sources
NVD
Wiz
CVE-2025-68989 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68989 [HIGH] CVE-2025-68989 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68989 :
WordPress vulnerability analysis and mitigation
Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson contact-form-7-mailchimp-extension contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data. This issue affects contact-form-7-mailchimp-extension: from n/a through <= 0.9.68.
Source : NVD
## 7.5
Score
Published December 30, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
contact-form-7-mailchimp-extension
Sources
NVD
Wiz
CVE-2026-2720 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2720 [CRITICAL] CVE-2026-2720 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2720 :
WordPress vulnerability analysis and mitigation
hrp-fetch-employees
Source : NVD
## 6.5
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hr-press-lite
Sources
NVD
Wiz
CVE-2025-14907 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14907 [MEDIUM] CVE-2025-14907 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14907 :
WordPress vulnerability analysis and mitigation
The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-14476 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-14476 [HIGH] CVE-2025-14476 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14476 :
WordPress vulnerability analysis and mitigation
The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. This is only exploitable by subscribers, when administrators have explicitly enabled that access.
Source : NVD
## 8.8
Score
Published December 13, 2025
Severity HIGH
Wiz
CVE-2025-68871 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68871 [HIGH] CVE-2025-68871 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68871 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0.
Source : NVD
## 7.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dooodl
Sources
NVD
Wiz
CVE-2025-69301 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69301 [CRITICAL] CVE-2025-69301 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69301 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeGoods PhotoMe photome allows Object Injection. This issue affects PhotoMe: from n/a through <= 5.6.11.
Source : NVD
## 9.8
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
photome
Sources
NVD
Wiz
CVE-2025-68992 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68992 [MEDIUM] CVE-2025-68992 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68992 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in xenioushk BWL Knowledge Base Manager bwl-kb-manager allows Stored XSS. This issue affects BWL Knowledge Base Manager: from n/a through <= 1.6.3.
Source : NVD
## 6.5
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bwl-kb-manager
Sources
NVD
Wiz
CVE-2026-24532 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24532 [CRITICAL] CVE-2026-24532 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24532 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in SiteLock SiteLock Security – WP Hardening, Login Security & Malware Scans sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security – WP Hardening, Login Security & Malware Scans: from n/a through <= 5.0.2.
Source : NVD
## 8.8
Score
Published January 23, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sitelock
Sources
NVD
Wiz
CVE-2025-49358 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-49358 [CRITICAL] CVE-2025-49358 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49358 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ruhul Amin Content Fetcher content-fetcher allows DOM-Based XSS. This issue affects Content Fetcher: from n/a through <= 1.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
content-fetcher
Sources
NVD
Wiz
CVE-2024-54263 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2024-54263 [HIGH] CVE-2024-54263 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-54263 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion. This issue affects Spirit Framework: from n/a through 1.2.13.
Source : NVD
## 7.5
Score
Published February 2, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
spirit-framework
Sources
NVD
Wiz
CVE-2025-13416 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13416 [MEDIUM] CVE-2025-13416 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13416 :
WordPress vulnerability analysis and mitigation
The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action.
Source : NVD
## 4.3
Score
Published February 5, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.
Wiz
CVE-2025-68069 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68069 [HIGH] CVE-2025-68069 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68069 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Directorist: from n/a through <= 8.6.6.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
directorist
Sources
NVD
Wiz
CVE-2025-67593 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-67593 [MEDIUM] CVE-2025-67593 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67593 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.48.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
userswp
Sources
NVD
Wiz
CVE-2025-53448 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-53448 [HIGH] CVE-2025-53448 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53448 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rally rally allows PHP Local File Inclusion. This issue affects Rally: from n/a through <= 1.1.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
rally
Sources
NVD
Wiz
CVE-2026-32453 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32453 [CRITICAL] CVE-2026-32453 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32453 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ThemeFusion Avada Core fusion-core allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avada Core: from n/a through < 5.15.0.
Source : NVD
## 5.3
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fusion-core
Sources
NVD
Wiz
CVE-2025-12705 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-12705 [HIGH] CVE-2025-12705 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12705 :
WordPress vulnerability analysis and mitigation
The Social Reviews & Recommendations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in the 'trim_text' function in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 2.5.
Source : NVD
## 7.2
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-13892 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-13892 [MEDIUM] CVE-2025-13892 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13892 :
WordPress vulnerability analysis and mitigation
$_SERVER['PHP_SELF']
Source : NVD
## 6.1
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mg-advancedoptions
Sources
NVD
Wiz
CVE-2025-68494 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68494 [HIGH] CVE-2025-68494 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68494 :
WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Retrieve Embedded Sensitive Data. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.53.
Source : NVD
## 7.5
Score
Published December 24, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
premium-addons-for-elementor
Sources
NVD
Wiz
CVE-2025-68876 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68876 [CRITICAL] CVE-2025-68876 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68876 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in INVELITY Invelity SPS connect invelity-sps-connect allows Reflected XSS. This issue affects Invelity SPS connect: from n/a through <= 1.0.8.
Source : NVD
Published December 29, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
invelity-sps-connect
Sources
NVD
Wiz
CVE-2026-28067 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28067 [CRITICAL] CVE-2026-28067 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28067 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Bassein bassein allows PHP Local File Inclusion. This issue affects Bassein: from n/a through <= 1.0.15.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
bassein
Sources
NVD
Wiz
CVE-2025-68985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68985 [CRITICAL] CVE-2025-68985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68985 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Aora aora allows PHP Local File Inclusion. This issue affects Aora: from n/a through <= 1.3.15.
Source : NVD
## 9.8
Score
Published December 30, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
aora
Sources
NVD
Wiz
CVE-2026-24587 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24587 [CRITICAL] CVE-2026-24587 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24587 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305.
Source : NVD
## 5.4
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ajax-hits-counter
Sources
NVD
Wiz
CVE-2026-2707 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2707 [CRITICAL] CVE-2026-2707 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2707 :
WordPress vulnerability analysis and mitigation
`/wp-json/weforms/v1/forms/{id}/entries/`, `prepare_entry()`, `class-abstract-fields.php`, `$args`, `weforms_clean()`, `$_POST`, `trim()`, `v-html`
Source : NVD
## 6.4
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
weforms
Sources
NVD
Wiz
CVE-2026-3138 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3138 [CRITICAL] CVE-2026-3138 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3138 :
WordPress vulnerability analysis and mitigation
`wp_ajax_nopriv_`, `__call()`, `havePermissions()`, `true`, `wp_wpf_filters`, `action=delete`
Source : NVD
## 6.5
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
woo-product-filter
Sources
NVD
Wiz
CVE-2026-2433 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2433 [CRITICAL] CVE-2026-2433 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2433 :
WordPress vulnerability analysis and mitigation
The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via postMessage in all versions up to, and including, 5.0.11. This is due to the plugin's admin-shell.js registering a global message event listener without origin validation (missing event.origin check) and directly passing user-controlled URLs to window.open() without URL scheme validation. This makes it possible for unauthenticated attackers to execute arbitrary JavaScript in the context of an authenticated administrator's session by tricking them into visiting a malicious website that sends crafted postMessage payloads to the plugin's admin page.
Source : NVD
## 6.1
Score
Wiz
CVE-2025-58936 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58936 [HIGH] CVE-2025-58936 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58936 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Catamaran catamaran allows PHP Local File Inclusion. This issue affects Catamaran: from n/a through <= 1.15.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
catamaran
Sources
NVD
Wiz
CVE-2025-13766 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-13766 [MEDIUM] CVE-2025-13766 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13766 :
WordPress vulnerability analysis and mitigation
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to missing capability checks on multiple REST API endpoints in all versions up to, and including, 3.7.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload or delete arbitrary media files, delete or modify posts, and create/manage course templates.
Source : NVD
## 5.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz
CVE-2025-14344 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-14344 [CRITICAL] CVE-2025-14344 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14344 :
WordPress vulnerability analysis and mitigation
The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
Source : NVD
## 9.8
Score
Published December 12, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 58.5
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
gf-multi-uploader
Sources
NVD
Wiz
CVE-2026-1258 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1258 [CRITICAL] CVE-2026-1258 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1258 :
WordPress vulnerability analysis and mitigation
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2. This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
Source : NVD
## 4.9
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2025-14395 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14395 [MEDIUM] CVE-2025-14395 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14395 :
WordPress vulnerability analysis and mitigation
The Popover Windows plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on multiple ajax actions (e.g., pop_submit, poptheme_submit) in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the plugin's settings and content.
Source : NVD
## 4.3
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
popover-windows
Wiz
CVE-2026-28015 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28015 [CRITICAL] CVE-2026-28015 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28015 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX ShiftCV shift-cv allows PHP Local File Inclusion. This issue affects ShiftCV: from n/a through <= 3.0.14.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
shift-cv
Sources
NVD
Wiz
CVE-2025-13930 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-13930 [MEDIUM] CVE-2025-13930 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13930 :
WordPress vulnerability analysis and mitigation
The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. This is due to the plugin not properly verifying that a user is authorized to delete an attachment combined with flawed guest order ownership validation. This makes it possible for unauthenticated attackers to delete attachments associated with guest orders using only the publicly available wooccm_upload nonce and attachment ID.
Source : NVD
## 5.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-50007 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-50007 [HIGH] CVE-2025-50007 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-50007 :
WordPress vulnerability analysis and mitigation
Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4.
Source : NVD
## 8.8
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
xsmart
Sources
NVD
Wiz
CVE-2025-62961 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62961 [CRITICAL] CVE-2025-62961 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62961 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in sparklewpthemes Sparkle FSE sparkle-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sparkle FSE: from n/a through <= 1.0.9.
Source : NVD
Published December 18, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sparkle-fse
Sources
NVD
Wiz
CVE-2025-12398 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-12398 [MEDIUM] CVE-2025-12398 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12398 :
WordPress vulnerability analysis and mitigation
The Product Table for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'search_key' parameter in all versions up to, and including, 5.0.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published December 21, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33
Wiz
CVE-2026-22473 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22473 [CRITICAL] CVE-2026-22473 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22473 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in designthemes Dental Clinic dental allows Object Injection. This issue affects Dental Clinic: from n/a through <= 3.7.
Source : NVD
## 8.8
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dental
Sources
NVD
Wiz
CVE-2025-15491 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2025-15491 [MEDIUM] CVE-2025-15491 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15491 :
WordPress vulnerability analysis and mitigation
The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks.
Source : NVD
## 5.5
Score
Published February 7, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
post-slides
Sources
NVD
Wiz
CVE-2025-13962 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13962 [MEDIUM] CVE-2025-13962 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13962 :
WordPress vulnerability analysis and mitigation
The Divelogs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'latestdive' shortcode in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Wiz
CVE-2025-53335 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-53335 [HIGH] CVE-2025-53335 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53335 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Berger berger allows PHP Local File Inclusion. This issue affects Berger: from n/a through <= 1.1.1.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
berger
Sources
NVD
Wiz
CVE-2023-47232 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2023-47232 [MEDIUM] CVE-2023-47232 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2023-47232 :
WordPress vulnerability analysis and mitigation
Vulnerability in mojofywp WP Affiliate Disclosure wp-affiliate-disclosure. This issue affects WP Affiliate Disclosure: from n/a through 1.2.6.
Source : NVD
## 4.3
Score
Published December 21, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-affiliate-disclosure
Sources
NVD
Wiz
CVE-2026-1569 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1569 [CRITICAL] CVE-2026-1569 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1569 :
WordPress vulnerability analysis and mitigation
wueen-blocket
Source : NVD
## 6.4
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wueen
Sources
NVD
## Related WordPress vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | No | Yes | Apr 0 |
Wiz
CVE-2026-0693 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2026-0693 [MEDIUM] CVE-2026-0693 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0693 :
WordPress vulnerability analysis and mitigation
wp_kses_data
Source : NVD
## 4.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
allow-html-in-category-descriptions
Sources
NVD
Wiz
CVE-2025-69008 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2025-69008 [MEDIUM] CVE-2025-69008 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69008 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Inboxify Inboxify Sign Up Form inboxify-sign-up-form allows Stored XSS. This issue affects Inboxify Sign Up Form: from n/a through <= 1.0.4.
Source : NVD
Score 5.9
Published December 30, 2025
Severity MEDIUM
CNA Score 5.9
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
inboxify-sign-up-form
Sources
NVD
CVE-2025-47555 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.1)
## CVE-2025-47555: WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4.
Source : NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tutor
Sources
NVD
CVE-2025-67916 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.1)
## CVE-2025-67916: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Reflected XSS. This issue affects Jobify: from n/a through <= 4.3.0.
Source : NVD
Score 6.1
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jobify
Sources
NVD
CVE-2026-25372 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-25372: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Kodezen LLC Academy LMS academy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.5.3.
Source : NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
academy
Sources
NVD
CVE-2026-1983 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-1983: WordPress vulnerability analysis and mitigation
The SEATT: Simple Event Attendance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5.0. This is due to missing nonce validation on the event deletion functionality. This makes it possible for unauthenticated attackers to delete arbitrary events via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published February 14, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
CVE-2025-68890 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.1)
## CVE-2025-68890: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS. This issue affects e-shops: from n/a through <= 1.0.4.
Source : NVD
Score 6.1
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
e-shops-cart2
Sources
NVD
CVE-2026-22406 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-22406: WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3.
Source : NVD
Score 5.4
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
overton
Sources
NVD
CVE-2026-24524 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-24524: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.2.6.
Source : NVD
Score 8.1
Published January 23, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tablesome
Sources
NVD
CVE-2025-67576 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.3)
## CVE-2025-67576: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in QuantumCloud Simple Link Directory simple-link-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Link Directory: from n/a through <= 8.8.3.
Source : NVD
Score 5.3
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-link-directory
Sources
NVD
CVE-2025-11363 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.3)
## CVE-2025-11363: WordPress vulnerability analysis and mitigation
The Royal Addons for Elementor WordPress plugin before 1.7.1037 does not have proper authorisation, allowing unauthenticated users to upload media files via the wpr_addons_upload_file action.
Source : NVD
Score 5.3
Published December 15, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
royal-elementor-addons
Sources
NVD
CVE-2025-13843 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.4)
## CVE-2025-13843: WordPress vulnerability analysis and mitigation
The VigLink SpotLight By ShortCode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'float' parameter of the 'spotlight' shortcode in all versions up to, and including, 1.0.a due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-1127 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-1127: WordPress vulnerability analysis and mitigation
id
Source : NVD
Score 6.1
Published January 24, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
timeline-event-history
Sources
NVD
CVE-2025-67952 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.1)
## CVE-2025-67952: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grandtour
Sources
NVD
CVE-2026-1748 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-1748: WordPress vulnerability analysis and mitigation
The Invoct – PDF Invoices & Billing for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple functions in all versions up to, and including, 1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve invoice clients, invoice items, and list of WordPress users along with their emails.
Source : NVD
Score 4.3
Published February 11, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
CVE-2025-49334 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2025-49334: WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Eduardo Villão MyD Delivery myd-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MyD Delivery: from n/a through <= 1.7.1.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
myd-delivery
Sources
NVD
CVE-2026-2893 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-2893: WordPress vulnerability analysis and mitigation
The Page and Post Clone plugin for WordPress is vulnerable to SQL Injection via the 'meta_key' parameter in the content_clone() function in all versions up to, and including, 6.3. This is due to insufficient escaping on the user-supplied meta_key value and insufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The injection is second-order: the malicious payload is stored as a post meta key and executed when the post is cloned.
Source : NVD
Score 6.5
Published March 5, 2026
Severity MEDIUM
CVE-2025-53431 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.1)
## CVE-2025-53431: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Emberlyn emberlyn allows PHP Local File Inclusion. This issue affects Emberlyn: from n/a through <= 1.3.1.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
emberlyn
Sources
NVD
CVE-2026-22479 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-22479: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ThemeRuby Easy Post Submission easy-post-submission allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Post Submission: from n/a through <= 2.4.0.
Source : NVD
Score 7.5
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-post-submission
Sources
NVD
CVE-2025-60067 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.1)
## CVE-2025-60067: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Giardino giardino allows PHP Local File Inclusion. This issue affects Giardino: from n/a through <= 1.1.10.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
giardino
Sources
NVD
CVE-2026-0751 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-0751: WordPress vulnerability analysis and mitigation
The Payment Page | Payment Form for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'pricing_plan_select_text_font_family' parameter in all versions up to, and including, 1.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.8
CVE-2026-28043 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-28043: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion. This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through <= 1.0.0.
Source : NVD
Score 9.8
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
healer
Sources
NVD
CVE-2025-64282 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2025-64282: WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks radius-blocks allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Radius Blocks: from n/a through <= 2.2.1.
Source : NVD
Published December 18, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
radius-blocks
Sources
NVD
CVE-2025-69336 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3)
## CVE-2025-69336: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in bdthemes Ultimate Store Kit Elementor Addons ultimate-store-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Store Kit Elementor Addons: from n/a through <= 2.9.4.
Source : NVD
Score 4.3
Published January 6, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-store-kit
Sources
NVD
CVE-2025-69015 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 3.8)
## CVE-2025-69015: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crowdsignal Forms: from n/a through <= 1.7.2.
Source : NVD
Score 3.8
Published December 30, 2025
Severity LOW
CNA Score 3.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
crowdsignal-forms
Sources
NVD
CVE-2026-2890 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-2890: WordPress vulnerability analysis and mitigation
handle_one_time_stripe_link_return_url
verify_intent()
Source : NVD
Score 7.5
Published March 13, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
formidable
Sources
NVD
CVE-2025-67615 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.1)
## CVE-2025-67615: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1.
Source : NVD
Score 8.1
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
myour
Sources
NVD
CVE-2025-14034 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.3)
## CVE-2025-14034: WordPress vulnerability analysis and mitigation
The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized modification and loss of data due to a missing capability check on the 'delete_single_ticket_callback' and 'change_ticket_status_callback' functions in all versions up to, and including, 1.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary support tickets and modify their status.
Source : NVD
Score 5.3
Published January 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
CVE-2025-69325 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.3)
## CVE-2025-69325: WordPress vulnerability analysis and mitigation
Path Traversal: '.../...//' vulnerability in primersoftware Primer MyData for Woocommerce primer-mydata allows Path Traversal. This issue affects Primer MyData for Woocommerce: from n/a through <= 4.2.8.
Source : NVD
Score 5.3
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
primer-mydata
Sources
NVD
CVE-2026-1336 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-1336: WordPress vulnerability analysis and mitigation
The AI ChatBot with ChatGPT and Content Generator by AYS plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on the store_data() and get_chatgpt_api_key() functions in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to view, modify or delete the plugin's ChatGPT API key.
The vulnerability was partially fixed in version 2.7.5 and fully fixed in version 2.7.6.
Source : NVD
Score 5.3
Published March 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-23705 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2025-23705: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Terry Zielke Zielke Design Project Gallery zielke-design-project-gallery allows Reflected XSS. This issue affects Zielke Design Project Gallery: from n/a through <= 2.5.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
zielke-design-project-gallery
Sources
NVD
CVE-2026-22392 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-22392: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Cortex cortex allows PHP Local File Inclusion. This issue affects Cortex: from n/a through <= 1.5.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
cortex
Sources
NVD
CVE-2026-25007 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-25007: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Blind SQL Injection. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.2.
Source : NVD
Score 8.5
Published March 25, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
elementinvader-addons-for-elementor
Sources
NVD
CVE-2026-22407 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-22407: WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a through <= 2.1.1.
Source : NVD
Score 5.4
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
roam
Sources
NVD
CVE-2026-24564 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8)
## CVE-2026-24564: WordPress vulnerability analysis and mitigation
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.5.
Source : NVD
Score 4.3
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
webtexttool
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68546 [CRITICAL] CVE-2025-68546 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68546: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion. This issue affects Nika: from n/a through <= 1.2.14.
Source : NVD
Published December 23, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nika
Sources
NVD
Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68913 [HIGH] CVE-2025-68913 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68913: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Miion miion allows PHP Local File Inclusion. This issue affects Miion: from n/a through <= 1.2.7.
Source : NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.3
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
miion
Sources
NVD
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-64239 [MEDIUM] CVE-2025-64239 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64239: WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Yoav Farhi RTL Tester rtl-tester allows Cross Site Request Forgery. This issue affects RTL Tester: from n/a through <= 1.2.
Source : NVD
Score 4.3
Published December 16, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
rtl-tester
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24940 [CRITICAL] CVE-2026-24940 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24940: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through <= 1.3.3.
Source : NVD
Score 4.3
Published February 3, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
travelfic-toolkit
Sources
NVD
Wiz
blogs_wiz·CVSS 4.9
CVE-2025-14719 [MEDIUM] CVE-2025-14719 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14719: WordPress vulnerability analysis and mitigation
The Relevanssi WordPress plugin before 4.26.0 and the Relevanssi Premium WordPress plugin before 2.29.0 do not sanitize and escape a parameter before using it in a SQL statement, allowing contributor and above roles to perform SQL injection attacks.
Source : NVD
Score 4.9
Published January 7, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
relevanssi
relevanssi-premium
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22456 [CRITICAL] CVE-2026-22456 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22456: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Askka askka allows PHP Local File Inclusion. This issue affects Askka: from n/a through <= 1.0.
Source : NVD
Score 8.1
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
askka
Sources
NVD
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14342 [MEDIUM] CVE-2025-14342 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14342: WordPress vulnerability analysis and mitigation
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the sq_ajax_uninstall function in all versions up to, and including, 12.4.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from Squirrly's cloud service.
Source : NVD
Score 4.3
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
squirrly-seo
Sources
Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68847 [HIGH] CVE-2025-68847 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68847: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS. This issue affects iSape: from n/a through <= 0.72.
Source : NVD
Score 7.1
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
isape
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27338 [CRITICAL] CVE-2026-27338 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27338: WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in AivahThemes Car Zone carzone allows Object Injection. This issue affects Car Zone: from n/a through <= 3.7.
Source : NVD
Score 8.8
Published March 5, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
carzone
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2499 [CRITICAL] CVE-2026-2499 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2499: WordPress vulnerability analysis and mitigation
The Custom Logo plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
Score 4.4
Published February 26, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3554 [CRITICAL] CVE-2026-3554 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3554: WordPress vulnerability analysis and mitigation
Source : NVD
Score 6.4
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sherk-custom-post-type-displays
Sources
NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | N | | |
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-69016 [MEDIUM] CVE-2025-69016 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69016: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.15.
Source : NVD
Score 4.3
Published December 30, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
auxin-elements
Sources
NVD
Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58928 [HIGH] CVE-2025-58928 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58928: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Heart heart allows PHP Local File Inclusion. This issue affects Heart: from n/a through <= 1.8.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
heart
Sources
NVD
Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68894 [HIGH] CVE-2025-68894 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68894: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2.
Source : NVD
Score 7.1
Published January 22, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shoutout
Sources
NVD
Wiz
blogs_wiz·CVSS 5.5
CVE-2025-14721 [MEDIUM] CVE-2025-14721 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14721: WordPress vulnerability analysis and mitigation
The Responsive and Swipe slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's rsSlider shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 5.5
Published December 20, 2025
Severity MEDIUM
CNA Score 5.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27069 [CRITICAL] CVE-2026-27069 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27069: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through <= 8.7.2.
Source : NVD
Score 6.5
Published February 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
soledad
Sources
NVD
Wiz
blogs_wiz·CVSS 8.8
CVE-2025-14364 [HIGH] CVE-2025-14364 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14364: WordPress vulnerability analysis and mitigation
The Demo Importer Plus plugin for WordPress is vulnerable to unauthorized modification of data, loss of data, and privilege escalation due to a missing capability check on the Ajax::handle_request() function in all versions up to, and including, 2.0.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a full site reset, dropping all database tables except users/usermeta and re-running wp_install(), which also assigns the Administrator role to the attacking subscriber account.
Source : NVD
Score 8.8
Published December 18, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13194 [MEDIUM] CVE-2025-13194 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13194: WordPress vulnerability analysis and mitigation
The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the 'SurveyJS_RenameSurvey' AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
Score 4.3
Published January 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
blogs_wiz·CVSS 6.4
CVE-2026-0559 [MEDIUM] CVE-2026-0559 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0559: WordPress vulnerability analysis and mitigation
The MasterStudy LMS WordPress Plugin – for Online Courses and Education plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'stm_lms_courses_grid_display' shortcode in all versions up to, and including, 3.7.11 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68070 [MEDIUM] CVE-2025-68070 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68070: WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Vektor,Inc. VK Google Job Posting Manager vk-google-job-posting-manager allows Stored XSS. This issue affects VK Google Job Posting Manager: from n/a through <= 1.2.22.
Source : NVD
Score 6.5
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vk-google-job-posting-manager
Sources
NVD
Wiz
blogs_wiz·CVSS 4.3
CVE-2025-66527 [MEDIUM] CVE-2025-66527 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66527: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6.
Source : NVD
Score 4.3
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
lobo
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23541 [CRITICAL] CVE-2026-23541 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23541: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through <= 1.19.4.
Source : NVD
Published February 19, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mail-mint
Sources
NVD
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1581 [CRITICAL] CVE-2026-1581 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1581: WordPress vulnerability analysis and mitigation
The wpForo Forum plugin for WordPress is vulnerable to time-based SQL Injection via the 'wpfob' parameter in all versions up to, and including, 2.4.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
Score 7.5
Published February 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 95.1
Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68003 [MEDIUM] CVE-2025-68003 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68003: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10.
Source : NVD
Score 6.5
Published January 22, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12
Exploitation Probability (EPSS) N/A
Affected packages and libraries
shown-connector
Sources
NVD
Wiz
blogs_wiz·CVSS 8.8
CVE-2025-49049 [HIGH] CVE-2025-49049 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49049: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.39.
Source : NVD
Score 8.8
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dzs-videogallery
Sources
NVD
Wiz
blogs_wiz·CVSS 8.1
CVE-2025-53446 [HIGH] CVE-2025-53446 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53446: WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Beautique beautique allows PHP Local File Inclusion. This issue affects Beautique: from n/a through <= 1.5.
Source : NVD
Score 8.1
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
beautique
Sources
NVD
Wiz
blogs_wiz·CVSS 5.3
CVE-2025-10734 [MEDIUM] CVE-2025-10734 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-10734: WordPress vulnerability analysis and mitigation
The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated attackers to extract sensitive data including user names, emails, phone numbers, addresses.
Source : NVD
Score 5.3
Published March 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68551 [CRITICAL] CVE-2025-68551 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68551: WordPress vulnerability analysis and mitigation
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Vikas Ratudi VPSUForm v-form allows Retrieve Embedded Sensitive Data. This issue affects VPSUForm: from n/a through <= 3.2.24.
Source : NVD
Published December 23, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
v-form
Sources
NVD
Wiz
blogs_wiz·CVSS 7.2
CVE-2025-14509 [HIGH] CVE-2025-14509 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14509: WordPress vulnerability analysis and mitigation
The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. This is due to the plugin using eval() to execute user-supplied input from the 'Conditional Tags' setting without proper validation or sanitization. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary PHP code on the server. In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Source : NVD
Score 7.2
Published December 30, 2025
Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67520 [CRITICAL] CVE-2025-67520 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67520: WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Tiny Solutions Media Library Tools media-library-tools allows SQL Injection. This issue affects Media Library Tools: from n/a through <= 1.6.15.
Source : NVD
Score 9.8
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
media-library-tools
Sources
NVD
Wiz
blogs_wiz·CVSS 6.4
CVE-2025-12885 [MEDIUM] CVE-2025-12885 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12885: WordPress vulnerability analysis and mitigation
The Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the sanitize_pdf_src function regex bypass in all versions up to, and including, 2.7.10 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
Score 6.4
Published December 18, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3225 [CRITICAL] CVE-2026-3225 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3225: WordPress vulnerability analysis and mitigation
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized deletion of quiz question answers due to a missing capability check in the delete_question_answer() function of the EditQuestionAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check, and the QuestionAnswerModel::delete() method only validates minimum answer counts without checking user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete answer options from any quiz question on the site.
Source : NVD
Score 4.3
Published March 23, 2026
Severity MEDIUM
Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68595 [HIGH] CVE-2025-68595 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68595: WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Trustindex Widgets for Social Photo Feed social-photo-feed-widget allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Widgets for Social Photo Feed: from n/a through <= 1.8.
Source : NVD
Score 8.8
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
social-photo-feed-widget
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on
Wiz
CVE-2026-31921 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-31921 [CRITICAL] CVE-2026-31921 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31921 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.
Source : NVD
## 8.2
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
products-rearrange-woocommerce
Sources
NVD
Wiz
CVE-2025-9218 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2025-9218 [LOW] CVE-2025-9218 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9218 :
WordPress vulnerability analysis and mitigation
The rtMedia for WordPress, BuddyPress and bbPress plugin for WordPress is vulnerable to Information Disclosure due to missing authorization in the handle_rest_pre_dispatch() function when the Godam plugin is active, in versions 4.7.0 to 4.7.3. This makes it possible for unauthenticated attackers to retrieve media items associated with draft or private posts.
Source : NVD
## 3.7
Score
Published December 13, 2025
Severity LOW
CNA Score 3.7
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
buddypress-media
Sources
Wiz
CVE-2025-68997 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-68997 [MEDIUM] CVE-2025-68997 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68997 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in AdvancedCoding wpDiscuz wpdiscuz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects wpDiscuz: from n/a through <= 7.6.43.
Source : NVD
## 5.3
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpdiscuz
Sources
NVD
Wiz
CVE-2026-22478 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22478 [CRITICAL] CVE-2026-22478 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22478 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes FindAll findall allows PHP Local File Inclusion. This issue affects FindAll: from n/a through <= 1.4.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
findall
Sources
NVD
Wiz
CVE-2025-68974 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68974 [CRITICAL] CVE-2025-68974 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68974 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.
Source : NVD
## 9.8
Score
Published December 30, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
miniorange-login-openid
Sources
NVD
Wiz
CVE-2025-8617 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-8617 [MEDIUM] CVE-2025-8617 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8617 :
WordPress vulnerability analysis and mitigation
The YITH WooCommerce Quick View plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's yith_quick_view shortcode in all versions up to, and including, 2.7.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-64371 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2025-64371 [HIGH] CVE-2025-64371 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64371 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.6.
Source : NVD
## 8.5
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
traveler
Sources
NVD
Wiz
CVE-2025-62752 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62752 [CRITICAL] CVE-2025-62752 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62752 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kalender.digital Kalender.digital kalender-digital allows DOM-Based XSS. This issue affects Kalender.digital: from n/a through <= 1.0.13.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kalender-digital
Sources
NVD
Wiz
CVE-2025-63062 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2025-63062 [HIGH] CVE-2025-63062 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-63062 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AndonDesign UDesign Core u-design-core allows PHP Local File Inclusion. This issue affects UDesign Core: from n/a through <= 4.14.0.
Source : NVD
## 7.6
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
u-design-core
Sources
NVD
Wiz
CVE-2025-12027 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-12027 [MEDIUM] CVE-2025-12027 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12027 :
WordPress vulnerability analysis and mitigation
The Mesmerize Companion plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the "openPageInCustomizer" and "openPageInDefaultEditor" functions in all versions up to, and including, 1.6.158. This makes it possible for authenticated attackers - with subscriber level access and above, on websites with the Mesmerize theme activated - to mark arbitrary pages as maintainable, wrap their content in custom sections, change page template metadata, and toggle the default editor flag without proper authorization.
Source : NVD
## 4.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2026-1575 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1575 [CRITICAL] CVE-2026-1575 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1575 :
WordPress vulnerability analysis and mitigation
itemscope
Source : NVD
## 6.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
schema-shortcode
Sources
NVD
Wiz
CVE-2025-9343 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-9343 [HIGH] CVE-2025-9343 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9343 :
WordPress vulnerability analysis and mitigation
The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ticket subjects in all versions up to, and including, 3.3.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 7.2
Score
Published December 21, 2025
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.2
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-1831 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1831 [CRITICAL] CVE-2026-1831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1831 :
WordPress vulnerability analysis and mitigation
/yaymail/v1/addons/activate
Source : NVD
## 2.7
Score
Published February 18, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yaymail
Sources
NVD
Wiz
CVE-2025-13908 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13908 [MEDIUM] CVE-2025-13908 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13908 :
WordPress vulnerability analysis and mitigation
The The Tooltip plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'the_tooltip' shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Wiz
CVE-2026-0862 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0862 [CRITICAL] CVE-2026-0862 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0862 :
WordPress vulnerability analysis and mitigation
The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as "demo mode", which is the default configuration when the plugin is installed) or known.
Source : NVD
## 6.1
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 6.1
Wiz
CVE-2025-54001 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-54001 [CRITICAL] CVE-2025-54001 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-54001 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection. This issue affects Classter: from n/a through <= 2.5.
Source : NVD
## 9.8
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
classter
Sources
NVD
Wiz
CVE-2026-27397 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27397 [CRITICAL] CVE-2026-27397 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27397 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Really Simple Plugins B.V. Really Simple Security Pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Really Simple Security Pro: from n/a through 9.5.4.0.
Source : NVD
## 6.5
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
really-simple-ssl-pro
Sources
NVD
Wiz
CVE-2025-67991 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-67991 [HIGH] CVE-2025-67991 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67991 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS. This issue affects User Extra Fields: from n/a through <= 16.8.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-user-extra-fields
Sources
NVD
Wiz
CVE-2026-1988 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1988 [CRITICAL] CVE-2026-1988 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1988 :
WordPress vulnerability analysis and mitigation
flexipsg_carousel
theme
theme
Source : NVD
## 7.5
Score
Published February 14, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
flexi-product-slider-grid
Sources
NVD
Wiz
CVE-2025-49354 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-49354 [CRITICAL] CVE-2025-49354 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49354 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Mindstien Technologies Recent Posts From Each Category recent-posts-from-each-category allows Stored XSS. This issue affects Recent Posts From Each Category: from n/a through <= 1.4.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
recent-posts-from-each-category
Sources
NVD
Wiz
CVE-2025-68846 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-68846 [HIGH] CVE-2025-68846 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68846 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS. This issue affects Asynchronous Javascript: from n/a through <= 1.3.5.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
asynchronous-javascript
Sources
NVD
Wiz
CVE-2025-67937 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-67937 [HIGH] CVE-2025-67937 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67937 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion. This issue affects Hendon: from n/a through < 1.7.
Source : NVD
## 8.1
Score
Published January 8, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
hendon
Sources
NVD
Wiz
CVE-2026-25011 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25011 [CRITICAL] CVE-2026-25011 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25011 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.41.
Source : NVD
## 4.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-custom-admin-interface
Sources
NVD
Wiz
CVE-2025-13679 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-13679 [MEDIUM] CVE-2025-13679 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13679 :
WordPress vulnerability analysis and mitigation
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_order_by_id() function in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to enumerate order IDs and exfiltrate sensitive data (PII), such as student name, email address, phone number, and billing address.
Source : NVD
## 6.5
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
Wiz
CVE-2025-58942 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2025-58942 [HIGH] CVE-2025-58942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58942 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Dwell dwell allows PHP Local File Inclusion. This issue affects Dwell: from n/a through <= 1.7.0.
Source : NVD
## 8.2
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dwell
Sources
NVD
Wiz
CVE-2025-67541 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-67541 [HIGH] CVE-2025-67541 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67541 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Lester Chan WP-ShowHide wp-showhide allows Stored XSS. This issue affects WP-ShowHide: from n/a through <= 1.05.
Source : NVD
## 7.1
Score
Published December 9, 2025
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-showhide
Sources
NVD
Wiz
CVE-2026-25379 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25379 [CRITICAL] CVE-2026-25379 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25379 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes StreamVid streamvid allows PHP Local File Inclusion. This issue affects StreamVid: from n/a through < 6.8.6.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
streamvid
Sources
NVD
Wiz
CVE-2026-24380 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24380 [CRITICAL] CVE-2026-24380 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24380 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0.
Source : NVD
## 8.8
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
eventprime-event-calendar-management
Sources
NVD
Wiz
CVE-2025-22713 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-22713 [CRITICAL] CVE-2025-22713 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-22713 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in vanquish WooCommerce Orders & Customers Exporter woocommerce-orders-ei allows SQL Injection. This issue affects WooCommerce Orders & Customers Exporter: from n/a through <= 5.4.
Source : NVD
## 9.8
Score
Published January 8, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
woocommerce-orders-ei
Sources
NVD
Wiz
CVE-2026-25380 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25380 [CRITICAL] CVE-2026-25380 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25380 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in jwsthemes Feedy feedy allows PHP Local File Inclusion. This issue affects Feedy: from n/a through < 2.1.5.
Source : NVD
## 8.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
feedy
Sources
NVD
Wiz
CVE-2026-1804 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1804 [CRITICAL] CVE-2026-1804 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1804 :
WordPress vulnerability analysis and mitigation
The WDES Responsive Popup plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wdes-popup-title' shortcode in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 11, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-2413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2413 [CRITICAL] CVE-2026-2413 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2413 :
WordPress vulnerability analysis and mitigation
get_global_remediations()
esc_url_raw()
Source : NVD
## 7.5
Score
Published March 11, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 96.4
Exploitation Probability (EPSS) 27.9
Affected packages and libraries
pojo-accessibility
Sources
NVD
Wiz
CVE-2026-3334 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3334 [CRITICAL] CVE-2026-3334 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3334 :
WordPress vulnerability analysis and mitigation
The CMS Commander plugin for WordPress is vulnerable to SQL Injection via the 'or_blogname', 'or_blogdescription', and 'or_admin_email' parameters in all versions up to, and including, 2.288. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL queries in the restore workflow. This makes it possible for authenticated attackers, with CMS Commander API key access, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 8.8
Score
Published March 21, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2025-67532 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67532 [CRITICAL] CVE-2025-67532 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67532 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion. This issue affects Hara: from n/a through <= 1.2.17.
Source : NVD
## 9.8
Score
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
hara
Sources
NVD
Wiz
CVE-2026-2440 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2440 [CRITICAL] CVE-2026-2440 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2440 :
WordPress vulnerability analysis and mitigation
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.5.3 via survey result submissions. This is due to insufficient input sanitization and output escaping. The public survey page exposes the nonce required for submission, allowing unauthenticated attackers to submit HTML-encoded payloads that are decoded and rendered as executable HTML when an administrator views survey results, leading to stored XSS in the admin context.
Source : NVD
## 7.2
Score
Published March 21, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-14734 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-14734 [MEDIUM] CVE-2025-14734 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14734 :
WordPress vulnerability analysis and mitigation
The Amazon affiliate lite Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the 'ADAL_settings_page' function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 5.4
Score
Published December 20, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Wiz
CVE-2026-28026 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28026 [CRITICAL] CVE-2026-28026 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28026 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Motorix motorix allows PHP Local File Inclusion. This issue affects Motorix: from n/a through <= 1.6.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
motorix
Sources
NVD
Wiz
CVE-2025-58950 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58950 [HIGH] CVE-2025-58950 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58950 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Lione lione allows PHP Local File Inclusion. This issue affects Lione: from n/a through <= 1.16.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
lione
Sources
NVD
Wiz
CVE-2026-27087 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27087 [CRITICAL] CVE-2026-27087 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27087 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Wolverine Framework wolverine-framework allows Reflected XSS. This issue affects Wolverine Framework: from n/a through <= 1.9.
Source : NVD
## 7.1
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wolverine-framework
Sources
NVD
Wiz
CVE-2025-14166 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-14166 [MEDIUM] CVE-2025-14166 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14166 :
WordPress vulnerability analysis and mitigation
The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. This is due to the plugin allowing Author-level users to create and execute arbitrary PHP code through the Code Snippets feature without proper capability checks. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise.
Source : NVD
## 5.3
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-1557 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1557 [CRITICAL] CVE-2026-1557 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1557 :
WordPress vulnerability analysis and mitigation
The WP Responsive Images plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.0 via the 'src' parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Source : NVD
## 7.5
Score
Published February 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 96.5
Exploitation Probability (EPSS) 28.7
Affected packages and libraries
wp-responsive-images
Sources
NVD
Wiz
CVE-2025-68528 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-68528 [MEDIUM] CVE-2025-68528 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68528 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPFactory Free Shipping Bar: Amount Left for Free Shipping for WooCommerce amount-left-free-shipping-woocommerce allows Stored XSS. This issue affects Free Shipping Bar: Amount Left for Free Shipping for WooCommerce: from n/a through <= 2.4.9.
Source : NVD
## 5.4
Score
Published December 24, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
amount-left-free-shipping-woocommerce
Wiz
CVE-2025-69049 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-69049 [HIGH] CVE-2025-69049 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69049 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
tobel
Sources
NVD
Wiz
CVE-2025-69030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-69030 [MEDIUM] CVE-2025-69030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69030 :
WordPress vulnerability analysis and mitigation
Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Backpack Traveler backpacktraveler allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Backpack Traveler: from n/a through <= 2.10.3.
Source : NVD
## 5.4
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
backpacktraveler
Sources
NVD
Wiz
CVE-2025-12718 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2025-12718 [MEDIUM] CVE-2025-12718 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12718 :
WordPress vulnerability analysis and mitigation
The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcf_validate_form' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers to send emails to arbitrary recipients utilizing the server. The information is limited to the contact form submission details.
Source : NVD
## 5.8
Score
Published January 17, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.1
Wiz
CVE-2025-69303 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69303 [HIGH] CVE-2025-69303 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69303 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in modeltheme ModelTheme Framework modeltheme-framework allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ModelTheme Framework: from n/a through <= 1.9.2.
Source : NVD
## 7.5
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
modeltheme-framework
Sources
NVD
Wiz
CVE-2026-22367 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22367 [CRITICAL] CVE-2026-22367 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22367 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Coworking coworking allows PHP Local File Inclusion. This issue affects Coworking: from n/a through <= 1.6.1.
Source : NVD
## 8.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
coworking
Sources
NVD
Wiz
CVE-2025-68017 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68017 [HIGH] CVE-2025-68017 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68017 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10.
Source : NVD
## 7.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
antideo-email-validator
Sources
NVD
Wiz
CVE-2025-62989 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62989 [CRITICAL] CVE-2025-62989 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62989 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Gora Tech Cooked cooked allows Stored XSS. This issue affects Cooked: from n/a through <= 1.11.3.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cooked
Sources
NVD
Wiz
CVE-2026-25001 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25001 [CRITICAL] CVE-2026-25001 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25001 :
WordPress vulnerability analysis and mitigation
Improper Control of Generation of Code ('Code Injection') vulnerability in Saad Iqbal Post Snippets post-snippets allows Remote Code Inclusion. This issue affects Post Snippets: from n/a through <= 4.0.12.
Source : NVD
## 8.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
post-snippets
Sources
NVD
Wiz
CVE-2025-67530 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67530 [CRITICAL] CVE-2025-67530 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67530 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion. This issue affects Besa: from n/a through <= 2.3.15.
Source : NVD
## 9.8
Score
Published December 9, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
besa
Sources
NVD
Wiz
CVE-2026-1614 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1614 [CRITICAL] CVE-2026-1614 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1614 :
WordPress vulnerability analysis and mitigation
The Rise Blocks – A Complete Gutenberg Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘logoTag’ Site Identity block attribute in all versions up to, and including, 3.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-66162 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2025-66162 [MEDIUM] CVE-2025-66162 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66162 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in merkulove Spoter for Elementor spoter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spoter for Elementor: from n/a through <= 1.04.
Source : NVD
## 5.4
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
spoter-elementor
Sources
NVD
Wiz
CVE-2026-27339 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27339 [CRITICAL] CVE-2026-27339 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27339 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Buzz Stone | Magazine & Viral Blog WordPress Theme buzzstone allows PHP Local File Inclusion. This issue affects Buzz Stone | Magazine & Viral Blog WordPress Theme: from n/a through <= 1.0.2.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
buzzstone
Sources
NVD
Wiz
CVE-2026-1805 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1805 [CRITICAL] CVE-2026-1805 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1805 :
WordPress vulnerability analysis and mitigation
The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damedia_giglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published March 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Wiz
CVE-2026-1128 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1128 [CRITICAL] CVE-2026-1128 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1128 :
WordPress vulnerability analysis and mitigation
The WP eCommerce WordPress plugin through 3.15.1 does not have a CSRF check in place when deleting coupons, which could allow attackers to make a logged-in admin remove them via a CSRF attack.
Source : NVD
## 4.3
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-e-commerce
Sources
NVD
Wiz
CVE-2025-13110 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13110 [MEDIUM] CVE-2025-13110 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13110 :
WordPress vulnerability analysis and mitigation
The HUSKY – Products Filter Professional for WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.7.3 via the "woof_add_subscr" function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber level access and above, to create product messenger subscriptions on behalf of arbitrary users, including administrators.
Source : NVD
## 4.3
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz
CVE-2026-1722 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1722 [CRITICAL] CVE-2026-1722 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1722 :
WordPress vulnerability analysis and mitigation
wcfm-refund-requests-form
Source : NVD
## 5.3
Score
Published February 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wc-multivendor-marketplace
Sources
NVD
Wiz
CVE-2025-66131 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-66131 [CRITICAL] CVE-2025-66131 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66131 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in yaadsarig Yaad Sarig Payment Gateway For WC yaad-sarig-payment-gateway-for-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yaad Sarig Payment Gateway For WC: from n/a through <= 2.2.11.
Source : NVD
## 9.1
Score
Published December 16, 2025
Severity CRITICAL
CNA Score 9.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yaad-sarig-payment-gateway-for-wc
Sources
NVD
Wiz
CVE-2026-3641 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3641 [CRITICAL] CVE-2026-3641 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3641 :
WordPress vulnerability analysis and mitigation
The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any mechanism to authenticate that incoming webhook requests genuinely originate from the legitimate Appmax payment service. The plugin directly processes untrusted attacker-controlled input from the 'event' and 'data' parameters without verifying the webhook's authenticity. This makes it possible for unauthenticated attackers to craft malicious webhook payloads that can modify the status of existing WooCommerce orders (e.g., changing them
Wiz
CVE-2025-14888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2025-14888 [MEDIUM] CVE-2025-14888 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14888 :
WordPress vulnerability analysis and mitigation
The Simple User Meta Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the user meta value field in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-24539 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24539 [CRITICAL] CVE-2026-24539 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24539 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección de datos – RGPD: from n/a through <= 0.68.
Source : NVD
## 5.3
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
proteccion-datos-rgpd
Sources
NVD
Wiz
CVE-2025-13215 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-13215 [MEDIUM] CVE-2025-13215 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13215 :
WordPress vulnerability analysis and mitigation
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.
Source : NVD
## 5.3
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
auxin-elements
Wiz
CVE-2026-25385 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25385 [CRITICAL] CVE-2026-25385 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25385 :
WordPress vulnerability analysis and mitigation
Server-Side Request Forgery (SSRF) vulnerability in KaizenCoders URL Shortify url-shortify allows Server Side Request Forgery. This issue affects URL Shortify: from n/a through <= 1.12.3.
Source : NVD
## 5.5
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
url-shortify
Sources
NVD
Wiz
CVE-2025-14053 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14053 [MEDIUM] CVE-2025-14053 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14053 :
WordPress vulnerability analysis and mitigation
The Wish To Go plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcode attributes in all versions up to, and including, 0.5.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Wiz
CVE-2026-1390 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1390 [CRITICAL] CVE-2026-1390 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1390 :
WordPress vulnerability analysis and mitigation
countdown_settings_content()
Source : NVD
## 4.3
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
redirect-countdown
Sources
NVD
Wiz
CVE-2025-14506 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14506 [MEDIUM] CVE-2025-14506 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14506 :
WordPress vulnerability analysis and mitigation
entrance_animation
Source : NVD
## 6.4
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
convertforce-popup-builder
Sources
NVD
Wiz
CVE-2025-68596 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68596 [HIGH] CVE-2025-68596 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68596 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Bit Apps Bit Assist bit-assist allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bit Assist: from n/a through <= 1.5.11.
Source : NVD
## 8.8
Score
Published December 24, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
bit-assist
Sources
NVD
## CVE-2025-69101 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.1.
Source : NVD
## 9.8
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
workreap_core
Sources
NVD
## CVE-2025-67925 [HIGH] (blogs_wiz, CVSS 8.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion. This issue affects Corpkit: from n/a through <= 2.0.
Source : NVD
## 8.1
Score
Published January 8, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
corpkit
Sources
NVD
## CVE-2026-24604 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0.
Source : NVD
## 5.3
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
simple-gdpr-cookie-compliance
Sources
NVD
## CVE-2026-25026 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Team: from n/a through <= 5.0.11.
Source : NVD
## 7.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tlp-team
Sources
NVD
## CVE-2025-13886 [HIGH] (blogs_wiz, CVSS 7.5): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
book
Source : NVD
## 7.5
Score
Published December 12, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
lt-unleashed
Sources
NVD
## CVE-2025-68561 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ruben Garcia AutomatorWP automatorwp allows SQL Injection. This issue affects AutomatorWP: from n/a through <= 5.2.4.
Source : NVD
Published December 23, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
automatorwp
Sources
NVD
## CVE-2026-3512 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Writeprint Stylometry plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'p' GET parameter in all versions up to and including 0.1. This is due to insufficient input sanitization and output escaping in the bjl_wprintstylo_comments_nav() function. The function directly outputs the $_GET['p'] parameter into an HTML href attribute without any escaping. This makes it possible for authenticated attackers with Contributor-level permissions or higher to inject arbitrary web scripts in pages that execute if they can successfully trick another user into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 6.1
## CVE-2025-15347 [HIGH] (blogs_wiz, CVSS 8.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options.
Source : NVD
## 8.8
Score
Published January 20, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.7
## CVE-2025-69079 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9.
Source : NVD
## 9.8
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
musicplace
Sources
NVD
## CVE-2025-63040 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Saad Iqbal Post Snippets post-snippets allows Cross Site Request Forgery. This issue affects Post Snippets: from n/a through <= 4.0.11.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
post-snippets
Sources
NVD
## CVE-2019-25297 [MEDIUM] (blogs_wiz, CVSS 5.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Poll, Survey & Quiz Maker Plugin by Opinion Stage Wordpress plugin versions prior to 19.6.25 contain a stored cross-site scripting (XSS) vulnerability via multiple parameters due to insufficient input validation and output escaping. An unauthenticated attacker can inject arbitrary script into content that executes when a victim views an affected page.
Source : NVD
## 5.1
Score
Published January 16, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
social-polls-by-opinionstage
## CVE-2026-27383 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion. This issue affects Metro: from n/a through <= 2.13.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
metro
Sources
NVD
## CVE-2025-14452 [HIGH] (blogs_wiz, CVSS 7.2): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Source : NVD
## 7.2
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 35.2
## CVE-2025-68984 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Puca puca allows PHP Local File Inclusion. This issue affects Puca: from n/a through <= 2.6.39.
Source : NVD
## 9.8
Score
Published December 30, 2025
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
puca
Sources
NVD
## CVE-2025-69335 [MEDIUM] (blogs_wiz, CVSS 5.4): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themepoints Team Showcase team-showcase allows Stored XSS. This issue affects Team Showcase: from n/a through <= 2.9.
Source : NVD
## 5.4
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
team-showcase
Sources
NVD
## CVE-2025-15525 [MEDIUM] (blogs_wiz, CVSS 5.3): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts.
Source : NVD
## 5.3
Score
Published January 31, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ajax
## CVE-2026-1189 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_id' parameter of the 'leadbi_form' shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2025-67934 [HIGH] (blogs_wiz, CVSS 8.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion. This issue affects Wellspring: from n/a through < 2.8.
Source : NVD
## 8.1
Score
Published January 8, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wellspring
Sources
NVD
## CVE-2025-13537 [MEDIUM] (blogs_wiz, CVSS 6.4): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Live Composer – Free WordPress Website Builder plugin for WordPress is vulnerable to multiple Stored Cross-Site Scripting vulnerabilities via DOM manipulation in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 17, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-25364 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.
Source : NVD
## 5.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sprout-invoices
Sources
NVD
## CVE-2026-32457 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Wombat Plugins Advanced Product Fields (Product Addons) for WooCommerce advanced-product-fields-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Advanced Product Fields (Product Addons) for WooCommerce: from n/a through <= 1.6.18.
Source : NVD
## 5.3
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
advanced-product-fields-for-woocommerce
Sources
NVD
## CVE-2026-3228 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
[nxs_fbembed]
snapFB
Source : NVD
## 6.4
Score
Published March 10, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
social-networks-auto-poster-facebook-twitter-g
Sources
NVD
## CVE-2025-69323 [HIGH] (blogs_wiz, CVSS 7.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS. This issue affects Slimstat Analytics: from n/a through <= 5.3.2.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-slimstat
Sources
NVD
## CVE-2025-66531 [HIGH] (blogs_wiz, CVSS 8.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Cross Site Request Forgery. This issue affects Salon booking system: from n/a through <= 10.30.3.
Source : NVD
## 8.8
Score
Published December 9, 2025
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
salon-booking-system
Sources
NVD
## CVE-2026-24374 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9.
Source : NVD
## 5.4
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
custom-registration-form-builder-with-submission-manager
Sources
NVD
## CVE-2026-32460 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.36.
Source : NVD
## 6.5
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-addons-for-contact-form-7
Sources
NVD
## CVE-2026-3997 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Text Toggle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title' shortcode attribute of the [tt_part] and [tt] shortcodes in all versions up to and including 1.1. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. Specifically, in the avp_texttoggle_part_shortcode() function, the 'title' attribute is extracted from shortcode attributes and concatenated directly into HTML output without any escaping — both within an HTML attribute context (title="...") on line 116 and in HTML content on line 119. While the 'class' attribute is properly validated using ctype_alnum(), the 'title' attribute has no sanitization whatsoever. An attacker can i
## CVE-2026-28089 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Daiquiri daiquiri allows PHP Local File Inclusion. This issue affects Daiquiri: from n/a through <= 1.2.4.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
daiquiri
Sources
NVD
## CVE-2025-69064 [HIGH] (blogs_wiz, CVSS 8.1): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion. This issue affects Pets Land: from n/a through <= 1.2.8.
Source : NVD
## 8.1
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
petsland
Sources
NVD
## CVE-2026-1781 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
_mc4wp_action
Source : NVD
## 6.5
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mailchimp-for-wp
Sources
NVD
## CVE-2025-14399 [MEDIUM] (blogs_wiz, CVSS 4.3): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
wp-content/uploads/
Source : NVD
## 4.3
Score
Published December 17, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
download-plugins-dashboard
Sources
NVD
## CVE-2026-1095 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fx' shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 24, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
## CVE-2026-24376 [CRITICAL] (blogs_wiz, CVSS 9.8): Impact, Exploitability, and Mitigation Steps | Wiz
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Javier Casares WPVulnerability wpvulnerability allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPVulnerability: from n/a through <= 4.2.1.
Source : NVD
## 6.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpvulnerability
Sources
NVD
Wiz
CVE-2025-67574 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67574 [MEDIUM] CVE-2025-67574 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67574 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.30.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
booking-calendar
Sources
NVD
Wiz
CVE-2026-24606 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24606 [CRITICAL] CVE-2026-24606 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24606 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.13.
Source : NVD
## 5.3
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
bayarcash-wc
Sources
NVD
Wiz
CVE-2025-12655 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-12655 [MEDIUM] CVE-2025-12655 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12655 :
WordPress vulnerability analysis and mitigation
/wp-json/hippoo/v1/wc/token/save_callback/{token_id}
permission_callback => '__return_true'
Source : NVD
## 5.3
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
hippoo
Sources
NVD
Wiz
CVE-2026-32455 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32455 [CRITICAL] CVE-2026-32455 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32455 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 MDTF wp-meta-data-filter-and-taxonomy-filter allows DOM-Based XSS. This issue affects MDTF: from n/a through <= 1.3.5.
Source : NVD
## 6.5
Score
Published March 13, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-meta-data-filter-and-taxonomy-filter
Sources
NVD
Wiz
CVE-2025-14109 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14109 [MEDIUM] CVE-2025-14109 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14109 :
WordPress vulnerability analysis and mitigation
The AH Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'column' shortcode attribute in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Wiz
CVE-2025-58901 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58901 [HIGH] CVE-2025-58901 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58901 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Takeout takeout allows PHP Local File Inclusion. This issue affects Takeout: from n/a through <= 1.3.0.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
takeout
Sources
NVD
Wiz
CVE-2025-66525 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-66525 [MEDIUM] CVE-2025-66525 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66525 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Elastic Email Elastic Email Sender elastic-email-sender allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Elastic Email Sender: from n/a through <= 1.2.20.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
elastic-email-sender
Sources
NVD
Wiz
CVE-2026-2324 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2324 [CRITICAL] CVE-2026-2324 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2324 :
WordPress vulnerability analysis and mitigation
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-14149 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14149 [MEDIUM] CVE-2025-14149 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14149 :
WordPress vulnerability analysis and mitigation
The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Image Scroller widget box link attribute in all versions up to, and including, 1.4.24 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 27, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-68047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-68047 [HIGH] CVE-2025-68047 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68047 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.3.
Source : NVD
## 8.8
Score
Published January 22, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
wp-event-solution
Sources
NVD
Wiz
CVE-2025-68995 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-68995 [MEDIUM] CVE-2025-68995 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68995 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Premio My Sticky Elements mystickyelements allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects My Sticky Elements: from n/a through <= 2.3.3.
Source : NVD
## 4.3
Score
Published December 30, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mystickyelements
Sources
NVD
Wiz
CVE-2026-1244 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1244 [CRITICAL] CVE-2026-1244 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1244 :
WordPress vulnerability analysis and mitigation
The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' shortcode attribute in the 'financoop_campaign' shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied 'id' parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2026-1187 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1187 [CRITICAL] CVE-2026-1187 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1187 :
WordPress vulnerability analysis and mitigation
The ZoomifyWP Free plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'filename' parameter of the 'zoomify' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-32521 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32521 [CRITICAL] CVE-2026-32521 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32521 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows DOM-Based XSS. This issue affects WP Custom Admin Interface: from n/a through <= 7.42.
Source : NVD
## 6.5
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-custom-admin-interface
Sources
NVD
Wiz
CVE-2025-53439 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-53439 [HIGH] CVE-2025-53439 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-53439 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Harper harper allows PHP Local File Inclusion. This issue affects Harper: from n/a through <= 1.13.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
harper
Sources
NVD
Homebrew Severity HIGH No Fix Added at: Jan 08, 2026
Wiz
CVE-2025-9207 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-9207 [MEDIUM] CVE-2025-9207 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-9207 :
WordPress vulnerability analysis and mitigation
The TI WooCommerce Wishlist plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 2.10.0. This is due to the plugin accepting hidden fields and not limiting the values or data that can be input and is later output. This makes it possible for unauthenticated attackers to inject arbitrary HTML into wishlist items.
Source : NVD
## 5.3
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 34.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ti-woocommerce-wishlist
Sources
NVD
Wiz
CVE-2026-1903 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1903 [CRITICAL] CVE-2026-1903 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1903 :
WordPress vulnerability analysis and mitigation
The Ravelry Designs Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'layout' attribute of the 'sb_ravelry_designs' shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-28051 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-28051 [CRITICAL] CVE-2026-28051 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28051 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yacht Rental yacht-rental allows PHP Local File Inclusion. This issue affects Yacht Rental: from n/a through <= 2.6.
Source : NVD
## 8.1
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
yacht-rental
Sources
NVD
Wiz
CVE-2025-69338 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-69338 [CRITICAL] CVE-2025-69338 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69338 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Riode Core riode-core allows Blind SQL Injection. This issue affects Riode Core: from n/a through <= 1.6.26.
Source : NVD
## 9.3
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Affected packages and libraries
riode-core
Sources
NVD
Wiz
CVE-2024-51915 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2024-51915 [MEDIUM] CVE-2024-51915 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-51915 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS. This issue affects LiteSpeed Cache: from n/a through <= 6.5.2.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
litespeed-cache
Sources
NVD
Wiz
CVE-2025-23469 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-23469 [CRITICAL] CVE-2025-23469 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-23469 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sleekplan Sleekplan sleekplan allows Reflected XSS. This issue affects Sleekplan: from n/a through <= 0.2.0.
Source : NVD
Published December 30, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sleekplan
Sources
NVD
Wiz
CVE-2026-0550 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-0550 [MEDIUM] CVE-2026-0550 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0550 :
WordPress vulnerability analysis and mitigation
The myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'mycred_load_coupon' shortcode in all versions up to, and including, 2.9.7.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz
CVE-2025-66088 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-66088 [HIGH] CVE-2025-66088 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66088 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PropertyHive: from n/a through <= 2.1.12.
Source : NVD
## 7.5
Score
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
propertyhive
Sources
NVD
Wiz
CVE-2026-3572 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3572 [CRITICAL] CVE-2026-3572 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3572 :
WordPress vulnerability analysis and mitigation
The iTracker360 plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in all versions up to and including 2.2.0. This is due to missing nonce verification on the settings form submission and insufficient input sanitization combined with missing output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts via a forged request granted they can trick an administrator into performing an action such as clicking on a link.
Source : NVD
## 6.1
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-3571 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3571 [CRITICAL] CVE-2026-3571 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3571 :
WordPress vulnerability analysis and mitigation
The Pie Register – User Registration, Profiles & Content Restriction plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pie_main() function in all versions up to, and including, 3.8.4.8. This makes it possible for unauthenticated attackers to change registration form status.
Source : NVD
## 6.5
Score
Published April 4, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pie-register
Sources
NVD
Wiz
CVE-2026-25359 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25359 [CRITICAL] CVE-2026-25359 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25359 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection. This issue affects Pendulum: from n/a through < 3.1.5.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
pendulum
Sources
NVD
Wiz
CVE-2026-3658 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3658 [CRITICAL] CVE-2026-3658 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3658 :
WordPress vulnerability analysis and mitigation
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to SQL Injection via the 'fields' parameter in all versions up to, and including, 1.6.10.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, including usernames, email addresses, and password hashes.
Source : NVD
## 7.5
Score
Published March 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2025-69296 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-69296 [HIGH] CVE-2025-69296 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69296 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS. This issue affects Aardvark: from n/a through <= 4.6.3.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
aardvark
Sources
NVD
Wiz
CVE-2026-32516 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-32516 [CRITICAL] CVE-2026-32516 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32516 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Miraculous Core Plugin miraculouscore allows Blind SQL Injection. This issue affects Miraculous Core Plugin: from n/a through < 2.1.2.
Source : NVD
## 8.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
miraculouscore
Sources
NVD
Wiz
CVE-2025-67971 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-67971 [HIGH] CVE-2025-67971 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67971 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS. This issue affects FluentCart: from n/a through < 1.3.0.
Source : NVD
## 7.1
Score
Published February 20, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fluent-cart
Sources
NVD
Wiz
CVE-2025-12648 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-12648 [MEDIUM] CVE-2025-12648 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-12648 :
WordPress vulnerability analysis and mitigation
The WP-Members Membership Plugin for WordPress is vulnerable to unauthorized file access in versions up to, and including, 3.5.4.4. This is due to storing user-uploaded files in predictable directories (wp-content/uploads/wpmembers/user_files//) without implementing proper access controls beyond basic directory listing protection (.htaccess with Options -Indexes). This makes it possible for unauthenticated attackers to directly access and download sensitive documents uploaded by site users via direct URL access, granted they can guess or enumerate user IDs and filenames.
Source : NVD
## 5.3
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2026-3072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3072 [CRITICAL] CVE-2026-3072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3072 :
WordPress vulnerability analysis and mitigation
The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.
Source : NVD
## 4.3
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-2284 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2284 [CRITICAL] CVE-2026-2284 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2284 :
WordPress vulnerability analysis and mitigation
The News Element Elementor Blog Magazine plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.8. This is due to a missing capability check and nonce verification on the 'ne_clean_data' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to truncate 8 core WordPress database tables (posts, comments, terms, term_relationships, term_taxonomy, postmeta, commentmeta, termmeta) and delete the entire WordPress uploads directory, resulting in complete data loss.
Source : NVD
## 5.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2026-0677 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-0677 [CRITICAL] CVE-2026-0677 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0677 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection. This issue affects TotalContest Lite: from n/a through <= 2.9.1.
Source : NVD
Published March 20, 2026
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
totalcontest-lite
Sources
NVD
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
CVE-2025-62098 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62098 [CRITICAL] CVE-2025-62098 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62098 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in totalsoft Portfolio Gallery gallery-portfolio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Portfolio Gallery: from n/a through <= 1.4.8.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
gallery-portfolio
Sources
NVD
Wiz
CVE-2026-0556 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-0556 [MEDIUM] CVE-2026-0556 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0556 :
WordPress vulnerability analysis and mitigation
The XO Event Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xo_event_field' shortcode in all versions up to, and including, 3.2.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.
Wiz
CVE-2025-66104 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-66104 [MEDIUM] CVE-2025-66104 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66104 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Anton Vanyukov Offload, AI & Optimize with Cloudflare Images cf-images allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Offload, AI & Optimize with Cloudflare Images: from n/a through <= 1.9.5.
Source : NVD
## 6.5
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cf-images
Sources
NVD
Wiz
CVE-2026-4072 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-4072 [CRITICAL] CVE-2026-4072 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4072 :
WordPress vulnerability analysis and mitigation
The WordPress PayPal Donation plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'donate' shortcode in all versions up to, and including, 1.01. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes such as 'amount', 'email', 'title', 'return_url', 'cancel_url', 'ccode', and 'image'. The wordpress_paypal_donation_create() function uses extract(shortcode_atts(...)) to process shortcode attributes and then directly interpolates these values into HTML output within single-quoted attribute values without any escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that
Wiz
CVE-2026-27084 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-27084 [CRITICAL] CVE-2026-27084 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27084 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in ThemeREX Buisson buisson allows Object Injection. This issue affects Buisson: from n/a through <= 1.1.11.
Source : NVD
## 9.8
Score
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
buisson
Sources
NVD
Wiz
CVE-2025-13849 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13849 [MEDIUM] CVE-2025-13849 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13849 :
WordPress vulnerability analysis and mitigation
The Cool YT Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'videoid' parameter in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published January 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-24362 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24362 [CRITICAL] CVE-2026-24362 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24362 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in bdthemes Ultimate Post Kit ultimate-post-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Post Kit: from n/a through <= 4.0.21.
Source : NVD
## 6.4
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ultimate-post-kit
Sources
NVD
Wiz
CVE-2025-14795 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14795 [MEDIUM] CVE-2025-14795 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14795 :
WordPress vulnerability analysis and mitigation
The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1.
Source : NVD
## 4.3
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2025-14454 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14454 [MEDIUM] CVE-2025-14454 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14454 :
WordPress vulnerability analysis and mitigation
The Image Slider by Ays- Responsive Slider and Carousel plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.0. This is due to missing or incorrect nonce validation on the bulk delete functionality. This makes it possible for unauthenticated attackers to delete arbitrary sliders via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Source : NVD
## 4.3
Score
Published December 13, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.9
Wiz
CVE-2026-24617 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24617 [CRITICAL] CVE-2026-24617 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24617 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0.
Source : NVD
## 6.5
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
easy-modal
Sources
NVD
Wiz
CVE-2025-62873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-62873 [MEDIUM] CVE-2025-62873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62873 :
WordPress vulnerability analysis and mitigation
Cross-Site Request Forgery (CSRF) vulnerability in Flashyapp WP Flashy Marketing Automation wp-flashy-marketing-automation allows Cross Site Request Forgery. This issue affects WP Flashy Marketing Automation: from n/a through <= 2.0.8.
Source : NVD
## 4.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-flashy-marketing-automation
Sources
NVD
Wiz
CVE-2026-24382 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24382 [CRITICAL] CVE-2026-24382 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24382 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in wproyal News Magazine X news-magazine-x allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Magazine X: from n/a through <= 1.2.50.
Source : NVD
## 7.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
news-magazine-x
Sources
NVD
Wiz
CVE-2025-14851 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-14851 [MEDIUM] CVE-2025-14851 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14851 :
WordPress vulnerability analysis and mitigation
yamap
Source : NVD
## 6.4
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yamaps
Sources
NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | No | Yes | Apr 07 |
Wiz
CVE-2025-13839 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2025-13839 [MEDIUM] CVE-2025-13839 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13839 :
WordPress vulnerability analysis and mitigation
The LJUsers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'name' parameter of the 'ljuser' shortcode in all versions up to, and including, 1.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published December 12, 2025
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13
Wiz
CVE-2025-13935 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-13935 [MEDIUM] CVE-2025-13935 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13935 :
WordPress vulnerability analysis and mitigation
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course completion in all versions up to, and including, 3.9.2. This is due to missing enrollment verification in the 'mark_course_complete' function. This makes it possible for authenticated attackers, with subscriber level access and above, to mark any course as completed.
Source : NVD
## 4.3
Score
Published January 9, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tutor
Wiz
CVE-2025-67951 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67951 [MEDIUM] CVE-2025-67951 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67951 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPZOOM WPZOOM Addons for Elementor wpzoom-elementor-addons allows DOM-Based XSS. This issue affects WPZOOM Addons for Elementor: from n/a through <= 1.2.10.
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpzoom-elementor-addons
Sources
NVD
Wiz
CVE-2026-3333 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3333 [CRITICAL] CVE-2026-3333 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3333 :
WordPress vulnerability analysis and mitigation
The MinhNhut Link Gateway plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'linkgate' shortcode in all versions up to, and including, 3.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published March 21, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.1
Wiz
CVE-2025-49357 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-49357 [CRITICAL] CVE-2025-49357 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-49357 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in audiomack Audiomack audiomack allows Stored XSS. This issue affects Audiomack: from n/a through <= 1.4.8.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
audiomack
Sources
NVD
Wiz
CVE-2026-25387 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25387 [CRITICAL] CVE-2026-25387 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25387 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Elementor Image Optimizer by Elementor image-optimization allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Image Optimizer by Elementor: from n/a through <= 1.7.1.
Source : NVD
## 4.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
image-optimization
Sources
NVD
Wiz
CVE-2026-2281 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-2281 [CRITICAL] CVE-2026-2281 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2281 :
WordPress vulnerability analysis and mitigation
The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published February 18, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit
Wiz
CVE-2026-24571 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24571 [CRITICAL] CVE-2026-24571 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24571 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2.
Source : NVD
## 4.3
Score
Published January 23, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
box-now-delivery
Sources
NVD
Wiz
CVE-2025-62136 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62136 [CRITICAL] CVE-2025-62136 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62136 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in thinkupthemes Melos melos allows Stored XSS. This issue affects Melos: from n/a through <= 1.6.0.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
melos
Sources
NVD
Wiz
CVE-2025-67538 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67538 [MEDIUM] CVE-2025-67538 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67538 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jegtheme JNews Gallery jnews-gallery allows Stored XSS. This issue affects JNews Gallery: from n/a through < 12.0.1.
Source : NVD
## 6.5
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jnews-gallery
Sources
NVD
Wiz
CVE-2026-3226 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-3226 [CRITICAL] CVE-2026-3226 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3226 :
WordPress vulnerability analysis and mitigation
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized email notification triggering due to missing capability checks on all 10 functions in the SendEmailAjax class in all versions up to, and including, 4.3.2.8. The AbstractAjax::catch_lp_ajax() dispatcher verifies a wp_rest nonce but performs no current_user_can() check before dispatching to handler functions. The wp_rest nonce is embedded in the frontend JavaScript for all authenticated users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger arbitrary email notifications to admins, instructors, and users, enabling email flooding, social engineering, and impersonation of admin decisio
Wiz
CVE-2025-13652 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-13652 [MEDIUM] CVE-2025-13652 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13652 :
WordPress vulnerability analysis and mitigation
The CBX Bookmark & Favorite plugin for WordPress is vulnerable to generic SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Source : NVD
## 6.5
Score
Published January 6, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-24952 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-24952 [CRITICAL] CVE-2026-24952 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24952 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1.
Source : NVD
## 6.5
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
seriously-simple-podcasting
Sources
NVD
Wiz
CVE-2026-1916 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1916 [CRITICAL] CVE-2026-1916 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1916 :
WordPress vulnerability analysis and mitigation
wpgsi_callBackFuncAccept
wpgsi_callBackFuncUpdate
permission_callback => '__return_true'
Source : NVD
## 7.5
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
wpgsi
Sources
NVD
Wiz
CVE-2025-62132 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62132 [CRITICAL] CVE-2025-62132 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62132 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Strategy11 Team Tasty Recipes Lite tasty-recipes-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tasty Recipes Lite: from n/a through <= 1.1.5.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tasty-recipes-lite
Sources
NVD
Wiz
CVE-2025-13673 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-13673 [HIGH] CVE-2025-13673 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13673 :
WordPress vulnerability analysis and mitigation
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to SQL Injection via the 'coupon_code' parameter in all versions up to, and including, 3.9.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. NOTE: This vulnerability was partially mitigated in versions 3.9.4 and 3.9.6.
Source : NVD
## 7.5
Score
Published February 28, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Wiz
CVE-2025-67572 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-67572 [MEDIUM] CVE-2025-67572 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67572 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in PenciDesign PenNews pennews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PenNews: from n/a through < 6.7.4.
Source : NVD
## 5.3
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pennews
Sources
NVD
Wiz
CVE-2026-22348 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-22348 [CRITICAL] CVE-2026-22348 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22348 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through <= 1.53.
Source : NVD
## 5.3
Score
Published January 22, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
civic-cookie-control-8
Sources
NVD
Wiz
CVE-2025-67996 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-67996 [CRITICAL] CVE-2025-67996 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67996 :
WordPress vulnerability analysis and mitigation
Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection. This issue affects Nestin: from n/a through < 1.2.6.
Source : NVD
## 9.8
Score
Published February 20, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nestin
Sources
NVD
Wiz
CVE-2026-0664 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
CVE-2026-0664 [MEDIUM] CVE-2026-0664 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0664 :
WordPress vulnerability analysis and mitigation
The Royal Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_text' parameter in all versions up to, and including, 1.7.1049 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Source : NVD
## 6.4
Score
Published April 4, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1
Exploitation Probability (EPSS) N
Wiz
CVE-2025-15513 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-15513 [MEDIUM] CVE-2025-15513 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15513 :
WordPress vulnerability analysis and mitigation
The Float Payment Gateway plugin for WordPress is vulnerable to unauthorized modification of data due to improper error handling in the verifyFloatResponse() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to mark any WooCommerce order as failed.
Source : NVD
## 5.3
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
float-gateway
Sources
NVD
Wiz
CVE-2025-68574 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-68574 [MEDIUM] CVE-2025-68574 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68574 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in voidcoders WPBakery Visual Composer WHMCS Elements void-visual-whmcs-element allows DOM-Based XSS. This issue affects WPBakery Visual Composer WHMCS Elements: from n/a through <= 1.0.4.3.
Source : NVD
## 6.1
Score
Published December 24, 2025
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
void-visual-whmcs-element
Sources
NVD
Wiz
CVE-2025-13842 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-13842 [MEDIUM] CVE-2025-13842 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13842 :
WordPress vulnerability analysis and mitigation
The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the includes/blocks/build/breadcrumb-trail/render.php file. This makes it possible for unauthenticated attackers to enumerate and view breadcrumb trails for draft or private posts by manipulating the post_id parameter, revealing post titles and hierarchy that should remain hidden.
Source : NVD
## 5.3
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Relea
Wiz
CVE-2026-25378 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25378 [CRITICAL] CVE-2026-25378 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25378 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Blind SQL Injection. This issue affects Nelio AB Testing: from n/a through <= 8.2.4.
Source : NVD
## 7.6
Score
Published February 19, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nelio-ab-testing
Sources
NVD
Wiz
CVE-2025-62748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-62748 [CRITICAL] CVE-2025-62748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-62748 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Genetech Products Web and WooCommerce Addons for WPBakery Builder vc-addons-by-bit14 allows DOM-Based XSS. This issue affects Web and WooCommerce Addons for WPBakery Builder: from n/a through <= 1.5.
Source : NVD
Published December 31, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vc-addons-by-bit14
Sources
NVD
Wiz
CVE-2026-1613 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1613 [CRITICAL] CVE-2026-1613 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1613 :
WordPress vulnerability analysis and mitigation
list_class
Source : NVD
## 6.4
Score
Published February 7, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wonka-slide
Sources
NVD
## Related WordPress vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-0740 | CRITICAL | 9.8 | WordPress | ninja-forms-uploads | No | Yes | |
Wiz
CVE-2026-25401 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-25401 [CRITICAL] CVE-2026-25401 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25401 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in Arni Cinco WPCargo Track & Trace wpcargo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPCargo Track & Trace: from n/a through <= 8.0.2.
Source : NVD
## 7.5
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wpcargo
Sources
NVD
Wiz
CVE-2025-68556 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-68556 [CRITICAL] CVE-2025-68556 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68556 :
WordPress vulnerability analysis and mitigation
Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HAPPY: from n/a through <= 1.0.9.
Source : NVD
Published December 23, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
happy-helpdesk-support-ticket-system
Sources
NVD
Wiz
CVE-2025-68066 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-68066 [HIGH] CVE-2025-68066 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68066 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through <= 8.7.0.
Source : NVD
## 7.5
Score
Published December 16, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.3
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
soledad
Sources
NVD
Wiz
CVE-2025-14783 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14783 [MEDIUM] CVE-2025-14783 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14783 :
WordPress vulnerability analysis and mitigation
The Easy Digital Downloads plugin for WordPress is vulnerable to Unvalidated Redirect in all versions up to, and including, 3.6.2. This is due to insufficient validation on the redirect url supplied via the 'edd_redirect' parameter. This makes it possible for unauthenticated attackers to redirect users with the password reset email to potentially malicious sites if they can successfully trick them into performing an action.
Source : NVD
## 4.3
Score
Published December 31, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS)
Wiz
CVE-2025-23458 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-23458 [CRITICAL] CVE-2025-23458 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-23458 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rakessh Ads24 Lite wp-ad-management allows Reflected XSS. This issue affects Ads24 Lite: from n/a through <= 1.0.
Source : NVD
Published December 30, 2025
CNA Score N/A
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
wp-ad-management
Sources
NVD
Wiz
CVE-2025-58709 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-58709 [HIGH] CVE-2025-58709 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-58709 :
WordPress vulnerability analysis and mitigation
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Legacy legacy allows PHP Local File Inclusion. This issue affects Legacy: from n/a through <= 1.9.
Source : NVD
## 8.1
Score
Published December 18, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
legacy
Sources
NVD
Wiz
CVE-2025-27002 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-27002 [MEDIUM] CVE-2025-27002 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-27002 :
WordPress vulnerability analysis and mitigation
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup CountDown With Image or Video Background countdown-with-background allows Reflected XSS. This issue affects CountDown With Image or Video Background: from n/a through <= 1.5.
Source : NVD
## 6.1
Score
Published January 8, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
countdown-with-background
Sources
NVD
Wiz
CVE-2025-14618 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2025-14618 [MEDIUM] CVE-2025-14618 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14618 :
WordPress vulnerability analysis and mitigation
The Sweet Energy Efficiency plugin for WordPress is vulnerable to unauthorized access, modification, and loss of data due to a missing capability check on the 'sweet_energy_efficiency_action' AJAX handler in all versions up to, and including, 1.0.6. This makes it possible for authenticated attackers, with subscriber level access and above, to read, modify, and delete arbitrary graphs.
Source : NVD
## 4.3
Score
Published December 18, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
Wiz
CVE-2025-15483 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2025-15483 [MEDIUM] CVE-2025-15483 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15483 :
WordPress vulnerability analysis and mitigation
The Link Hopper plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hop_name' parameter in all versions up to, and including, 2.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Source : NVD
## 4.4
Score
Published February 14, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
WordPress
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
2026-03-02
Published