Wordfence Intelligence Weekly WordPress Vulnerability Report (June 2, 2025 to June 8, 2025)


📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 

🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our ‘High Threat’ list in software with fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!


Last week, there were 257 vulnerabilities disclosed in 233 WordPress Plugins and 13 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 66 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the Vulnerability Database API to receive a complete dump of our database of over 27,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.


New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

  • WAF-RULE-844 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30-day delay.


Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Patched 103
Unpatched 154

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 2
Medium Severity 216
High Severity 26
Critical Severity 13

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 94
Missing Authorization 53
Cross-Site Request Forgery (CSRF) 47
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 21
Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) 10
Deserialization of Untrusted Data 5
Exposure of Sensitive Information to an Unauthorized Actor 4
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 3
Server-Side Request Forgery (SSRF) 3
Unrestricted Upload of File with Dangerous Type 3
URL Redirection to Untrusted Site (‘Open Redirect’) 3
Authentication Bypass Using an Alternate Path or Channel 2
Authorization Bypass Through User-Controlled Key 1
Improper Control of Generation of Code (‘Code Injection’) 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 1
Improper Restriction of XML External Entity Reference 1
Improper Validation of Specified Quantity in Input 1
Insertion of Sensitive Information into Log File 1
Insertion of Sensitive Information Into Sent Data 1
Plaintext Storage of a Password 1
Unverified Password Change 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
muhammad yudha 25
Nguyen Xuan Chien 19
Tran Nguyen Bao Khanh 19
Nabil Irawan 18
domiee13 16
Chu The Anh 14
ch4r0n 13
Bonds 9
Peter Thaleikis 9
HLog 7
Nguyen Ngoc Quang Bach (maysbachs) 6
Hiro 6
Trương Hữu Phúc (truonghuuphuc) 5
Nguyen Kim Sang 4
Martino Spagnuolo 4
Nguyễn Trung Kiên 4
Skalucy 4
theviper17y 3
haudayroi 3
Phat RiO – BlueRock 3
0xd4rk5id3 3
Rafie Muhammad 3
Prissy 3
Kévin Mosbahi (Mika) 3
Annn 3
Foxyyy 3
LVT-tholv2k 2
0x1ceKing 2
Asaf Mozes 2
Vo Thi Ngoc Nhi 2
zer0gh0st 2
timomangcut 2
rajanhoyr 2
István Márton 2
Denver Jackson 2
sterva 1
Matteo Leonelli 1
David D. 1
Marek Mikita 1
Webbernaut 1
Jang Jeong Ahn (Jhanks) 1
bintable 1
Martin Martin 1
ghsinfosec 1
johska 1
Brian Sans-Souci (liardom) 1
the sneaky squirrel 1
l33ch 1
zaim 1
TANG Cheuk Hei (siunam) 1
Naveen H N 1
siavashvafshar 1
Ryan Novotny 1
Noah Stead (TurtleBurg) 1
Blair Crawford 1
lucky_buddy 1
kr0d 1
Drew Webber (mcdruid) 1
Chuck 1
Shivam Khanna 1
Abdullah Shittu 1
Christie BOUTIER 1
Nguyen Quang Minh 1
Abdulaziz Alzamil 1
Mohamed Ali 1
Jorgson 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.


WordPress Plugins with Reported Vulnerabilities Last Week

Software Name Software Slug
404 Page by SeedProd 404-page
6Storage Rentals 6storage-rentals
Abbie Expander abbie-expander
Accessibility Suite by Ability, Inc online-accessibility
ACF: Yandex Maps Field acf-yandex-maps-field
Activity Plus Reloaded for BuddyPress bp-activity-plus-reloaded
Admin Notes admin-note
Advanced Post List advanced-post-list
AI Mortgage Calculator ai-mortgage-calculator
All Currencies for WooCommerce woocommerce-all-currencies
Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant gdpr-compliant-recaptcha-for-all-forms
Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms stop-spammer-registrations-plugin
AppBanners appbanners
Atelier Create CV atelier-create-cv
Backup and Staging by WP Time Capsule wp-time-capsule
Backwp backwp
Bacon Ipsum bacon-ipsum
Bang tinh vay bang-tinh-lai-suat
bbPress API bbp-api
Behance Portfolio Manager portfolio-manager-powered-by-behance
Bellows Accordion Menu bellows-accordion-menu
Bg Orthodox Calendar bg-orthodox-calendar
Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress file-manager
Bitly URL Shortener codehaveli-bitly-url-shortener
BlockStrap Page Builder – Bootstrap Blocks blockstrap-page-builder-blocks
BM Content Builder bm-builder
BNS Featured Category bns-featured-category
Booking Ultra Pro Appointments Booking Calendar Plugin booking-ultra-pro
Booqable Rental Plugin booqable-rental-reservations
BP Profile as Homepage bp-profile-as-homepage
Broadly for WordPress broadly
Broken Link Checker broken-link-checker
BRW – Booking Rental Plugin WooCommerce ova-brw
Calculated Fields Form calculated-fields-form
Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress campus-directory
Category Icon category-icon
Complete Google Seo Scan complete-google-seo-scan
Contact Form contact-form-ready
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent gdpr-cookie-consent
Crawlomatic Multipage Scraper Post Generator crawlomatic-multipage-scraper-post-generator
CubePoints cubepoints
CubeWP – All-in-One Dynamic Content Framework cubewp-framework
Custom Bulk/Quick Edit custom-bulkquick-edit
Custom Category/Post Type Post order custom-post-order-category
Developer Formatter devformatter
Direct Checkout for WooCommerce Lite woo-direct-checkout-lite
DocsPress – Online Documentation docspress
Domain For Sale, Domain appraisal, Domain auction, Domain marketplace – Best Domain For sale Plugin for WordPress domain-for-sale
Easy Mega Menu Plugin for WordPress – ThemeHunk themehunk-megamenu-plus
Elastic Email Subscribe Form elastic-email-subscribe-form
Elegant Visitor Counter elegant-visitor-counter
elfsight-contact-form elfsight-contact-form
Elite Video Player elite-video-player
Employee Directory – Staff Listing & Team Directory Plugin for WordPress employee-directory
Epicwin Plugin epicwin-subscribers
Essential Addons for Elementor – Popular Elementor Templates and Widgets essential-addons-for-elementor-lite
ESV Bible Shortcode for WordPress esv-bible-shortcode-for-wordpress
Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin mage-eventpress
Event post event-post
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin everest-backup
FastBook – Responsive Appointment Booking and Scheduling System fastbook-responsive-appointment-booking-and-scheduling-system
Forminator Forms – Contact Form, Payment Form & Custom Form Builder forminator
Foxit eSign for WordPress esign-genie-for-wp
FraudLabs Pro for WooCommerce fraudlabs-pro-for-woocommerce
Free WP Mail SMTP (Official – 2019) free-wp-mail-smtp
Freemind Viewer wp-freemind
Frontend Dashboard frontend-dashboard
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress gamipress
Global Translator global-translator
GPP Slideshow gpp-slideshow
Greenshift – animation and page builder blocks greenshift-animation-and-page-builder-blocks
Hide It hide-it
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress hive-support
HR Management Lite hr-management-lite
Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings hydra-booking
HyperComments hypercomments
Icegram Collect – Easy Form, Lead Collection and Subscription plugin icegram-rainmaker
IFrame Widget iframe-widget
Image Hover Effects Block image-hover-effects-block
Interactive Regional Map of Africa interactive-map-of-africa
Interactive Regional Map of Florida interactive-map-of-florida
Interactive UK Regional Map interactive-uk-regional-map
InWave Jobs iwjob
Job Board Manager job-board-manager
KI Live Video Conferences ki-live-video-conferences
Knowledge Base knowledgebase
Konami Easter Egg konami-easter-egg
Layouts for Elementor layouts-for-elementor
Libro de Reclamaciones y Quejas libro-de-reclamaciones-y-quejas
LTL Freight Quotes – Day & Ross Edition ltl-freight-quotes-day-ross-edition
LTL Freight Quotes – Daylight Edition ltl-freight-quotes-daylight-edition
LTL Freight Quotes – Freightview Edition ltl-freight-quotes-freightview-edition
Market Exporter market-exporter
Mediabay – WordPress Media Library Folders mediabay
Melipayamak melipayamak
Modern Events Calendar Lite modern-events-calendar-lite
Motors – Events stm-motors-events
Multi CryptoCurrency Payments multi-crypto-currency-payment
MultiVendorX – WooCommerce Multivendor Marketplace Solutions dc-woocommerce-multi-vendor
Music Player for Elementor – Audio Player & Podcast Player music-player-for-elementor
MyStyle Custom Product Designer mystyle-custom-product-designer
Nasa Core nasa-core
Newspack Newsletters newspack-newsletters
Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE nexa-blocks
Next Event Calendar next-event-calendar
Ninja Tables – Easy Data Table Builder ninja-tables
No Spam At All no-spam-at-all
oik oik
Paged Gallery paged-gallery
Password Policy Manager | Password Manager password-policy-manager
Pay with Contact Form 7 pay-with-contact-form-7
Payment QR WooCommerce payment-qr-woo
PayU CommercePro Plugin payu-india
PDF for WPForms + Drag and Drop Template Builder pdf-for-wpforms
Personal Favicon personal-favicon
Pinterest Verify Meta Tag pinterest-verify-meta-tag
POEditor poeditor
Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder popup-maker
Post Author post-author
Post Custom Templates Lite post-custom-templates-lite
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder ajax-filter-posts
Powie’s Uptime Robot Plugin powies-uptime-robot
Premium Packages – Sell Digital Products Securely wpdm-premium-packages
Product Catalog Simple post-type-x
Product Feed for WooCommerce – Google Shopping Feed, Pinterest Feed, TikTok Ads & More webtoffee-product-feed
Profiler – What Slowing Down Your WP profiler-what-slowing-down
Quick Event Calendar quick-event-calendar
Raychat raychat
Read More Login read-more-login
Recent Posts Slider Responsive recent-posts-slider-responsive
Recover abandoned cart for WooCommerce recover-wc-abandoned-cart
Responsify WP responsify-wp
Responsive Flipbooks responsive-flipbooks
Revolution Video Player With Bottom Playlist WordPress Plugin – YouTube/Vimeo/Self-Hosted Support revolution_video_player
RTMKit Addons for Elementor rometheme-for-elementor
Runners Log runners-log
Search with Typesense search-with-typesense
Seofy Core seofy-core
SEPA Girocode sepa-girocode
Shared Files – Frontend File Upload Form & Secure File Sharing shared-files
ShiftNav – Responsive Mobile Menu shiftnav-responsive-mobile-menu
ShortLinks Pro – Affiliate Links, Link Shortening, Click Tracking & Marketing shortlinkspro
SHOUT lbg-audio8-html5-radio_ads
Simple Contact Form Plugin for WordPress – WP Easy Contact wp-easy-contact
Simple Google Static Map simple-google-static-map
Simple History – Track, Log, and Audit WordPress Changes simple-history
Simple Keyword to Link simple-keyword-to-link
Simple Membership simple-membership
Simple Nested Menu simple-nested-menu
Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates) sina-extension-for-elementor
Slack Notifications by dorzki dorzki-notifications-to-slack
Social Sharing Plugin – Sassy Social Share sassy-social-share
SocialMark – Easy Watermark/Logo on Social Media Post Link Share Preview socialmark
Sola Support Tickets sola-support-tickets
Spice Blocks spice-blocks
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light excel-like-price-change-for-woocommerce-and-wp-e-commerce-light
StageShow stageshow
Sticky Radio Player lbg-audio5-html5-shoutcast_sticky
Stock Locations for WooCommerce stock-locations-for-woocommerce
Store Locator WordPress agile-store-locator
Subscription Renewal Reminders for WooCommerce subscriptions-renewal-reminders
Sunshine Photo Cart: Free Client Photo Galleries for Photographers sunshine-photo-cart
Taskbuilder – WordPress Project & Task Management plugin taskbuilder
Team Builder — Meet The Team WordPress Plugin a-team-showcase
Team Showcase team-showcase-cm
Testimonials Showcase testimonials-showcase
The Events Calendar Countdown Addon countdown-for-the-events-calendar
The Holiday Calendar the-holiday-calendar
TicketBAI Facturas para WooCommerce wp-ticketbai
Trinity Audio – Text to Speech AI audio player to convert content into audio trinity-audio
Ultimate Gift Cards for WooCommerce woo-gift-cards-lite
Ultimate WP Mail ultimate-wp-mail
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin uncanny-automator
Universal Video Player universal_video_player
Universal Video Player – WordPress Plugin elementor_widget_universal_video_player
User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor profile-builder
Vayu Blocks – Website Builder for the Block Editor vayu-blocks
Verge3D Publishing and E-Commerce verge3d
Video Embeds video-embeds
Viral Loops WP Integration viral-loops-wp-integration
WC MyParcel Belgium wc-myparcel-belgium
WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors wc-vendors
WebHotelier for WordPress webhotelier
Welcart e-Commerce usc-e-shop
Wishlist wishlist
WooCommerce Photo Reviews Premium woocommerce-photo-reviews
WooCommerce Product Filter woofilter-pro
WooCommerce Ultimate Gift Card woocommerce-ultimate-gift-card
WooCommerce Wishlist (High customization, fast setup,Free Elementor Wishlist, most features) smart-wishlist-for-more-convert
Wordapp wordapp
WordLift – AI powered SEO – Schema wordlift
WordPress Ajax Load More and Infinite Scroll cpt-ajax-load-more
WordPress Comments Import & Export comments-import-export-woocommerce
WordPress Contact Forms by Cimatti contact-forms
WordPress CRM Plugin – WP-CRM System wp-crm-system
WP AutoKeyword wp-autokeyword
WP Biographia wp-biographia
WP Compress for MainWP wp-compress-mainwp
WP Email Debug wp-email-debug
WP Featured Content Slider wp-featured-content-slider
WP Gravity Forms Constant Contact Plugin gf-constant-contact
WP Gravity Forms Salesforce gf-salesforce-crmperks
WP Lead Capturing Pages – WordPress Plugin leadcapture
WP Live Chat + Chatbots Plugin for WordPress – Chaport chaport
WP Mail Options wp-mail-options
WP Maintenance Mode & Site Under Construction wp-maintenance-mode-site-under-construction
WP Media File Type Manager wp-media-file-type-manager
WP Multilang – Translation and Multilingual Plugin wp-multilang
WP Online Users Stats wp-online-users-stats
WP Page Loading wp-page-loading
WP Plugin Info Card wp-plugin-info-card
WP Post Corrector wp-post-corrector
WP Security Master wp-security-master
WP Shopify wp-shopify
WP Shortcodes Plugin — Shortcodes Ultimate shortcodes-ultimate
WP Social Widget wp-social-widget
WP Table Builder – WordPress Table Plugin wp-table-builder
WP Team – WordPress Team Member Plugin ht-team-member
WP Text Expander wp-text-expander
WP Time Slots Booking Form wp-time-slots-booking-form
WP Tools Repair, Javascript errors, Jquery errors, Increase Maximum Limits, File Permissions, Transients, Error Log wptools
WP Travel Engine – Tour Booking Plugin – Tour Operator Software wp-travel-engine
WP User Frontend Pro wp-user-frontend-pro
WP-Addpub wp-addpub
WP-Recall – Registration, Profile, Commerce & More wp-recall
WPCHURCH – Church Management System for WordPress church-management
wpForo + wpForo Advanced Attachments wpforo-advanced-attachments
WPtouch – Make your WordPress Website Mobile-Friendly wptouch
YouTube Simple Gallery youtube-simple-gallery
ZoomSounds – WordPress Wave Audio Player with Playlist dzs-zoomsounds
«Подсказки» от DaData.ru dadata-ru
افزونه پیامک ووکامرس Persian WooCommerce SMS persian-woocommerce-sms
診断ジェネレータ作成プラグイン os-diagnosis-generator

WordPress Themes with Reported Vulnerabilities Last Week

Software Name Software Slug
Arlo | Portfolio WordPress Theme arlo
Art Theme art-theme
Car Repair Services & Auto Mechanic WordPress Theme + RTL car-repair-services
FLAP – Business WordPress Theme flap
FlatNews – Responsive Magazine WordPress Theme flatnews
Golo – City Travel Guide WordPress Theme golo
Krowd – Crowdfunding & Charity WordPress Theme krowd
PIMP – Creative MultiPurpose Theme pimp
PressGrid – Frontend Publish Reaction & Multimedia Theme press-grid
Revo – Multipurpose Elementor WooCommerce WordPress Theme (25+ Homepages & 5+ Mobile Layouts) revo
Soho Hotel Booking Calendar For WordPress soho-hotel
Spare – Ultimate MultiPurpose LESS Theme spare
Sweet Dessert | Candy Shop & Cafe WordPress Theme sweet-dessert

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Arlo <= 6.0.3 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-39475
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Arlo | Portfolio WordPress Theme
Researcher

Bonds

FLAP – Business WordPress Theme <= 1.5 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-31396
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
FLAP – Business WordPress Theme
Researcher

Tran Nguyen Bao Khanh

Golo <= 1.7.0 – Authentication Bypass to Account Takeover

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-4797
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
Golo – City Travel Guide WordPress Theme
Researcher

Foxyyy

HyperComments <= 1.2.2 – Unauthenticated (Subscriber+) Arbitrary Options Update

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-5701
Patch Status
Unpatched
Published
Jun 4, 2025

Affected Software
HyperComments
Researchers

Matteo Leonelli
David D.

Krowd <= 1.4.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-32595
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Krowd – Crowdfunding & Charity WordPress Theme
Researcher

Bonds

Motors – Events <= 1.4.7 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-47586
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Motors – Events
Researcher

Rafie Muhammad

PayU CommercePro Plugin <= 3.8.5 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-31022
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
PayU CommercePro Plugin
Researcher

Rafie Muhammad

PIMP – Creative MultiPurpose <= 1.7 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-31398
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
PIMP – Creative MultiPurpose Theme
Researcher

Tran Nguyen Bao Khanh

PressGrid – Frontend Publish Reaction & Multimedia Theme <= 1.3.1 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-31429
Patch Status
Unpatched
Published
Jun 4, 2025

Affected Software
PressGrid – Frontend Publish Reaction & Multimedia Theme
Researcher

Tran Nguyen Bao Khanh

Revo <= 4.0.26 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-39476
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Revo – Multipurpose Elementor WooCommerce WordPress Theme (25+ Homepages & 5+ Mobile Layouts)
Researcher

Bonds

Seofy Core <= 1.4.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-39473
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Seofy Core
Researcher

Bonds

Sweet Dessert < 1.1.13 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-49073
Patch Status
Patched
Published
Jun 3, 2025

Affected Software
Sweet Dessert | Candy Shop & Cafe WordPress Theme
Researcher

Tran Nguyen Bao Khanh

WP Email Debug 1.0 – 1.1.0 – Missing Authorization to Unauthenticated Privilege Escalation via Password Reset

9.8

CVSS Rating
Critical (9.8)
CVE-ID
CVE-2025-5486
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Email Debug
Researcher

kr0d

AI Mortgage Calculator <= 1.0.1 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2023-25995
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
AI Mortgage Calculator
Researcher

0x1ceKing

BRW <= 1.8.6 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-49313
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
BRW – Booking Rental Plugin WooCommerce
Researcher

Phat RiO – BlueRock

Password Policy Manager <= 2.0.4 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-31019
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Password Policy Manager | Password Manager
Researcher

Rafie Muhammad

Sunshine Photo Cart <= 3.4.11 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-5482
Patch Status
Patched
Published
Jun 3, 2025

Affected Software
Sunshine Photo Cart: Free Client Photo Galleries for Photographers
Researchers

Brian Sans-Souci (liardom)
the sneaky squirrel

WP Multilang <= 2.4.19 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-49307
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Multilang – Translation and Multilingual Plugin
Researcher

muhammad yudha

WP Shopify <= 1.5.3 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-30999
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Shopify
Researcher

timomangcut

WP Travel Engine <= 6.5.1 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-49308
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Travel Engine – Tour Booking Plugin – Tour Operator Software
Researcher

muhammad yudha

WP User Frontend Pro <= 4.1.3 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)
CVE-ID
CVE-2025-3054
Patch Status
Patched
Published
Jun 4, 2025

Affected Software
WP User Frontend Pro
Researcher

Foxyyy

POEditor <= 0.9.10 – Cross-Site Request Forgery

8.1

CVSS Rating
High (8.1)
CVE-ID
CVE-2025-49237
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
POEditor
Researcher

Nguyen Xuan Chien

WP User Frontend Pro <= 4.1.3 – Authenticated (Subscriber+) Arbitrary File Deletion

8.1

CVSS Rating
High (8.1)
CVE-ID
CVE-2025-3055
Patch Status
Patched
Published
Jun 4, 2025

Affected Software
WP User Frontend Pro
Researcher

Foxyyy

Multi CryptoCurrency Payments <= 2.0.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-48141
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Multi CryptoCurrency Payments
Researcher

ch4r0n

MyStyle Custom Product Designer <= 3.21.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-48281
Patch Status
Patched
Published
Jun 3, 2025

Affected Software
MyStyle Custom Product Designer
Researcher

Martino Spagnuolo

Product Filter Pro <= 2.7.6 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-39496
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
WooCommerce Product Filter
Researcher

Trương Hữu Phúc (truonghuuphuc)

Recover abandoned cart for WooCommerce <= 2.5 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-47608
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Recover abandoned cart for WooCommerce
Researcher

ch4r0n

Spice Blocks <= 2.0.7.2 – Unauthenticated Arbitrary File Download

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-48130
Patch Status
Unpatched
Published
Jun 4, 2025

Affected Software
Spice Blocks
Researcher

Martino Spagnuolo

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-48122
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light
Researcher

ch4r0n

WooCommerce Ultimate Gift Card – Create, Sell and Manage Gift Cards with Customized Email Templates <= 2.8.10 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-47569
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
WooCommerce Ultimate Gift Card
Researcher

Bonds

WP Lead Capturing Pages <= 2.3 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-31424
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
WP Lead Capturing Pages – WordPress Plugin
Researcher

Tran Nguyen Bao Khanh

WPCHURCH <= 2.7.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)
CVE-ID
CVE-2025-32303
Patch Status
Unpatched
Published
Jun 3, 2025

Affected Software
WPCHURCH – Church Management System for WordPress
Researcher

Annn

Car Repair Services <= 5.0 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2025-30997
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Car Repair Services & Auto Mechanic WordPress Theme + RTL
Researcher

Bonds

LTL Freight Quotes – Freightview Edition <= 1.0.11, LTL Freight Quotes – Daylight Edition <=2.2.6 and LTL Freight Quotes – Day & Ross Edition <= 2.1.10 – Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2025-5303
Patch Status
Patched
Published
Jun 6, 2025

Affected Software
LTL Freight Quotes – Freightview Edition
LTL Freight Quotes – Day & Ross Edition
LTL Freight Quotes – Daylight Edition
Researcher

sterva

Shared Files <= 1.7.48 – Unauthenticated Stored Cross-Site Scripting via sanitize_file Function

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2025-4392
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
Shared Files – Frontend File Upload Form & Secure File Sharing
Researcher

Martin Martin

Store Locator WordPress <= 1.5.2 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2025-49329
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Store Locator WordPress
Researcher

Nguyen Kim Sang

WP Gravity Forms Constant Contact Plugin <= 1.1.0 – Open Redirect

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2025-30954
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Gravity Forms Constant Contact Plugin
Researcher

Bonds

wpForo + wpForo Advanced Attachments <= 3.1.3 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)
CVE-ID
CVE-2025-4224
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
wpForo + wpForo Advanced Attachments
Researcher

Christie BOUTIER

Hive Support <= 1.2.4 – Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox

7.1

CVSS Rating
High (7.1)
CVE-ID
CVE-2025-5018
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
Researcher

Vo Thi Ngoc Nhi

Hydra Booking <= 1.1.10 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-49323
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Hydra Booking – All in One Appointment Booking System | Appointment Scheduling, Booking Calendar & WooCommerce Bookings
Researcher

Nguyen Ngoc Quang Bach (maysbachs)

Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin <= 6.4.0.2 – Missing Authorization

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-48133
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin
Researcher

Denver Jackson

Welcart e-Commerce <= 2.11.13 – Authenticated (Editor+) Arbitrary File Deletion

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-47511
Patch Status
Patched
Published
Jun 3, 2025

Affected Software
Welcart e-Commerce
Researcher

Martino Spagnuolo

WP-Addpub <= 1.2.8 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)
CVE-ID
CVE-2025-5563
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP-Addpub
Researcher

muhammad yudha

Abbie Expander <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49427
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Abbie Expander
Researcher: Chu The Anh

All Currencies for WooCommerce <= 2.4.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-30950
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: All Currencies for WooCommerce
Researcher: muhammad yudha

Bacon Ipsum <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49443
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Bacon Ipsum
Researcher: Chu The Anh

Bellows Accordion Menu <= 1.4.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49242
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Bellows Accordion Menu
Researcher: muhammad yudha

Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress <= 6.7 – Authenticated (Subscriber+) Stored Cross-Site Scripting via SVG File Uploads
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1725
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: Bit File Manager – 100% Free & Open Source File Manager and Code Editor for WordPress
Researcher: TANG Cheuk Hei (siunam)

BlockStrap Page Builder – Bootstrap Blocks <= 0.1.36 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-30951
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: BlockStrap Page Builder – Bootstrap Blocks
Researcher: Prissy

BM Content Builder <= 3.16.2.1 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via ux_cb_page_options_save
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-1777
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: BM Content Builder
Researcher: István Márton

BNS Featured Category <= 2.8.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5538
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: BNS Featured Category
Researcher: muhammad yudha

BRW <= 1.8.6 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49314
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: BRW – Booking Rental Plugin WooCommerce
Researcher: Phat RiO – BlueRock

Contact Form <= 2.0.12 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-30935
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Contact Form
Researcher: theviper17y

Domain For Sale <= 3.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5239
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Domain For Sale, Domain appraisal, Domain auction, Domain marketplace – Best Domain For sale Plugin for WordPress
Researcher: Peter Thaleikis

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Event Calendar Widget
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-9993
Patch Status: Patched
Published: Jun 6, 2025
Affected Software: Essential Addons for Elementor – Popular Elementor Templates and Widgets
Researcher: zer0gh0st

Essential Addons for Elementor – Best Elementor Templates, Widgets, Kits & WooCommerce Builders <= 6.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2024-9994
Patch Status: Patched
Published: Jun 6, 2025
Affected Software: Essential Addons for Elementor – Popular Elementor Templates and Widgets
Researcher: zer0gh0st

ESV Bible Shortcode for WordPress <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5534
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: ESV Bible Shortcode for WordPress
Researcher: muhammad yudha

Event post <= 5.10.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49298
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Event post
Researcher: Peter Thaleikis

Faculty Staff and Student Directory Plugin – Campus Directory <= 1.9.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5532
Patch Status: Patched
Published: Jun 3, 2025
Affected Software: Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress
Researcher: muhammad yudha

Forminator <= 1.44.1 – Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via id and data-size Parameters
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5341
Patch Status: Patched
Published: Jun 4, 2025
Affected Software: Forminator Forms – Contact Form, Payment Form & Custom Form Builder
Researcher: Asaf Mozes

Freemind Viewer <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5536
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Freemind Viewer
Researcher: muhammad yudha

Frontend Dashboard <= 2.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49310
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Frontend Dashboard
Researcher: muhammad yudha

Greenshift <= 11.5.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49301
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Greenshift – animation and page builder blocks
Researcher: Peter Thaleikis

Hide It <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5565
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Hide It
Researcher: muhammad yudha

HT Team Member <= 1.1.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49309
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: WP Team – WordPress Team Member Plugin
Researcher: muhammad yudha

Image Hover Effects Block <= 1.4.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-31025
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Image Hover Effects Block
Researcher: zaim

Knowledge Base <= 2.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5533
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Knowledge Base
Researcher: muhammad yudha

Music Player for Elementor <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via album_buy_url Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5340
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: Music Player for Elementor – Audio Player & Podcast Player
Researcher: Webbernaut

Nasa Core < 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49067
Patch Status: Patched
Published: Jun 3, 2025
Affected Software: Nasa Core
Researcher: Phat RiO – BlueRock

Nexa Blocks <= 1.1.0 – Authenticated (Contributor+) Server-Side Request Forgery
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-30976
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Researcher: theviper17y

Nexa Blocks <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-30952
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE
Researcher: Prissy

Next Event Calendar <= 1.2 – Authenticated (Author+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2023-26001
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Next Event Calendar
Researcher: Nguyen Ngoc Quang Bach (maysbachs)

Paged Gallery <= 0.7 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5686
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Paged Gallery
Researcher: muhammad yudha

Popup Maker <= 1.20.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via popupID Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-4205
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: Popup Maker – Boost Sales, Conversions, Optins, Subscribers with the Ultimate WP Popups Builder
Researcher: Asaf Mozes

Premium Packages <= 6.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-30991
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Premium Packages – Sell Digital Products Securely
Researcher: Peter Thaleikis

Product Catalog Simple <= 1.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49305
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Product Catalog Simple
Researcher: muhammad yudha

Profile Builder <= 3.13.8 – Authenticated (Contributor+) Stored Cross-Site Scripting via user_meta and compare Shortcodes
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-4671
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Researcher: muhammad yudha

RTMKit Addons for Elementor <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49235
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: RTMKit Addons for Elementor
Researcher: Prissy

Runners Log <= 3.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5541
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Runners Log
Researcher: muhammad yudha

Search with Typesense <= 2.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49304
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Search with Typesense
Researcher: muhammad yudha

SEPA Girocode <= 0.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49450
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: SEPA Girocode
Researcher: Chu The Anh

ShiftNav – Responsive Mobile Menu <= 1.8 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49243
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: ShiftNav – Responsive Mobile Menu
Researcher: muhammad yudha

Shortcodes Ultimate <= 7.3.5 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49244
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: WP Shortcodes Plugin — Shortcodes Ultimate
Researcher: muhammad yudha

Simple Google Static Map <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-27334
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Simple Google Static Map
Researcher: Chu The Anh

Simple Nested Menu <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49442
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Simple Nested Menu
Researcher: Chu The Anh

Simplify Contact Management: WP Easy Contact <= 4.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5539
Patch Status: Patched
Published: Jun 3, 2025
Affected Software: Simple Contact Form Plugin for WordPress – WP Easy Contact
Researcher: muhammad yudha

SocialMark <= 2.0.7 – Authenticated (Subscriber+) Server-Side Request Forgery
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-29008
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: SocialMark – Easy Watermark/Logo on Social Media Post Link Share Preview
Researcher: theviper17y

Staff Directory – Employee Directory for WordPress <= 4.5.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5531
Patch Status: Patched
Published: Jun 3, 2025
Affected Software: Employee Directory – Staff Listing & Team Directory Plugin for WordPress
Researcher: muhammad yudha

StageShow <= 10.0.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via anchor Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5703
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: StageShow
Researcher: Peter Thaleikis

The Events Calendar Countdown Addon <= 1.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49311
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: The Events Calendar Countdown Addon
Researcher: muhammad yudha

The Holiday Calendar <= 1.18.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-29003
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: The Holiday Calendar
Researcher: Nguyen Xuan Chien

Vayu Blocks <= 1.3.1 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via containerWidth Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-4420
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: Vayu Blocks – Website Builder for the Block Editor
Researcher: Chuck

Video Embeds <= 0.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49429
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Video Embeds
Researcher: Chu The Anh

WebHotelier <= 1.9.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49299
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: WebHotelier for WordPress
Researcher: Peter Thaleikis

WordPress Ajax Load More and Infinite Scroll <= 1.6.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5586
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WordPress Ajax Load More and Infinite Scroll
Researcher: Peter Thaleikis

WordPress Comments Import & Export <= 2.4.3 – Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-3919
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: WordPress Comments Import & Export
Researcher: Jorgson

WP Plugin Info Card <= 5.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via containerid Parameter
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5116
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: WP Plugin Info Card
Researcher: Peter Thaleikis

WP Social Widget <= 2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-49306
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: WP Social Widget
Researcher: muhammad yudha

WpEvently <= 4.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-5568
Patch Status: Patched
Published: Jun 6, 2025
Affected Software: Event Manager and Tickets Selling Plugin for WooCommerce – WpEvently – WordPress Plugin
Researcher: siavashvafshar

YouTube Simple Gallery <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting
CVSS Rating: Medium (6.4)
CVE-ID: CVE-2025-29011
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: YouTube Simple Gallery
Researcher: Skalucy

Category Icon <= 1.0.2 – Authenticated (Author+) XML External Entity Injection
CVSS Rating: Medium (6.3)
CVE-ID: CVE-2025-31039
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: Category Icon
Researcher: Drew Webber (mcdruid)

Backup and Staging by WP Time Capsule <= 1.22.23 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-47477
Patch Status: Patched
Published: Jun 4, 2025
Affected Software: Backup and Staging by WP Time Capsule
Researcher: Trương Hữu Phúc (truonghuuphuc)

Bg Orthodox Calendar <= 0.13.10 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-28958
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Bg Orthodox Calendar
Researcher: Nguyen Xuan Chien

BP Profile as Homepage <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-49453
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: BP Profile as Homepage
Researcher: johska

FlatNews <= 5.8 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-32305
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: FlatNews – Responsive Magazine WordPress Theme
Researcher: Tran Nguyen Bao Khanh

MC Woocommerce Wishlist <= 1.9.1 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-47487
Patch Status: Patched
Published: Jun 4, 2025
Affected Software: WooCommerce Wishlist (High customization, fast setup, Free Elementor Wishlist, most features)
Researcher: Peter Thaleikis

Mediabay – WordPress Media Library Folders <= 1.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-28948
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Mediabay – WordPress Media Library Folders
Researcher: Tran Nguyen Bao Khanh

Newspack Newsletters <= 3.13.0 – Open Redirect
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-49325
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Newspack Newsletters
Researcher: Hiro

Personal Favicon <= 2.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-28964
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Personal Favicon
Researcher: Nguyen Xuan Chien

Revolution Video Player <= 2.9.2 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31058
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: Revolution Video Player With Bottom Playlist WordPress Plugin – YouTube/Vimeo/Self-Hosted Support
Researcher: Tran Nguyen Bao Khanh

SHOUT <= 3.5.3 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31925
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: SHOUT
Researcher: Tran Nguyen Bao Khanh

Social Sharing Plugin – Sassy Social Share <= 3.3.75 – Reflected Cross-Site Scripting via ‘heateor_mastodon_share’ Parameter
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-5528
Patch Status: Patched
Published: Jun 6, 2025
Affected Software: Social Sharing Plugin – Sassy Social Share
Researcher: Naveen H N

Soho Hotel <= 4.2.5 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-39539
Patch Status: Unpatched
Published: Jun 4, 2025
Affected Software: Soho Hotel Booking Calendar For WordPress
Researcher: Bonds

Spare <= 1.7 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31638
Patch Status: Unpatched
Published: Jun 4, 2025
Affected Software: Spare – Ultimate MultiPurpose LESS Theme
Researcher: Tran Nguyen Bao Khanh

Sticky Radio Player <= 3.4 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31426
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: Sticky Radio Player
Researcher: Tran Nguyen Bao Khanh

Universal Video Player <= 1.4.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31057
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: Universal Video Player – WordPress Plugin
Researcher: Tran Nguyen Bao Khanh

Universal Video Player <= 3.8.3 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31917
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Universal Video Player
Researcher: Chu The Anh

WC MyParcel Belgium <= 4.5.5-beta – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-48279
Patch Status: Patched
Published: Jun 3, 2025
Affected Software: WC MyParcel Belgium
Researcher: Ryan Novotny

Wishlist <= 2.1.0 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-31061
Patch Status: Unpatched
Published: Jun 4, 2025
Affected Software: Wishlist
Researcher: Tran Nguyen Bao Khanh

WooCommerce Photo Reviews – Review Reminders – Review for Discounts <= 1.3.13 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-47570
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: WooCommerce Photo Reviews Premium
Researcher: Bonds

WP Gravity Forms Salesforce <= 1.4.7 – Open Redirect
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-30953
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WP Gravity Forms Salesforce
Researcher: Nguyen Xuan Chien

WP Mail Options <= 0.2.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-28981
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WP Mail Options
Researcher: Nguyen Xuan Chien

WP Online Users Stats <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via hk_dataset_results Function
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-4966
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WP Online Users Stats
Researcher: rajanhoyr

ZoomSounds <= 6.91 – Reflected Cross-Site Scripting
CVSS Rating: Medium (6.1)
CVE-ID: CVE-2025-47566
Patch Status: Unpatched
Published: Jun 3, 2025
Affected Software: ZoomSounds – WordPress Wave Audio Player with Playlist
Researcher: Tran Nguyen Bao Khanh

Ninja Tables – Easy Data Table Builder <= 5.0.18 – Unauthenticated PHP Object Injection to Limited Remote Code Execution
CVSS Rating: Medium (5.6)
CVE-ID: CVE-2025-2939
Patch Status: Patched
Published: Jun 2, 2025
Affected Software: Ninja Tables – Easy Data Table Builder
Researcher: Trương Hữu Phúc (truonghuuphuc)

AppBanners <= 1.5.14 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2025-30625
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: AppBanners
Researcher: Nabil Irawan

Developer Formatter <= 2015.0.2.1 – Authenticated (Administrator+) Stored Cross-Site Scripting via Custom CSS
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2025-5699
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Developer Formatter
Researcher: l33ch

Sina Extension for Elementor <= 3.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2025-49262
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Sina Extension for Elementor (Header Builder, Footer Builter, Theme Builder, Slider, Gallery, Form, Modal, Data Table Free Elementor Widgets & Elementor Templates)
Researcher: Nabil Irawan

WP Featured Content Slider <= 2.6 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2025-30634
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WP Featured Content Slider
Researcher: Nabil Irawan

WP Live Chat + Chatbots Plugin for WordPress – Chaport <= 1.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting
CVSS Rating: Medium (5.5)
CVE-ID: CVE-2025-30977
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WP Live Chat + Chatbots Plugin for WordPress – Chaport
Researcher: haudayroi

Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms <= 2024.7 – Cross-Site Request Forgery to Multiple Administrative Actions
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2025-2935
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Anti-Spam: Spam Protection | Block Spam Users, Comments, Forms
Researcher: Noah Stead (TurtleBurg)

Hive Support <= 1.2.4 – Cross-Site Request Forgery via hs_update_ai_chat_settings Function
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2025-5019
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Hive Support | AI-Powered Help Desk, Live Chat & AI Chat Bot Plugin for WordPress
Researcher: Vo Thi Ngoc Nhi

Team Showcase < 25.05.13 – Authenticated (Subscriber+) Arbitrary Shortcode Execution
CVSS Rating: Medium (5.4)
CVE-ID: CVE-2025-49250
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Team Showcase
Researcher: Tran Nguyen Bao Khanh

bbPress API <= 1.0.14 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-24763
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: bbPress API
Researcher: ch4r0n

Crawlomatic Multisite Scraper Post Generator <= 2.6.8.2 – Unauthenticated Information Exposure via Log Files
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49294
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Crawlomatic Multipage Scraper Post Generator
Researcher: Nguyễn Trung Kiên

Direct Checkout for WooCommerce Lite <= 1.0.3 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-29006
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Direct Checkout for WooCommerce Lite
Researcher: HLog

elfsight Contact Form widget <= 2.3.1 – Unauthenticated Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-31045
Patch Status: Unpatched
Published: Jun 4, 2025
Affected Software: elfsight-contact-form
Researcher: Tran Nguyen Bao Khanh

FraudLabs Pro for WooCommerce <= 2.22.11 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49320
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: FraudLabs Pro for WooCommerce
Researcher: ch4r0n

Interactive Regional Map of Florida <= 1.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49441
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Interactive Regional Map of Florida
Researcher: Chu The Anh

InWave Jobs <= 3.5.8 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-39477
Patch Status: Unpatched
Published: Jun 4, 2025
Affected Software: InWave Jobs
Researcher: Mohamed Ali

Job Board Manager <= 2.1.60 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49324
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Job Board Manager
Researcher: Hiro

KI Live Video Conferences <= 5.5.15 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-23971
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: KI Live Video Conferences
Researcher: HLog

KI Live Video Conferences <= 5.5.15 – Unauthenticated Information Disclosure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-23969
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: KI Live Video Conferences
Researcher: HLog

Modern Events Calendar <= 7.21.9 – Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-5733
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Modern Events Calendar Lite
Researcher: Abdullah Shittu

MultiVendorX <= 4.2.22 – Unauthenticated Information Exposure
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-48261
Patch Status: Patched
Published: Jun 4, 2025
Affected Software: MultiVendorX – WooCommerce Multivendor Marketplace Solutions
Researcher: LVT-tholv2k

Payment QR WooCommerce <= 1.1.6 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-31000
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Payment QR WooCommerce
Researcher: ch4r0n

Profile Builder <= 3.13.8 – Unauthenticated Content Spoofing
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49292
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor
Researcher: Trương Hữu Phúc (truonghuuphuc)

Profiler – What Slowing Down Your WP <= 1.0.0 – Missing Authentication to Unauthenticated Arbitrary Plugin Reactivation via State Restoration
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-5814
Patch Status: Unpatched
Published: Jun 6, 2025
Affected Software: Profiler – What Slowing Down Your WP
Researcher: ch4r0n

Raychat <= 2.1.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49236
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Raychat
Researcher: Nguyen Xuan Chien

Taskbuilder <= 4.0.3 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-30945
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Taskbuilder – WordPress Project & Task Management plugin
Researcher: Hiro

TicketBAI Facturas para WooCommerce <= 3.19 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-24762
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: TicketBAI Facturas para WooCommerce
Researcher: ch4r0n

Trinity Audio <= 5.20.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49272
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Trinity Audio – Text to Speech AI audio player to convert content into audio
Researcher: Nguyen Xuan Chien

Verge3D <= 4.9.4 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49268
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Verge3D Publishing and E-Commerce
Researcher: Kévin Mosbahi (Mika)

Viral Loops WP Integration <= 3.8.1 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-28995
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Viral Loops WP Integration
Researcher: ch4r0n

Wordapp <= 1.7.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-30927
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Wordapp
Researcher: HLog

WP AutoKeyword <= 1.0 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-28997
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: WP AutoKeyword
Researcher: Hiro

WP-CRM System <= 3.4.2 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-49270
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: WordPress CRM Plugin – WP-CRM System
Researcher: Kévin Mosbahi (Mika)

診断ジェネレータ作成プラグイン <= 1.4.16 – Missing Authorization
CVSS Rating: Medium (5.3)
CVE-ID: CVE-2025-30934
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: 診断ジェネレータ作成プラグイン
Researcher: Nguyen Xuan Chien

Complete Google Seo Scan <= 3.5.1 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-26590
Patch Status: Unpatched
Published: Jun 5, 2025
Affected Software: Complete Google Seo Scan
Researcher: Nguyen Quang Minh

GamiPress <= 7.4.5 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-49326
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress
Researcher: Nguyen Kim Sang

Libro de Reclamaciones y Quejas <= 0.9 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-30989
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Libro de Reclamaciones y Quejas
Researcher: 0x1ceKing

Persian Woocommerce SMS <= 7.0.10 – Authenticated (Shop manager+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-49315
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: افزونه پیامک ووکامرس Persian WooCommerce SMS
Researcher: Martino Spagnuolo

ShortLinks Pro <= 1.0.7 – Authenticated (Administrator+) SQL Injection
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-49327
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: ShortLinks Pro – Affiliate Links, Link Shortening, Click Tracking & Marketing
Researcher: Nguyen Kim Sang

Simple History <= 5.8.1 – Authenticated (Administrator+) Sensitive Information Exposure via Detective Mode
CVSS Rating: Medium (4.9)
CVE-ID: CVE-2025-5760
Patch Status: Patched
Published: Jun 5, 2025
Affected Software: Simple History – Track, Log, and Audit WordPress Changes
Researcher: Blair Crawford

Store Locator WordPress <= 1.5.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-49328
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Store Locator WordPress
Researcher

Nguyen Kim Sang

Ultimate Gift Cards for WooCommerce <= 3.1.4 – Authenticated (Administrator+) SQL Injection via wps_wgm_save_post Function

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-5103
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
Ultimate Gift Cards for WooCommerce
Researcher

Abdulaziz Alzamil

WC Vendors Marketplace <= 2.5.6 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-49263
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors
Researcher

timomangcut

WP Online Users Stats <= 1.0.0 – Authenticated (Editor+) SQL Injection via table_name Parameter

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-4964
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Online Users Stats
Researcher

rajanhoyr

WP Post Corrector <= 1.0.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2023-26003
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Post Corrector
Researcher

Nguyen Ngoc Quang Bach (maysbachs)

WP Text Expander <= 1.0.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)
CVE-ID
CVE-2025-49421
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Text Expander
Researcher

Chu The Anh

«Подсказки» от DaData.ru <= 1.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30931
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
«Подсказки» от DaData.ru
Researcher

Nabil Irawan

404 Page by SeedProd <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49322
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
404 Page by SeedProd
Researcher

Nguyen Ngoc Quang Bach (maysbachs)

ACF: Yandex Maps Field <= 1.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30930
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
ACF: Yandex Maps Field
Researcher

Nabil Irawan

Bang tinh vay <= 1.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2023-26000
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Bang tinh vay
Researcher

Nguyen Ngoc Quang Bach (maysbachs)

Booking Ultra Pro <= 1.1.20 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30637
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Booking Ultra Pro Appointments Booking Calendar Plugin
Researcher

Nabil Irawan

Broadly for WordPress <= 3.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30938
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Broadly for WordPress
Researcher

Nabil Irawan

Elegant Visitor Counter <= 3.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30627
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Elegant Visitor Counter
Researcher

Nabil Irawan

Global Translator <= 2.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30630
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Global Translator
Researcher

Nabil Irawan

IFrame Widget <= 4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30939
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
IFrame Widget
Researcher

Nabil Irawan

Melipayamak <= 2.2.12 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30940
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Melipayamak
Researcher

Nabil Irawan

Pinterest Verify Meta Tag <= 1.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30941
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Pinterest Verify Meta Tag
Researcher

Nabil Irawan

Post Custom Templates Lite <= 1.14 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30942
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Post Custom Templates Lite
Researcher

domiee13

Powie’s Uptime Robot <= 0.9.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30638
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Powie’s Uptime Robot Plugin
Researcher

Nabil Irawan

Read More Login <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-28989
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Read More Login
Researcher

Nguyen Ngoc Quang Bach (maysbachs)

Responsify WP <= 1.9.11 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30937
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Responsify WP
Researcher

Nabil Irawan

Simple Membership <= 4.6.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49333
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Simple Membership
Researcher

bintable

WP Biographia <= 4.0.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-30928
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Biographia
Researcher

Unknown

WPtouch <= 4.3.60 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)
CVE-ID
CVE-2025-49318
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WPtouch – Make your WordPress Website Mobile-Friendly
Researcher

Nabil Irawan

6Storage Rentals <= 2.19.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2023-26002
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
6Storage Rentals
Researcher

ghsinfosec

Accessibility Suite <= 4.19 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30636
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Accessibility Suite by Ability, Inc
Researcher

Nguyen Xuan Chien

Activity Plus Reloaded for BuddyPress <= 1.1.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30957
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Activity Plus Reloaded for BuddyPress
Researcher

domiee13

Admin Notes <= 1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49446
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Admin Notes
Researcher

Chu The Anh

Advanced Post List <= 0.5.6.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30968
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Advanced Post List
Researcher

Nguyen Xuan Chien

Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant <= 4.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49283
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Anti-spam, Spam protection, ReCaptcha for all forms and GDPR-compliant
Researcher

Skalucy

Art Theme <= 3.12.2.3 – Missing Authorization to Authenticated (Subscriber+) Theme Option Delete

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-1778
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Art Theme
Researcher

István Márton

Atelier Create CV <= 1.1.2 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49439
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Atelier Create CV
Researcher

Chu The Anh

Backwp <= 2.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28954
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Backwp
Researcher

Nguyen Xuan Chien

Behance Portfolio Manager <= 1.7.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-29010
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Behance Portfolio Manager
Researcher

domiee13

Bitly URL Shortener <= 1.3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30629
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Bitly URL Shortener
Researcher

Nabil Irawan

Booqable Rental <= 2.4.20 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30956
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Booqable Rental Plugin
Researcher

Nguyen Xuan Chien

Broken Link Checker <= 2.4.4 – Missing Authorization to Authenticated (Subscriber+) Plugin Status Dashboard View

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-4047
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
Broken Link Checker
Researcher

Nguyễn Trung Kiên

Calculated Fields Form <= 5.3.58 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49291
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Calculated Fields Form
Researcher

Trương Hữu Phúc (truonghuuphuc)

Contact Forms by Cimatti Plugin <= 1.9.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49069
Patch Status
Patched
Published
Jun 2, 2025

Affected Software
WordPress Contact Forms by Cimatti
Researcher

Shivam Khanna

Crawlomatic Multisite Scraper Post Generator <= 2.6.8.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49293
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Crawlomatic Multipage Scraper Post Generator
Researcher

Nguyễn Trung Kiên

CubePoints <= 3.2.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28952
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
CubePoints
Researcher

Nguyen Xuan Chien

CubeWP – All-in-One Dynamic Content Framework <= 1.1.24 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30994
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
CubeWP – All-in-One Dynamic Content Framework
Researcher

domiee13

Custom Bulk/Quick Edit <= 1.6.10 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30946
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Custom Bulk/Quick Edit
Researcher

domiee13

Custom Category/Post Type Post order <= 1.5.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-29013
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Custom Category/Post Type Post order
Researcher

domiee13

DocsPress <= 2.5.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49240
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
DocsPress – Online Documentation
Researcher

domiee13

Elastic Email Subscribe Form <= 1.2.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28985
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Elastic Email Subscribe Form
Researcher

Hiro

Elite Video Player <= 10.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30986
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Elite Video Player
Researcher

Nguyễn Trung Kiên

Epicwin Plugin <= 1.5 – Cross-Site Request Forgery to SQL Injection

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28986
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Epicwin Plugin
Researcher

Nguyen Xuan Chien

Everest Backup <= 2.3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49238
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin
Researcher

domiee13

FastBook <= 1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-26593
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
FastBook – Responsive Appointment Booking and Scheduling System
Researcher

HLog

Free WP Mail SMTP <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28974
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Free WP Mail SMTP (Official – 2019)
Researcher

Nguyen Xuan Chien

Global Translator <= 2.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30632
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Global Translator
Researcher

Nabil Irawan

GPP Slideshow <= 1.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28996
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
GPP Slideshow
Researcher

HLog

HR Management Lite <= 3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-29005
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
HR Management Lite
Researcher

Hiro

Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.18 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-47527
Patch Status
Patched
Published
Jun 4, 2025

Affected Software
Icegram Collect – Easy Form, Lead Collection and Subscription plugin
Researcher

ch4r0n

Interactive Regional Map of Africa <= 1.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49449
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Interactive Regional Map of Africa
Researcher

Chu The Anh

Interactive UK Regional Map <= 2.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49445
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Interactive UK Regional Map
Researcher

Chu The Anh

Konami Easter Egg <= v0.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49425
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Konami Easter Egg
Researcher

Marek Mikita

Layouts for Elementor <= 1.11 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30948
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Layouts for Elementor
Researcher

domiee13

Market Exporter <= 2.0.22 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49269
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Market Exporter
Researcher

Kévin Mosbahi (Mika)

No Spam At All <= 1.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24778
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
No Spam At All
Researcher

ch4r0n

oik <= 4.15.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49241
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
oik
Researcher

Annn

Pay with Contact Form 7 <= 1.0.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24772
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Pay with Contact Form 7
Researcher

haudayroi

PDF for WPForms <= 5.5.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49289
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
PDF for WPForms + Drag and Drop Template Builder
Researcher

domiee13

Post Author <= 1.1.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28950
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Post Author
Researcher

Skalucy

Post Grid Master <= 3.4.13 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30974
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Post Grid Master – Custom Post Types, Taxonomies & Ajax Filter Everything with Infinite Scroll, Load More, Pagination & Shortcode Builder
Researcher

muhammad yudha

Product Feed for WooCommerce <= 2.2.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49287
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Product Feed for WooCommerce – Google Shopping Feed, Pinterest Feed, TikTok Ads & More
Researcher

domiee13

Quick Event Calendar <= 1.4.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27360
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Quick Event Calendar
Researcher

haudayroi

Recent Posts Slider Responsive <= 1.0.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28966
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Recent Posts Slider Responsive
Researcher

Nguyen Xuan Chien

Responsive Flipbooks <= 1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-24776
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Responsive Flipbooks
Researcher

ch4r0n

Simple Keyword to Link <= 1.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30980
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Simple Keyword to Link
Researcher

Nguyen Xuan Chien

Slack Notifications by dorzki <= 2.0.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30978
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Slack Notifications by dorzki
Researcher

Annn

Sola Support Ticket <= 3.18 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2023-25997
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Sola Support Tickets
Researcher

lucky_buddy

Stock Locations for WooCommerce <= 2.8.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-47463
Patch Status
Patched
Published
Jun 7, 2025

Affected Software
Stock Locations for WooCommerce
Researcher

LVT-tholv2k

Subscription Renewal Reminders for WooCommerce <= 1.3.7 – Cross-Site Request Forgery to Notice Dismissal

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-28984
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Subscription Renewal Reminders for WooCommerce
Researcher

0xd4rk5id3

Team Builder <= 1.5.7 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-32308
Patch Status
Unpatched
Published
Jun 4, 2025

Affected Software
Team Builder — Meet The Team WordPress Plugin
Researcher

Tran Nguyen Bao Khanh

Team Showcase < 25.05.13 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49248
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Team Showcase
Researcher

Tran Nguyen Bao Khanh

Testimonials Showcase <= 1.9.16 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49246
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Testimonials Showcase
Researcher

Tran Nguyen Bao Khanh

ThemeHunk <= 1.1.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30990
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Easy Mega Menu Plugin for WordPress – ThemeHunk
Researcher

domiee13

Ultimate WP Mail <= 1.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49288
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Ultimate WP Mail
Researcher

domiee13

WordLift <= 3.54.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30624
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WordLift – AI powered SEO – Schema
Researcher

domiee13

WP Compress for MainWP <= 6.30.32 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30932
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Compress for MainWP
Researcher

HLog

WP Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 3.8.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49285
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent
Researcher

domiee13

WP Maintenance Mode & Site Under Construction <= 4.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49284
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Maintenance Mode & Site Under Construction
Researcher

Skalucy

WP Media File Type Manager <= 2.3.0 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-27359
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Media File Type Manager
Researcher

0xd4rk5id3

WP Page Loading <= 1.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49317
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Page Loading
Researcher

Nabil Irawan

WP Security Master <= 1.0.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49440
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP Security Master
Researcher

Chu The Anh

WP Table Builder <= 2.0.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49286
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Table Builder – WordPress Table Plugin
Researcher

domiee13

WP Time Slots Booking Form <= 1.2.30 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49332
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Time Slots Booking Form
Researcher

Jang Jeong Ahn (Jhanks)

WP Tools <= 5.24 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-49273
Patch Status
Patched
Published
Jun 5, 2025

Affected Software
WP Tools Repair, Javascript errors, Jquery errors, Increase Maximum Limits, File Permissions, Transients, Error Log
Researcher

Nguyen Xuan Chien

WP-Recall <= 16.26.14 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)
CVE-ID
CVE-2025-30981
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More
Researcher

0xd4rk5id3

Viral Loops WP Integration <= 3.8.1 – Missing Authorization

3.1

CVSS Rating
Low (3.1)
CVE-ID
CVE-2025-28994
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Viral Loops WP Integration
Researcher

ch4r0n

Foxit eSign for WordPress <= 2.0.3 – Authenticated (Admin+) Information Exposure

2.7

CVSS Rating
Low (2.7)
CVE-ID
CVE-2025-49419
Patch Status
Unpatched
Published
Jun 5, 2025

Affected Software
Foxit eSign for WordPress
Researcher

Denver Jackson


As a reminder, Wordfence has curated an industry-leading vulnerability database, Wordfence Intelligence, covering all known WordPress core, theme, and plugin vulnerabilities.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, direct submissions from vulnerability researchers via our Bug Bounty Program, and monitoring of varying sources to capture all publicly available WordPress vulnerability information, adding additional context where we can.


The post Wordfence Intelligence Weekly WordPress Vulnerability Report (June 2, 2025 to June 8, 2025) appeared first on Wordfence.