CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-14892 – Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-14892
12 Feb 2026 — The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret. • https://wpscan.com/vulnerability/d12332ec-1d0c-4ff5-94e0-7c4470bdb79c •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2026-1729 – AdForest <= 6.0.12 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2026-1729
11 Feb 2026 — The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. • https://themeforest.net/item/adforest-classified-wordpress-theme/19481695 • CWE-306: Missing Authentication for Critical Function •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2026-1357 – Migration, Backup, Staging <= 0.9.123 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-1357
10 Feb 2026 — The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to Unauthenticated Arbitrary File Upload in versions up to and including 0.9.123. • https://packetstorm.news/files/id/215570 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-1056 – Snow Monkey Forms <= 12.0.3 - Unauthenticated Arbitrary File Deletion via Path Traversal
https://notcve.org/view.php?id=CVE-2026-1056
27 Jan 2026 — The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'generate_user_dirpath' function in all versions up to, and including, 12.0.3. • https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-13374 – Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action
https://notcve.org/view.php?id=CVE-2025-13374
23 Jan 2026 — The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. • https://github.com/d0n601/CVE-2025-13374 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-24531 – WordPress Prowess theme <= 2.3 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2026-24531
23 Jan 2026 — The Prowess theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.3. • https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-15521 – Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-15521
20 Jan 2026 — The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. • https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-14533 – Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
https://notcve.org/view.php?id=CVE-2025-14533
19 Jan 2026 — The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. • https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-15403 – RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order
https://notcve.org/view.php?id=CVE-2025-15403
16 Jan 2026 — The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. • https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-23800 – WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23800
16 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in version 2.5.2. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •