CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-14736 – Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
https://notcve.org/view.php?id=CVE-2025-14736
08 Jan 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. • https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php • CWE-269: Improper Privilege Management
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-67928 – WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-67928
08 Jan 2026 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in themesuite Automotive Listings automotive allows Blind SQL Injection. This issue affects Automotive Listings: from n/a through <= 18.6. • https://vdp.patchstack.com/database/Wordpress/Plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-67924 – WordPress Corpkit theme <= 2.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-67924
08 Jan 2026 — Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Corpkit corpkit allows Upload a Web Shell to a Web Server. This issue affects Corpkit: from n/a through <= 2.0. • https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-67921 – WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-67921
08 Jan 2026 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VanKarWai Lobo lobo allows Blind SQL Injection. This issue affects Lobo: from n/a through < 2.8.6. • https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-67920 – WordPress Neo Ocular theme < 1.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-67920
08 Jan 2026 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes Neo Ocular neoocular allows PHP Local File Inclusion. This issue affects Neo Ocular: from n/a through < 1.2. • https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-67915 – WordPress Timetics plugin <= 1.0.46 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2025-67915
08 Jan 2026 — Authentication Bypass Using an Alternate Path or Channel vulnerability in Arraytics Timetics timetics allows Authentication Abuse. This issue affects Timetics: from n/a through <= 1.0.46. • https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-67913 – WordPress Aruba HiSpeed Cache plugin < 3.0.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-67913
08 Jan 2026 — Missing Authorization vulnerability in Aruba.it Dev Aruba HiSpeed Cache aruba-hispeed-cache allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Aruba HiSpeed Cache: from n/a through < 3.0.3. • https://vdp.patchstack.com/database/Wordpress/Plugin/aruba-hispeed-cache/vulnerability/wordpress-aruba-hispeed-cache-plugin-3-0-3-broken-access-control-vulnerability? • CWE-862: Missing Authorization
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-67911 – WordPress Newsletters plugin <= 4.11 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-67911
08 Jan 2026 — Deserialization of Untrusted Data vulnerability in Tribulant Software Newsletters newsletters-lite allows Object Injection. This issue affects Newsletters: from n/a through <= 4.11. • https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-11-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-67910 – WordPress Contentstudio plugin <= 1.3.7 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-67910
08 Jan 2026 — Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server. This issue affects Contentstudio: from n/a through <= 1.3.7. • https://vdp.patchstack.com/database/Wordpress/Plugin/contentstudio/vulnerability/wordpress-contentstudio-plugin-1-3-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0
CVE-2025-23993 – WordPress Felan Framework plugin <= 1.1.3 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-23993
08 Jan 2026 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RiceTheme Felan Framework felan-framework allows SQL Injection. This issue affects Felan Framework: from n/a through <= 1.1.3. • https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
