CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 1 • CVE-2026-23550 – WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23550
14 Jan 2026 — Incorrect Privilege Assignment vulnerability in Modular DS allows Privilege Escalation. This issue affects Modular DS: from n/a through 2.5.1. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14502 – News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-14502
13 Jan 2026 — The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. • https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14301 – Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal
https://notcve.org/view.php?id=CVE-2025-14301
13 Jan 2026 — The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. • https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14736 – Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
https://notcve.org/view.php?id=CVE-2025-14736
08 Jan 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. • https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php • CWE-269: Improper Privilege Management •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67910 – WordPress Contentstudio plugin <= 1.3.7 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-67910
08 Jan 2026 — Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server. This issue affects Contentstudio: from n/a through <= 1.3.7. • https://vdp.patchstack.com/database/Wordpress/Plugin/contentstudio/vulnerability/wordpress-contentstudio-plugin-1-3-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-23504 – WordPress Felan Framework plugin <= 1.1.3 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-23504
08 Jan 2026 — Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse. This issue affects Felan Framework: from n/a through <= 1.1.3. • https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14360 – WordPress Blockons plugin <= 1.2.15 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-14360
08 Jan 2026 — The Blockons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.15. • https://vdp.patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-broken-access-control-vulnerability? • CWE-862: Missing Authorization •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-22713 – WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-22713
08 Jan 2026 — The WooCommerce Orders & Customers Exporter plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-orders-ei/vulnerability/wordpress-woocommerce-orders-customers-exporter-plugin-5-4-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-22728 – WordPress Workreap (theme's plugin) plugin <= 3.3.6 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-22728
08 Jan 2026 — The Workreap (theme's plugin) plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 3.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://vdp.patchstack.com/database/Wordpress/Plugin/workreap/vulnerability/wordpress-workreap-theme-s-plugin-plugin-3-3-6-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-23993 – WordPress Felan Framework plugin <= 1.1.3 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-23993
08 Jan 2026 — The Felan Framework plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
