
CVE-2025-4606 – Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
https://notcve.org/view.php?id=CVE-2025-4606
08 Jul 2025 — The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. • https://themeforest.net/item/sala-startup-saas-wordpress-theme/33843955? • CWE-620: Unverified Password Change •

CVE-2025-49867 – WordPress RealHomes <= 4.4.0 - Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-49867
04 Jul 2025 — Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes allows Privilege Escalation. This issue affects RealHomes: from n/a through 4.4.0. • https://patchstack.com/database/wordpress/theme/realhomes/vulnerability/wordpress-realhomes-4-4-0-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment •

CVE-2025-23970 – WordPress Service Finder Booking <= 6.0 - Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-23970
04 Jul 2025 — The Service Finder Bookings plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0. • https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment •

CVE-2025-49302 – WordPress Easy Stripe <= 1.1 - Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-49302
03 Jul 2025 — The Easy Stripe – Tips, Payments, and Donations plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1. • https://patchstack.com/database/wordpress/plugin/easy-stripe/vulnerability/wordpress-easy-stripe-1-1-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6463 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
https://notcve.org/view.php?id=CVE-2025-6463
01 Jul 2025 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. • https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249 • CWE-73: External Control of File Name or Path •

CVE-2025-6459 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Cross-Site Request Forgery to PHP Code Injection in bsaCreateAdTemplate
https://notcve.org/view.php?id=CVE-2025-6459
01 Jul 2025 — The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.89. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-4689 – Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.89 - Unauthenticated Local File Inclusion to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-4689
01 Jul 2025 — The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to Local File Inclusion which leads to Remote Code Execution in all versions up to, and including, 4.89. • https://codecanyon.net/item/ads-pro-plugin-multipurpose-wordpress-advertising-manager/10275010 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-5746 – Drag and Drop Multiple File Upload (Pro) - WooCommerce <= 1.7.1 and 5.0 - 5.0.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5746
01 Jul 2025 — The Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the dnd_upload_cf7_upload_chunks() function in version 5.0 - 5.0.5 (when bundled with the PrintSpace theme) and all versions up to, and including, 1.7.1 (in the standalone version). • https://www.codedropz.com/woocommerce-drag-drop-multiple-file-upload • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-28983 – WordPress Click & Pledge Connect plugin <= 25.04010101-WP6.8 - Privilege Escalation via SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-28983
01 Jul 2025 — The Click & Pledge Connect plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 25.04010101-WP6.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://patchstack.com/database/wordpress/plugin/click-pledge-connect/vulnerability/wordpress-click-pledge-connect-plugin-25-04010101-wp6-8-privilege-escalation-via-sql-injection-vulnerability? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2025-49417 – WordPress WooCommerce Product Multi-Action <= 1.3 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-49417
01 Jul 2025 — The WooCommerce Product Multi-Action plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/woo-product-multiaction/vulnerability/wordpress-woocommerce-product-multi-action-1-3-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •