
CVE-2025-1307 – Newscrunch <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1307
03 Mar 2025 — The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. ... WordPress Newscrunch theme version 1.8.4.1 suffers from a remote shell upload vulnerability. • https://packetstorm.news/files/id/190147 • CWE-862: Missing Authorization •

CVE-2025-0912 – GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-0912
03 Mar 2025 — The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. • https://github.com/impress-org/givewp/pull/7679/files • CWE-502: Deserialization of Untrusted Data •

CVE-2024-12824 – Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
https://notcve.org/view.php?id=CVE-2024-12824
28 Feb 2025 — The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. • https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241 • CWE-620: Unverified Password Change •

CVE-2025-1564 – SetSail Membership <= 1.0.3 - Authentication Bypass via Account Takeover
https://notcve.org/view.php?id=CVE-2025-1564
28 Feb 2025 — The SetSail Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. • https://themeforest.net/item/setsail-travel-agency-theme/22832625 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-1638 – Alloggio Membership <= 1.1 - Authentication Bypass via Social Login Account Takeover
https://notcve.org/view.php?id=CVE-2025-1638
28 Feb 2025 — The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. • https://themeforest.net/item/alloggio-hotel-booking-theme/26775539 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-1671 – Academist Membership <= 1.1.6 - Authentication Bypass via Account Takeover
https://notcve.org/view.php?id=CVE-2025-1671
28 Feb 2025 — The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. • https://themeforest.net/item/academist-a-modern-learning-management-system-and-education-theme/22376830 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2024-9193 – WHMpress <= 6.3-revision-0 - Unauthenticated Local File Inclusion to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2024-9193
27 Feb 2025 — The WHMpress - WHMCS WordPress Integration Plugin plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. ... This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://whmpress.com/docs/change-log • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2024-8425 – WooCommerce Ultimate Gift Card <= 2.6.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8425
27 Feb 2025 — The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. • https://codecanyon.net/item/woocommerce-ultimate-gift-card/19191057 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-8420 – DHVC Form <= 2.4.7 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-8420
27 Feb 2025 — The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. • https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593 • CWE-266: Incorrect Privilege Assignment •

CVE-2025-1570 – Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP
https://notcve.org/view.php?id=CVE-2025-1570
27 Feb 2025 — The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. • https://plugins.trac.wordpress.org/changeset/3246340/directorist • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •