CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8425 – WooCommerce Ultimate Gift Card <= 2.6.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8425
27 Feb 2025 — The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwb_wgm_preview_mail' and 'mwb_wgm_woocommerce_add_cart_item_data' functions in all versions up to, and including, 2.6.0. • https://codecanyon.net/item/woocommerce-ultimate-gift-card/19191057 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1687 – Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile
https://notcve.org/view.php?id=CVE-2025-1687
27 Feb 2025 — The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. • https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8420 – DHVC Form <= 2.4.7 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-8420
27 Feb 2025 — The DHVC Form plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.7. • https://codecanyon.net/item/dhvc-form-wordpress-form-for-visual-composer/8326593 • CWE-266: Incorrect Privilege Assignment •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-1570 – Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings <= 8.1 - Privilege Escalation and Account Takeover via Weak OTP
https://notcve.org/view.php?id=CVE-2025-1570
27 Feb 2025 — The Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 8.1. • https://plugins.trac.wordpress.org/changeset/3246340/directorist • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27276 – WordPress Photo Gallery ( Responsive ) plugin <= 4.0 - CSRF to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-27276
24 Feb 2025 — The Photo Gallery ( Responsive ) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0. • https://patchstack.com/database/wordpress/plugin/photo-gallery-pearlbells/vulnerability/wordpress-photo-gallery-responsive-plugin-4-0-csrf-to-privilege-escalation-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26936 – WordPress Fresh Framework plugin <= 1.70.0 - Unauthenticated Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-26936
24 Feb 2025 — The Fresh Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.70.0. • https://patchstack.com/database/wordpress/plugin/fresh-framework/vulnerability/wordpress-fresh-framework-plugin-1-70-0-unauthenticated-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26966 – WordPress PrivateContent plugin <= 8.11.5 - Unauthenticated Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-26966
24 Feb 2025 — The Private Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 8.11.5. • https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-unauthenticated-account-takeover-vulnerability? • CWE-269: Improper Privilege Management CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26970 – WordPress Ark Theme Core plugin <= 1.70.0 - Unauthenticated Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-26970
24 Feb 2025 — The ark-core plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.70.0. • https://patchstack.com/database/wordpress/plugin/ark-core/vulnerability/wordpress-ark-theme-core-plugin-1-70-0-unauthenticated-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-26900 – WordPress Flexmls® IDX Plugin Plugin <= 3.14.27 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-26900
22 Feb 2025 — The Flexmls® IDX plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.14.27 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-plugin-3-14-27-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-27270 – WordPress Residential Address Detection Plugin <= 2.5.4 - Arbitrary Option Update to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-27270
21 Feb 2025 — The Residential Address Detection plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on a function in all versions up to, and including, 2.5.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://patchstack.com/database/wordpress/plugin/residential-address-detection/vulnerability/wordpress-residential-address-detection-plugin-2-5-4-arbitrary-option-update-to-privilege-escalation-vulnerability? • CWE-862: Missing Authorization •