CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2025-9286 – Appy Pie Connect for WooCommerce <= 1.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via reset_user_password
https://notcve.org/view.php?id=CVE-2025-9286
02 Oct 2025 — The Appy Pie Connect for WooCommerce plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within the reset_user_password() REST handler in all versions up to, and including, 1.1.2. ... WordPress Appy Pie Connect for WooCommerce plugin versions 1.1.2 and below are vulnerable to privilege escalation due to a missing authorization check within the reset_user_password() REST handler. • https://wordpress.org/plugins/appy-pie-connect-for-woocommerce • CWE-620: Unverified Password Change •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-7721 – JoomSport <= 5.7.3 - Unauthenticated Directory Traversal to Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-7721
02 Oct 2025 — The JoomSport – for Sports: Team & League, Football, Hockey & more plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.7.3 via the task parameter. • https://plugins.trac.wordpress.org/browser/joomsport-sports-league-results-management/trunk/sportleague/base/wordpress/classes/class-jsport-controller.php#L74 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2025-9209 – RestroPress – Online Food Ordering System 3.0.0 - 3.1.9.2 - Unauthenticated Information Exposure to Authentication Bypass via Forged JWT
https://notcve.org/view.php?id=CVE-2025-9209
02 Oct 2025 — The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.1.9.2. ... The RestroPress – Online Food Ordering System plugin for WordPress is vulnerable to Authentication Bypass in versions 3.0.0 to 3.2.1. ... WordPress RestroPress Online Food Ordering System plugin versions 3.0.0 through 3.1.9.2 suffer from an unauthenticated information disclosure vulnerability that leads to authentication bypass. • https://wordpress.org/plugins/restropress • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-9213 – TextBuilder 1.0.0 - 1.1.1 - Cross-Site Request Forgery to Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-9213
02 Oct 2025 — The TextBuilder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 1.0.0 to 1.1.1. • https://plugins.trac.wordpress.org/changeset/3371346 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-6388 – Spirit Framework <= 1.2.14 - Authentication Bypass to Account Takeover and Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-6388
02 Oct 2025 — The Spirit Framework plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.2.14. • https://themespirit.com/talemy-changelog • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-7052 – LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function
https://notcve.org/view.php?id=CVE-2025-7052
29 Sep 2025 — The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. • https://wordpress.org/plugins/latepoint/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-9762 – Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments
https://notcve.org/view.php?id=CVE-2025-9762
29 Sep 2025 — The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. • https://plugins.trac.wordpress.org/browser/post-by-email/tags/1.0.4b/class-post-by-email.php#L702 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-8625 – Copypress Rest API 1.1 - 1.2 - Missing Configurable JWT Secret and File-Type Validation to Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-8625
29 Sep 2025 — The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. • https://wordpress.org/plugins/copypress-rest-api/#developers • CWE-321: Use of Hard-coded Cryptographic Key •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-60111 – WordPress Javo Core Plugin <= 3.0.0.266 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-60111
26 Sep 2025 — The Javo Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.0.0.266. • https://patchstack.com/database/wordpress/plugin/javo-core/vulnerability/wordpress-javo-core-plugin-3-0-0-266-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-60156 – WordPress AR For WordPress Plugin <= 7.98 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-60156
26 Sep 2025 — Cross-Site Request Forgery (CSRF) vulnerability in webandprint AR For WordPress allows Upload a Web Shell to a Web Server. This issue affects AR For WordPress: from n/a through 7.98. The AR For WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 8.31. • https://patchstack.com/database/wordpress/plugin/ar-for-wordpress/vulnerability/wordpress-ar-for-wordpress-plugin-7-98-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
