CVSS: - | EPSS: % | CPEs: 1 | EXPL: 1
CVE-2025-13307 – Ocean Modal Window < 2.3.3 - Editor+ Remote Code Execution via Modal Conditions
https://notcve.org/view.php?id=CVE-2025-13307
19 Dec 2025 — The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. ... This leads to remote code execution. • https://wpscan.com/vulnerability/710de342-6fb9-47bd-a40b-7b74fc3c181b
CVSS: 9.4 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-66078 – WordPress Hotel Booking Lite plugin <= 5.2.3 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-66078
18 Dec 2025 — Improper Control of Generation of Code ('Code Injection') vulnerability in jetmonsters Hotel Booking Lite motopress-hotel-booking-lite allows Remote Code Inclusion. This issue affects Hotel Booking Lite: from n/a through <= 5.2.3. • https://vdp.patchstack.com/database/Wordpress/Plugin/motopress-hotel-booking-lite/vulnerability/wordpress-hotel-booking-lite-plugin-5-2-3-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13641 – Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'
https://notcve.org/view.php?id=CVE-2025-13641
17 Dec 2025 — The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. ... Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities. • https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13094 – WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-13094
12 Dec 2025 — The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wordpress.org/plugins/wp3d-model-import-block • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-14476 – Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import
https://notcve.org/view.php?id=CVE-2025-14476
12 Dec 2025 — The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. ... The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets. • https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040 • CWE-502: Deserialization of Untrusted Data
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-12968 – Infility Global <= 2.14.23 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-12968
11 Dec 2025 — The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. ... This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wordpress.org/plugins/infility-global • CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13320 – WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter
https://notcve.org/view.php?id=CVE-2025-13320
11 Dec 2025 — The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. ... This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible. • https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70 • CWE-73: External Control of File Name or Path
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-14166 – WPMasterToolKit (WPMTK) <= 2.13.0 - Authenticated (Contributor+) Code Injection
https://notcve.org/view.php?id=CVE-2025-14166
11 Dec 2025 — The WPMasterToolKit plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.13.0. ... This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server, leading to remote code execution, privilege escalation, and complete site compromise. • https://plugins.trac.wordpress.org/browser/wpmastertoolkit/tags/2.13.0/admin/modules/core/class-code-snippets.php#L135 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-12824 – Player Leaderboard 1.0.0 - 1.0.2 - Authenticated (Contributor+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-12824
11 Dec 2025 — The Player Leaderboard plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.0.2 via the 'player_leaderboard' shortcode. ... This can be used to bypass access controls, obtain sensitive data, or achieve full remote code execution if combined with file upload capabilities. • https://plugins.trac.wordpress.org/browser/player-leaderboard/trunk/public/class-player-leaderboard-public.php#L1419 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-14390 – Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-14390
09 Dec 2025 — The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. ... This makes it possible for unauthenticated attackers to upload arbitrary files that make remote code execution possible via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. • https://wordpress.org/plugins/video-merchant • CWE-434: Unrestricted Upload of File with Dangerous Type
