
CVE-2025-8570 – BeyondCart Connector <= 2.1.0 - Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter
https://notcve.org/view.php?id=CVE-2025-8570
10 Sep 2025 — The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 2.1.0. ... The BeyondCart Connector plugin for WordPress, in versions 1.4.2 through 2.1.0, is vulnerable to privilege escalation due to improper JWT secret management and faulty authorization mechanisms within the determine_current_user filter. • https://wordpress.org/plugins/beyondcart/#developers • CWE-798: Use of Hard-coded Credentials •

CVE-2025-58997 – WordPress Mow Theme <= 4.10 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58997
09 Sep 2025 — The Mow plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.10. • https://patchstack.com/database/wordpress/theme/mow/vulnerability/wordpress-mow-theme-4-10-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-58833 – WordPress Invelity MyGLS connect Plugin <= 1.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58833
05 Sep 2025 — The Invelity MyGLS connect plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.1. • https://patchstack.com/database/wordpress/plugin/invelity-mygls-connect/vulnerability/wordpress-invelity-mygls-connect-plugin-1-1-1-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-8359 – AdForest <= 6.0.9 - Authentication Bypass to Admin
https://notcve.org/view.php?id=CVE-2025-8359
05 Sep 2025 — The AdForest theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 6.0.9. • https://themeforest.net/item/adforest-classified-wordpress-theme/19481695 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-49401 – WordPress Quiz And Survey Master Plugin <= 10.2.5 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49401
03 Sep 2025 — The Quiz And Survey Master plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 10.2.5 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-2-5-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-54725 – WordPress Golo Theme <= 1.7.0 - Broken Authentication Vulnerability
https://notcve.org/view.php?id=CVE-2025-54725
28 Aug 2025 — Authentication Bypass Using an Alternate Path or Channel vulnerability in uxper Golo allows Authentication Abuse. This issue affects Golo: from n/a through 1.7.0. • https://patchstack.com/database/wordpress/theme/golo/vulnerability/wordpress-golo-theme-1-7-0-broken-authentication-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-7955 – RingCentral Communications 1.5 - 1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function
https://notcve.org/view.php?id=CVE-2025-7955
27 Aug 2025 — The RingCentral Communications plugin for WordPress is vulnerable to Authentication Bypass due to improper validation within the ringcentral_admin_login_2fa_verify() function in versions 1.5 to 1.6.8. ... WordPress RingCentral Communications plugin versions 1.5 through 1.6.8 have a missing server-side verification that allows for authentication bypass. • https://wordpress.org/plugins/rccp-free/#developers • CWE-287: Improper Authentication •

CVE-2025-7812 – Video Share VOD – Turnkey Video Site Builder Script <= 2.7.6 - Cross-Site Request Forgery to Command Injection
https://notcve.org/view.php?id=CVE-2025-7812
27 Aug 2025 — The Video Share VOD – Turnkey Video Site Builder Script plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.6. • https://www.wordfence.com/threat-intel/vulnerabilities/id/b9e499c4-e683-4587-b0ab-7f4ecde94e41?source=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-49387 – WordPress Drag and Drop File Upload for Elementor Forms Plugin <= 1.5.3 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49387
26 Aug 2025 — The Drag and Drop File Upload for Elementor Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.5.3. • https://patchstack.com/database/wordpress/plugin/drag-and-drop-file-upload-for-elementor-forms/vulnerability/wordpress-drag-and-drop-file-upload-for-elementor-forms-plugin-1-5-3-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-5821 – Case Theme User <= 1.0.3 - Authentication Bypass via Social Login
https://notcve.org/view.php?id=CVE-2025-5821
22 Aug 2025 — The Case Theme User plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.3. • https://themeforest.net/item/consultio-consulting-business-wordpress/25376496 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •