CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13619 – Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-13619
19 Dec 2025 — The Flex Store Users plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.0. • https://themeforest.net/item/autosmart-automotive-car-dealer-wordpress-theme/20322930 • CWE-269: Improper Privilege Management •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13329 – File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data
https://notcve.org/view.php?id=CVE-2025-13329
19 Dec 2025 — The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. • https://wordpress.org/plugins/file-uploader-for-woocommerce • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-10738 – URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2025-10738
12 Dec 2025 — The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://wordpress.org/plugins/exact-links • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-14440 – JAY Login & Register <= 2.4.01 - Authentication Bypass via Cookie
https://notcve.org/view.php?id=CVE-2025-14440
12 Dec 2025 — The JAY Login & Register plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.01. • https://packetstorm.news/files/id/213138 • CWE-565: Reliance on Cookies without Validation and Integrity Checking •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-11693 – Export WP Page to Static HTML & PDF <= 4.3.4 - Unauthenticated Cookie Exposure via Log File
https://notcve.org/view.php?id=CVE-2025-11693
12 Dec 2025 — The Export WP Page to Static HTML & PDF plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.4 through publicly exposed cookies.txt files containing authentication cookies. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3388166%40export-wp-page-to-static-html&new=3388166%40export-wp-page-to-static-html&sfp_email=&sfph_mail= • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-12963 – LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart <= 1.2.29 - Missing Authorization to Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-12963
11 Dec 2025 — The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. • https://wordpress.org/plugins/lazytasks-project-task-management • CWE-862: Missing Authorization •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-14344 – Multi Uploader for Gravity Forms <= 1.1.7 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-14344
11 Dec 2025 — The Multi Uploader for Gravity Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'plupload_ajax_delete_file' function in all versions up to, and including, 1.1.7. • https://plugins.trac.wordpress.org/browser/gf-multi-uploader/tags/1.1.7/inc/GFMUHandlePluploader.class.php?marks=41-43#L41 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13613 – Elated Membership <= 1.2 - Authentication Bypass via Social Login
https://notcve.org/view.php?id=CVE-2025-13613
09 Dec 2025 — The Elated Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.2. • https://themeforest.net/item/esmarts-a-modern-education-and-lms-theme/20987760 • CWE-289: Authentication Bypass by Alternate Name •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-14390 – Video Merchant <= 5.0.4 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-14390
09 Dec 2025 — The Video Merchant plugin for WordPress is vulnerable to Cross-Site Request Forgery in version <= 5.0.4. • https://wordpress.org/plugins/video-merchant • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-12673 – Flex QR Code Generator <= 1.2.6 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-12673
05 Dec 2025 — The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.6. ... The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_qr_code() function in all versions up to, and including, 1.2.7. • https://github.com/d0n601/CVE-2025-12673 • CWE-434: Unrestricted Upload of File with Dangerous Type •
