CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-13374 – Kalrav AI Agent <= 2.3.3 - Unauthenticated Arbitrary File Upload via kalrav_upload_file AJAX Action
https://notcve.org/view.php?id=CVE-2025-13374
23 Jan 2026 — The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. • https://github.com/d0n601/CVE-2025-13374 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-24531 – WordPress Prowess theme <= 2.3 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2026-24531
23 Jan 2026 — The Prowess theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.3. • https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-15521 – Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-15521
20 Jan 2026 — The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. • https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-14533 – Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
https://notcve.org/view.php?id=CVE-2025-14533
19 Jan 2026 — The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. • https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-15403 – RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order
https://notcve.org/view.php?id=CVE-2025-15403
16 Jan 2026 — The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. • https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-10484 – Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-10484
16 Jan 2026 — The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. • https://woocommerce.com/products/registration-login-with-mobile-phone-number • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2026-23800 – WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23800
16 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in version 2.5.2. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-69101 – WordPress Workreap Core plugin <= 3.4.0 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-69101
15 Jan 2026 — The Workreap Core plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.4.0. • https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0EPSS: 6%CPEs: 1EXPL: 1CVE-2026-23550 – WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23550
14 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.5.1. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-14502 – News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-14502
13 Jan 2026 — The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. • https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •