CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-15403 – RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order
https://notcve.org/view.php?id=CVE-2025-15403
16 Jan 2026 — The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. • https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 • CWE-269: Improper Privilege Management •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-10484 – Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-10484
16 Jan 2026 — The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. • https://woocommerce.com/products/registration-login-with-mobile-phone-number • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2026-23800 – WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23800
16 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in version 2.5.2. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 10.0 • EPSS: 3% • CPEs: 1 • EXPL: 1 • CVE-2026-23550 – WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23550
14 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.5.1. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment CWE-269: Improper Privilege Management •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14502 – News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-14502
13 Jan 2026 — The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. • https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14301 – Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal
https://notcve.org/view.php?id=CVE-2025-14301
13 Jan 2026 — The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. • https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14736 – Frontend Admin by DynamiApps <= 3.28.25 - Unauthenticated Privilege Escalation to Administrator via Role Form Field
https://notcve.org/view.php?id=CVE-2025-14736
08 Jan 2026 — The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.28.25. • https://plugins.trac.wordpress.org/changeset/3427243/acf-frontend-form-element/trunk/main/frontend/fields/user/class-role.php • CWE-269: Improper Privilege Management •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67910 – WordPress Contentstudio plugin <= 1.3.7 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-67910
08 Jan 2026 — Unrestricted Upload of File with Dangerous Type vulnerability in contentstudio Contentstudio contentstudio allows Upload a Web Shell to a Web Server. This issue affects Contentstudio: from n/a through <= 1.3.7. • https://vdp.patchstack.com/database/Wordpress/Plugin/contentstudio/vulnerability/wordpress-contentstudio-plugin-1-3-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 • EPSS: 0% • CPEs: - • EXPL: 0 • CVE-2025-23504 – WordPress Felan Framework plugin <= 1.1.3 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-23504
08 Jan 2026 — Authentication Bypass Using an Alternate Path or Channel vulnerability in RiceTheme Felan Framework felan-framework allows Authentication Abuse. This issue affects Felan Framework: from n/a through <= 1.1.3. • https://vdp.patchstack.com/database/Wordpress/Plugin/felan-framework/vulnerability/wordpress-felan-framework-plugin-1-1-3-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14360 – WordPress Blockons plugin <= 1.2.15 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-14360
08 Jan 2026 — The Blockons plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.15. • https://vdp.patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-broken-access-control-vulnerability? • CWE-862: Missing Authorization •
