
CVE-2025-9890 – Theme Editor <= 3.0 - Cross-Site Request Forgery to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-9890
17 Oct 2025 — The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. • https://plugins.trac.wordpress.org/browser/theme-editor/trunk/app/controller/theme_controller.php#L87 • CWE-352: Cross-Site Request Forgery (CSRF) •
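The entry above is the classic CSRF-to-RCE shape: a handler that writes theme files and takes the request on faith. The following is an added example, not the Theme Editor plugin's own code, of a WordPress admin-ajax save handler first without and then with the nonce and capability checks; the function_exists() block defines stand-ins for core functions (wp_verify_nonce, current_user_can, get_stylesheet_directory, wp_die) so the file runs outside WordPress, and the action name `theme_editor_save` and the demo nonce format are assumptions.

```php
<?php
// Added example, not the Theme Editor plugin's code: a WordPress admin-ajax
// handler that saves a theme file, first in the shape that lets a forged
// cross-site request turn into code execution (CWE-352 -> RCE), then with
// the checks WordPress provides. The function_exists() block defines
// stand-ins for core functions so the file runs outside WordPress
// (assumption: real sites get these from core).

if (!function_exists('wp_verify_nonce')) {
    function wp_verify_nonce($nonce, $action = -1) { return $nonce === 'demo-nonce:' . $action ? 1 : false; }
    function current_user_can($cap) { return $cap === 'edit_themes' && !empty($GLOBALS['demo_admin_session']); }
    function get_stylesheet_directory() { return sys_get_temp_dir() . '/theme_editor_demo'; }
    function wp_die($message = '', $title = '', $args = []) { throw new RuntimeException((string)$message); }
}

// Vulnerable shape: anything that can make the admin's browser send this
// request (a hidden form on an attacker page, for instance) writes PHP into
// the active theme. No nonce, no capability check.
function vulnerable_theme_save(array $req): string {
    $path = get_stylesheet_directory() . '/' . basename($req['file']);
    file_put_contents($path, $req['content']);
    return $path;
}

// Hardened shape.
function hardened_theme_save(array $req): string {
    // 1. Nonce bound to this action and to the logged-in user: a cross-site
    //    page cannot read it, so the forged request fails here.
    if (!wp_verify_nonce($req['_wpnonce'] ?? '', 'theme_editor_save')) {
        wp_die('Invalid nonce', '', ['response' => 403]);
    }
    // 2. Authorization is separate from CSRF: require the capability core
    //    uses for its own theme editor, and honour DISALLOW_FILE_EDIT.
    if ((defined('DISALLOW_FILE_EDIT') && DISALLOW_FILE_EDIT) || !current_user_can('edit_themes')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 3. Keep the write inside the theme directory (basename() strips any
    //    directory component; fuller path containment is a separate topic).
    $path = get_stylesheet_directory() . '/' . basename($req['file']);
    file_put_contents($path, $req['content']);
    return $path;
}

// Demonstration outside WordPress with a forged request carrying no nonce.
@mkdir(get_stylesheet_directory(), 0700, true);
$forged = ['file' => 'functions.php', 'content' => "<?php /* attacker-controlled */"];
printf("vulnerable: wrote %s\n", vulnerable_theme_save($forged));
try {
    hardened_theme_save($forged);
} catch (RuntimeException $e) {
    printf("hardened: rejected (%s)\n", $e->getMessage());
}
// The legitimate path: admin session plus a nonce issued for this action.
$GLOBALS['demo_admin_session'] = true;
$legit = $forged + ['_wpnonce' => 'demo-nonce:theme_editor_save'];
printf("hardened: wrote %s\n", hardened_theme_save($legit));
```

Inside WordPress the nonce is minted with wp_create_nonce('theme_editor_save') on the page that renders the editor, and check_ajax_referer() can replace the manual wp_verify_nonce() call. The capability check matters on its own: a nonce only proves the request came from the site's own page, not that the user is allowed to edit theme code.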

CVE-2025-11391 – PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-11391
17 Oct 2025 — The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. • https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/inc/hooks.php#L45 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-10850 – Felan Framework <= 1.1.4 - Hardcoded Credentials
https://notcve.org/view.php?id=CVE-2025-10850
15 Oct 2025 — The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. • https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955 • CWE-798: Use of Hard-coded Credentials •

CVE-2025-10742 – Truelysell Core <= 1.8.6 - Unauthenticated Arbitrary User Password Change
https://notcve.org/view.php?id=CVE-2025-10742
15 Oct 2025 — The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. • https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124 • CWE-639: Authorization Bypass Through User-Controlled Key •
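CWE-639 in a password-change endpoint means the request names the account and the server obeys. The following is an added example, not Truelysell Core's code: the vulnerable shape beside one that authorizes the change with a server-issued, expiring, single-use token delivered out of band. The `$users` and `$reset_tokens` arrays and the wp_set_password() shim stand in for the WordPress user table and core function so the file runs stand-alone; all function names are illustrative.

```php
<?php
// Added example, not Truelysell Core's code: a password-change endpoint that
// selects the victim by a client-supplied user id (CWE-639) beside one that
// binds the change to a server-issued, expiring, single-use token delivered
// out of band. The arrays and the wp_set_password() shim stand in for the
// WordPress user table and core function so this runs stand-alone.

$users = [7 => ['email' => 'victim@example.test', 'pass_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$reset_tokens = [];  // user_id => ['hash' => sha256(token), 'expires' => unix time]

if (!function_exists('wp_set_password')) {
    function wp_set_password($password, $user_id) {
        $GLOBALS['users'][$user_id]['pass_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
}

// Vulnerable shape: unauthenticated, and the only "key" is the id the caller chose.
function vulnerable_change_password(array $req): bool {
    $uid = (int)($req['user_id'] ?? 0);
    if (!isset($GLOBALS['users'][$uid])) return false;
    wp_set_password((string)$req['new_password'], $uid);
    return true;
}

// Hardened flow, step 1: mint a token for the user, keep only its hash, and
// send the token to the account's verified contact (not returned by the API).
function issue_reset_token(int $user_id, int $ttl_seconds = 900): string {
    $token = bin2hex(random_bytes(32));
    $GLOBALS['reset_tokens'][$user_id] = [
        'hash'    => hash('sha256', $token),
        'expires' => time() + $ttl_seconds,
    ];
    return $token;
}

// Step 2: the change is authorized by possession of a live token for that user.
function hardened_change_password(array $req): bool {
    $uid = (int)($req['user_id'] ?? 0);
    $rec = $GLOBALS['reset_tokens'][$uid] ?? null;
    if ($rec === null || time() > $rec['expires']) return false;
    // Constant-time comparison of hashes, so timing does not leak prefix matches.
    if (!hash_equals($rec['hash'], hash('sha256', (string)($req['token'] ?? '')))) return false;
    // Burn the token before doing anything else: one token, one change attempt.
    unset($GLOBALS['reset_tokens'][$uid]);
    $new = (string)($req['new_password'] ?? '');
    if (strlen($new) < 12) return false;   // policy failure costs the token; user re-requests
    wp_set_password($new, $uid);
    return true;
}

// Demonstration.
$show = fn(string $label, bool $ok) => printf("%-34s %s\n", $label, $ok ? 'changed' : 'refused');
$show('vulnerable, attacker picks id 7:', vulnerable_change_password(['user_id' => 7, 'new_password' => 'pwned']));
$show('hardened, guessed token:',         hardened_change_password(['user_id' => 7, 'token' => 'guess', 'new_password' => 'pwned-again-pwned']));
$token = issue_reset_token(7);
$show('hardened, real token:',            hardened_change_password(['user_id' => 7, 'token' => $token, 'new_password' => 'correct horse battery']));
$show('hardened, replayed token:',        hardened_change_password(['user_id' => 7, 'token' => $token, 'new_password' => 'replay attempt here']));
```

WordPress core already implements this flow for its own reset link through get_password_reset_key() and check_password_reset_key(); a plugin that adds its own password-change endpoint should call those rather than trust a user id from the request. For a logged-in user changing their own password, the equivalent binding is the session plus verification of the current password.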

CVE-2025-9967 – Orion SMS OTP Verification <= 1.1.7 - Authentication Bypass via Account Takeover
https://notcve.org/view.php?id=CVE-2025-9967
14 Oct 2025 — The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. • https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-10041 – Flex QR Code Generator <= 1.2.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-10041
14 Oct 2025 — The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function in all versions up to, and including, 1.2.5. • https://wordpress.org/plugins/flex-qr-code-generator • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-10294 – OwnID Passwordless Login <= 1.3.4 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-10294
14 Oct 2025 — The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. • https://wordpress.org/plugins/ownid-passwordless-login • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-6439 – WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-6439
10 Oct 2025 — The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. • https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
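"Insufficient file path validation" before an unlink() is the CWE-22 pattern behind the entry above. The following is an added example, not WooCommerce Designer Pro's code: a hypothetical "delete the previous design file" step that concatenates the client-supplied name, beside a version that pins the deletion to one directory and one file-name shape and rejects traversal and symlinks. The directory layout under the system temp dir is constructed for the demo; `wcdp_demo_`, the file names and the functions are illustrative.

```php
<?php
// Added example, not WooCommerce Designer Pro's code: an AJAX "save design"
// step that removes a previous file named by the client (CWE-22) beside a
// version that pins the deletion to a known directory and file pattern.
// Directory layout under the system temp dir is constructed for the demo.

$root    = sys_get_temp_dir() . '/wcdp_demo_' . getmypid();
$designs = $root . '/uploads/designs';
@mkdir($designs, 0700, true);
file_put_contents($designs . '/design-42.json', '{}');
file_put_contents($root . '/wp-config.php', '<?php // site secrets');

// Vulnerable shape: concatenates user input into the path and deletes it.
function vulnerable_delete_old_design(string $designs_dir, string $old_file): bool {
    $path = $designs_dir . '/' . $old_file;
    return file_exists($path) && unlink($path);
}

// Hardened shape.
function hardened_delete_old_design(string $designs_dir, string $old_file): bool {
    // 1. Shape check first: a design file is a flat name with a known extension.
    if (!preg_match('/^design-[0-9]+\.(json|png)$/', $old_file)) {
        return false;
    }
    // 2. Resolve both sides and require the file to live directly in the directory.
    //    realpath() follows symlinks, so a link pointing outside fails here too.
    $base = realpath($designs_dir);
    $path = realpath($designs_dir . '/' . $old_file);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return false;
    }
    // 3. Also refuse links that point at another file inside the directory.
    if (is_link($designs_dir . '/' . $old_file)) {
        return false;
    }
    return unlink($path);
}

$traversal = '../../wp-config.php';
printf("vulnerable, traversal: %s\n", vulnerable_delete_old_design($designs, $traversal) ? 'deleted' : 'kept');
file_put_contents($root . '/wp-config.php', '<?php // site secrets');   // restore for the next run
printf("hardened, traversal:   %s\n", hardened_delete_old_design($designs, $traversal) ? 'deleted' : 'kept');
symlink($root . '/wp-config.php', $designs . '/design-43.json');
printf("hardened, symlink:     %s\n", hardened_delete_old_design($designs, 'design-43.json') ? 'deleted' : 'kept');
printf("hardened, legit:       %s\n", hardened_delete_old_design($designs, 'design-42.json') ? 'deleted' : 'kept');

// Cleanup of the constructed layout.
foreach ([$designs . '/design-43.json', $root . '/wp-config.php'] as $f) { @unlink($f); }
@rmdir($designs); @rmdir($root . '/uploads'); @rmdir($root);
```

The order matters: the regex rejects anything that is not a plain file name before the filesystem is touched, and the realpath() comparison catches what a regex cannot, such as a symlink planted by an earlier upload. Deleting wp-config.php is the high-impact case on WordPress because the site then falls back into the installer flow, which is why unauthenticated arbitrary deletion is rated as severely as upload.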

CVE-2025-11533 – WP Freeio <= 1.2.21 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-11533
10 Oct 2025 — The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. • https://themeforest.net/item/freeio-freelance-marketplace-wordpress-theme/42045416 • CWE-269: Improper Privilege Management •

CVE-2025-6553 – Ovatheme Events Manager <= 1.8.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-6553
10 Oct 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. • https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579 • CWE-434: Unrestricted Upload of File with Dangerous Type •
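Three entries on this page (PPOM, Flex QR Code Generator, Ovatheme Events Manager) share the same root cause: an upload path that never checks what the file is. The following is an added, generic example and not code from any of those plugins: the validation an upload handler needs before it writes to a web-reachable directory, run over constructed inputs (a real 1x1 PNG, a PHP file under several disguises). The ALLOWED table, `validate_upload()` and the sample names are illustrative.

```php
<?php
// Added example (generic, not code from PPOM, Flex QR Code Generator or
// Ovatheme Events Manager): the file-type checks an upload path needs before
// writing to a web-reachable directory (CWE-434). Inputs are constructed
// byte strings; names and functions are illustrative.

const ALLOWED = [
    // extension => MIME type the bytes must actually carry
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Returns a server-chosen file name to store under, or null to reject.
function validate_upload(string $client_name, string $bytes): ?string {
    // 1. Extension from the client name: lowercase, last one only, on the
    //    allowlist. "shell.php.png" still ends in png, so the name alone is
    //    never trusted; the content checks below do the real work.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) return null;

    // 2. Content sniffing: the magic bytes must match the claimed type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->buffer($bytes);
    if ($mime !== ALLOWED[$ext]) return null;

    // 3. For images, the file must also parse as one; this rejects many
    //    hand-crafted headers that satisfy libmagic alone.
    $info = @getimagesizefromstring($bytes);
    if ($info === false) return null;

    // 4. Polyglot guard: PHP tags anywhere in the payload mean reject, since a
    //    misconfigured server may still run "image" files through PHP.
    if (stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false) return null;

    // 5. Never reuse the client name: random name, allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a valid 1x1 PNG and a PHP payload under several names.
$png_1x1 = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$payload = "<?php system(\$_GET['c']); ?>";
$cases = [
    'photo.png'     => $png_1x1,             // legitimate image
    'shell.php'     => $payload,             // extension not allowed
    'shell.php.png' => $payload,             // double extension, bytes are PHP not PNG
    'polyglot.png'  => $png_1x1 . $payload,  // valid image with a PHP tail
    'spoofed.PNG'   => 'GIF89a' . $payload,  // GIF header under a png name
];
foreach ($cases as $name => $bytes) {
    $stored = validate_upload($name, $bytes);
    printf("%-14s -> %s\n", $name, $stored === null ? 'rejected' : 'stored as ' . $stored);
}
```

Inside WordPress, wp_check_filetype_and_ext() and wp_handle_upload() already perform the extension and content checks and apply the site's allowed-MIME list, so a plugin's custom cropper or checkout uploader should route through them instead of calling move_uploaded_file() on its own. Storing under a server-chosen name in a directory where PHP execution is disabled is the defence in depth for the case where a check is bypassed.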