
CVE-2025-7340 – HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. <= 2.2.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-7340
14 Jul 2025 — The HT Contact Form Widget For Elementor Page Builder & Gutenberg Blocks & Form Builder. plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. ... The WordPress HT Contact Form Widget plugin is vulnerable to arbitrary file uploads due to missing file type validation in the temp_file_upload function in all versions up to, and including, 2.2.1. • https://packetstorm.news/files/id/206540 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-5394 – Alone – Charity Multipurpose Non-profit WordPress Theme <= 7.8.3 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
https://notcve.org/view.php?id=CVE-2025-5394
14 Jul 2025 — The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. • https://themeforest.net/item/alone-charity-multipurpose-nonprofit-wordpress-theme/15019939 • CWE-862: Missing Authorization

CVE-2025-6058 – WPBookit <= 1.0.4 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-6058
11 Jul 2025 — The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_booking_type' route in all versions up to, and including, 1.0.4. ... WordPress WPBookit plugin versions 1.0.4 and below suffer from an arbitrary file upload vulnerability. • https://packetstorm.news/files/id/206492 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-5392 – GB Forms DB <= 1.0.2 - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-5392
10 Jul 2025 — The GB Forms DB plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.0.2 via the gbfdb_talk_to_front() function. • https://www.wordfence.com/threat-intel/vulnerabilities/id/fe8723a7-bbb1-41a0-b222-3cf4eb44cd64?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-7401 – Premium Age Verification / Restriction for WordPress <= 3.0.2 - Unauthenticated Arbitrary File Read and Write via remote_tunnel.php
https://notcve.org/view.php?id=CVE-2025-7401
10 Jul 2025 — The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2. • https://codecanyon.net/item/premium-age-verification-restriction-for-wordpress/11300327 • CWE-798: Use of Hard-coded Credentials

CVE-2025-34083 – WordPress AIT CSV Import/Export Plugin ≤ 3.0.3 Unauthenticated RCE
https://notcve.org/view.php?id=CVE-2025-34083
09 Jul 2025 — An unrestricted file upload vulnerability exists in the WordPress AIT CSV Import/Export plugin ≤ 3.0.3. • https://vulncheck.com/advisories/wordpress-ait-csv-import-export-plugin-rce • CWE-20: Improper Input Validation • CWE-306: Missing Authentication for Critical Function • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-34077 – WordPress Pie Register Plugin ≤ 3.7.1.4 Authentication Bypass RCE
https://notcve.org/view.php?id=CVE-2025-34077
09 Jul 2025 — An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. • https://vulncheck.com/advisories/wordpress-pie-register-plugin-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-306: Missing Authentication for Critical Function • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-34085 – WordPress Simple File List Plugin < 4.2.3 Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-34085
09 Jul 2025 — An unrestricted file upload vulnerability in the WordPress Simple File List plugin prior to version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. • https://vulncheck.com/advisories/wordpress-simple-file-list-plugin-rce • CWE-306: Missing Authentication for Critical Function • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-4828 – Support Board <= 3.8.0 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4828
08 Jul 2025 — The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. • https://codecanyon.net/item/support-board-help-desk-and-chat/20359943 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-4855 – Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key
https://notcve.org/view.php?id=CVE-2025-4855
08 Jul 2025 — The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. • https://codecanyon.net/item/support-board-help-desk-and-chat/20359943 • CWE-639: Authorization Bypass Through User-Controlled Key