
CVE-2025-3055 – WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3055
04 Jun 2025 — The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://headwayapp.co/wp-user-frontend-changelog • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-3054 – WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3054
04 Jun 2025 — The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://headwayapp.co/wp-user-frontend-changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-2939 – Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-2939
02 Jun 2025 — The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter. • https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-32291 – SUMO Affiliates Pro <= 10.7.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-32291
30 May 2025 — The SUMO Affiliates Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 10.7.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-48267 – WP Pipes <= 1.4.2 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-48267
30 May 2025 — The WP Pipes plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the delete_template() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-4800 – MasterStudy LMS Pro <= 4.7.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4800
27 May 2025 — The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://stylemixthemes.com/wordpress-lms-plugin • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-5058 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image()
https://notcve.org/view.php?id=CVE-2025-5058
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/d0n601/CVE-2025-5058 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4603 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4603
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://github.com/d0n601/CVE-2025-4603 • CWE-73: External Control of File Name or Path •

CVE-2025-4336 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file()
https://notcve.org/view.php?id=CVE-2025-4336
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/d0n601/CVE-2025-4336 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-48140 – MetalpriceAPI <= 1.1.4 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-48140
22 May 2025 — The MetalpriceAPI plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1.4. • CWE-94: Improper Control of Generation of Code ('Code Injection') •