CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

05 Jun 2025 — The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. • https://www.wordfence.com/threat-intel/vulnerabilities/id/d3af64a2-3bd6-47af-919e-00c5249dcc74?source=cve • CWE-862: Missing Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

04 Jun 2025 — The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://plugins.trac.wordpress.org/browser/hypercomments/trunk/hypercomments.php • CWE-862: Missing Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Jun 2025 — The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. • https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810 • CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 May 2025 — The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. • https://wordpress.org/plugins/psw-login-and-registration/#developers • CWE-330: Use of Insufficiently Random Values

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 May 2025 — The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. • https://wordpress.org/plugins/profitori/#developers • CWE-285: Improper Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 May 2025 — The Course Builder - Online Course WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to 3.6.6 (exclusive) via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/course-builder/vulnerability/wordpress-course-builder-3-6-6-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. • https://github.com/d0n601/CVE-2025-5058 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 May 2025 — The Simple Business Directory Pro plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 15.4.8. • https://patchstack.com/database/wordpress/plugin/simple-business-directory-pro/vulnerability/wordpress-simple-business-directory-pro-15-4-8-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 May 2025 — The Acerola theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.5 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/acerola/vulnerability/wordpress-acerola-1-6-5-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 May 2025 — The Car Dealer theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.6.6 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/cardealer/vulnerability/wordpress-car-dealer-1-6-6-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data