
CVE-2025-34083 – WordPress AIT CSV Import/Export Plugin ≤ 3.0.3 Unauthenticated RCE
https://notcve.org/view.php?id=CVE-2025-34083
09 Jul 2025 — An unrestricted file upload vulnerability exists in the WordPress AIT CSV Import/Export plugin ≤ 3.0.3. • https://vulncheck.com/advisories/wordpress-ait-csv-import-export-plugin-rce • CWE-20: Improper Input Validation CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34077 – WordPress Pie Register Plugin ≤ 3.7.1.4 Authentication Bypass RCE
https://notcve.org/view.php?id=CVE-2025-34077
09 Jul 2025 — An authentication bypass vulnerability exists in the WordPress Pie Register plugin ≤ 3.7.1.4 that allows unauthenticated attackers to impersonate arbitrary users by submitting a crafted POST request to the login endpoint. By setting social_site=true and manipulating the user_id_social_site parameter, an attacker can generate a valid WordPress session cookie for any user ID, including administrators. • https://vulncheck.com/advisories/wordpress-pie-register-plugin-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-34085 – WordPress Simple File List Plugin < 4.2.3 Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-34085
09 Jul 2025 — An unrestricted file upload vulnerability in the WordPress Simple File List plugin prior to version 4.2.3 allows unauthenticated remote attackers to achieve remote code execution. • https://vulncheck.com/advisories/wordpress-simple-file-list-plugin-rce • CWE-306: Missing Authentication for Critical Function CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4828 – Support Board <= 3.8.0 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4828
08 Jul 2025 — The Support Board plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the sb_file_delete function in all versions up to, and including, 3.8.0. • https://codecanyon.net/item/support-board-help-desk-and-chat/20359943 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-4855 – Support Board <= 3.8.0 - Unauthenticated Authorization Bypass due to Use of Default Secret Key
https://notcve.org/view.php?id=CVE-2025-4855
08 Jul 2025 — The Support Board plugin for WordPress is vulnerable to unauthorized access/modification/deletion of data due to use of hardcoded default secrets in the sb_encryption() function in all versions up to, and including, 3.8.0. • https://codecanyon.net/item/support-board-help-desk-and-chat/20359943 • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-4606 – Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover
https://notcve.org/view.php?id=CVE-2025-4606
08 Jul 2025 — The Sala - Startup & SaaS WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. • https://themeforest.net/item/sala-startup-saas-wordpress-theme/33843955? • CWE-620: Unverified Password Change •

CVE-2025-49867 – WordPress RealHomes <= 4.4.0 - Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-49867
04 Jul 2025 — Incorrect Privilege Assignment vulnerability in InspiryThemes RealHomes allows Privilege Escalation. This issue affects RealHomes: from n/a through 4.4.0. • https://patchstack.com/database/wordpress/theme/realhomes/vulnerability/wordpress-realhomes-4-4-0-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment •

CVE-2025-23970 – WordPress Service Finder Booking <= 6.0 - Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-23970
04 Jul 2025 — The Service Finder Bookings plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0. • https://patchstack.com/database/wordpress/plugin/sf-booking/vulnerability/wordpress-service-finder-booking-6-0-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment •

CVE-2025-49302 – WordPress Easy Stripe <= 1.1 - Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-49302
03 Jul 2025 — The Easy Stripe – Tips, Payments, and Donations plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1. • https://patchstack.com/database/wordpress/plugin/easy-stripe/vulnerability/wordpress-easy-stripe-1-1-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-6463 – Forminator Forms – Contact Form, Payment Form & Custom Form Builder <= 1.44.2 - Unauthenticated Arbitrary File Deletion Triggered via Administrator Form Submission Deletion
https://notcve.org/view.php?id=CVE-2025-6463
01 Jul 2025 — The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'entry_delete_upload_files' function in all versions up to, and including, 1.44.2. ... • https://plugins.trac.wordpress.org/browser/forminator/trunk/library/model/class-form-entry-model.php#L1249 • CWE-73: External Control of File Name or Path •