
CVE-2025-2266 – Checkout Mestres do WP for WooCommerce 8.6.5 - 8.7.5 - Unauthenticated Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2025-2266
28 Mar 2025 — The Checkout Mestres do WP for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the cwmpUpdateOptions() function in versions 8.6.5 to 8.7.5. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://wordpress.org/plugins/checkout-mestres-wp • CWE-862: Missing Authorization •

CVE-2025-2294 – Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-2294
27 Mar 2025 — The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. • https://packetstorm.news/files/id/190110 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-2328 – Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-2328
27 Mar 2025 — The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. • https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L153 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-2332 – Export All Posts, Products, Orders, Refunds & Users <= 2.13 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-2332
26 Mar 2025 — The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. • https://plugins.trac.wordpress.org/browser/wp-ultimate-exporter/trunk/exportExtensions/ExportExtension.php#L3332 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-2319 – EZ SQL Reports Shortcode Widget and DB Backup 4.11.13 - 5.25.08 - Cross-Site Request Forgery to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-2319
24 Mar 2025 — The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. • https://plugins.trac.wordpress.org/browser/elisqlreports/tags/4..11.13/index.php • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-30615 – WordPress WP e-Commerce Style Email plugin <= 0.6.2 - CSRF to Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-30615
24 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection. This issue affects WP e-Commerce Style Email: from n/a through 0.6.2. • https://patchstack.com/database/wordpress/plugin/wp-e-commerce-style-email/vulnerability/wordpress-wp-e-commerce-style-email-plugin-0-6-2-csrf-to-remote-code-execution-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-28916 – WordPress Docpro plugin <= 2.0.1 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-28916
23 Mar 2025 — The Docpro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.1. • https://patchstack.com/database/wordpress/plugin/docpro/vulnerability/wordpress-docpro-plugin-2-0-1-local-file-inclusion-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-2505 – Age Gate <= 3.5.3 - Unauthenticated Local PHP File Inclusion via 'lang'
https://notcve.org/view.php?id=CVE-2025-2505
19 Mar 2025 — The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. • https://plugins.trac.wordpress.org/browser/age-gate/trunk/vendor/agegate/common/src/Settings.php#L27 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-26909 – WordPress Hide My WP Ghost plugin <= 5.4.01 - Local File Inclusion to RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-26909
19 Mar 2025 — The Hide My WP Ghost plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 5.4.01. • https://patchstack.com/database/wordpress/plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-2512 – File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function
https://notcve.org/view.php?id=CVE-2025-2512
18 Mar 2025 — The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. • https://wordpress.org/plugins/file-away/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •