CVSS: 9.1 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-68912 – HDForms <= 1.6.1 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-68912
13 Jan 2026 — The HDForms | Contact Form Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.6.1. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-68986 – Miion <= 1.2.7 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-68986
13 Jan 2026 — The Miion | Multi-Purpose WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.1 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-69097 – WPLMS <= 1.9.9.5.4 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-69097
13 Jan 2026 — The WPLMS Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 1.9.9.5.4. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2026-22327 – Restaurt <= 1.0.4 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2026-22327
13 Jan 2026 — The Restaurt theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8 | EPSS: % | CPEs: 1 | EXPL: 0 | CVE-2025-50002 – Energia <= 1.1.2 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-50002
12 Jan 2026 — The Energia - Renewable Energy WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-15158 – WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-15158
06 Jan 2026 — The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-14842 – Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-14842
06 Jan 2026 — The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. ... Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP. • https://plugins.trac.wordpress.org/browser/contact-form-7/trunk/includes/formatting.php#L310 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-14997 – BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-14997
05 Jan 2026 — The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
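The three arbitrary-file-deletion entries above (HDForms, WPLMS, BuddyPress Xprofile Custom Field Types) share one root cause: a request-supplied file name is joined onto the upload directory and passed to unlink() without checking that the result still lies inside that directory. The following PHP is an added illustration, not code from any of those plugins: a minimal reproduction of the pattern beside a hardened version, with a constructed fixture (a temporary fake site root containing a stand-in wp-config.php) so it runs offline under PHP 8. Function and directory names are illustrative.

```php
<?php
// Added example (not from HDForms, WPLMS or BuddyPress Xprofile Custom Field Types):
// the CWE-22 deletion pattern and a hardened replacement. Names are illustrative.

declare(strict_types=1);

// VULNERABLE: the request-supplied name is only concatenated onto the upload
// directory, so "../../wp-config.php" walks out of it and removes the config.
function vulnerable_delete(string $uploadDir, string $requestedName): bool
{
    return @unlink($uploadDir . '/' . $requestedName);
}

// HARDENED: canonicalise both paths and require the target to sit strictly
// inside the upload directory. realpath() also resolves symlinks, so a link
// planted inside the upload directory cannot redirect the unlink elsewhere.
function safe_delete(string $uploadDir, string $requestedName): bool
{
    if (str_contains($requestedName, "\0")) {
        return false;                 // embedded NUL is never legitimate
    }
    // Accept a bare file name only: any directory component is rejected outright.
    if (basename($requestedName) !== $requestedName) {
        return false;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return false;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($target === false || !is_file($target)) {
        return false;                 // missing, or not a regular file
    }
    // Containment: the canonical target must start with "<base>/".
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return false;
    }
    return unlink($target);
}

// --- Constructed fixture: a fake site root with wp-config.php and an uploads dir.
$root = sys_get_temp_dir() . '/cwe22-demo-' . bin2hex(random_bytes(4));
mkdir("$root/wp-content/uploads", 0700, true);
file_put_contents("$root/wp-config.php", "<?php // constructed stand-in\n");
file_put_contents("$root/wp-content/uploads/upload.txt", "user file\n");
$uploads = "$root/wp-content/uploads";

// Attacker-controlled value as it would arrive in a form field or AJAX parameter.
$payload = '../../wp-config.php';

printf("hardened: traversal payload refused: %s\n", safe_delete($uploads, $payload) ? 'no' : 'yes');
printf("hardened: wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');
printf("hardened: legitimate delete of upload.txt: %s\n", safe_delete($uploads, 'upload.txt') ? 'ok' : 'refused');

printf("vulnerable: unlink returned: %s\n", vulnerable_delete($uploads, $payload) ? 'true' : 'false');
printf("vulnerable: wp-config.php still present: %s\n", file_exists("$root/wp-config.php") ? 'yes' : 'no');

// Cleanup of the fixture.
@unlink("$root/wp-config.php");
rmdir("$root/wp-content/uploads");
rmdir("$root/wp-content");
rmdir($root);
```

Run it with `php cwe22_demo.php`. The containment check is the part the affected plugins lacked; in a real WordPress handler it sits behind a capability check (`current_user_can()`) and a nonce check (`check_ajax_referer()`), which is why the entries above distinguish unauthenticated from Subscriber+ exposure. Deleting wp-config.php matters because WordPress then treats the site as uninstalled and offers the setup wizard, letting whoever reaches it first point the install at a database they control.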
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-67924 – WordPress Corpkit theme <= 2.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-67924
05 Jan 2026 — The Corpkit - Business Consulting WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
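The upload entries above (Miion, Restaurt, Energia, WP Enable WebP, Corpkit) are described as "missing" or "improper" file type validation, and the Contact Form 7 add-on entry shows the failure mode of a partial fix: blocking `.php` but letting `.phar` through, which executes as PHP on some hosts. The following PHP is an added illustration, not code from any of those themes or plugins: an extension deny-list of the kind that misses `.phar`, beside a validator that allow-lists extensions, sniffs the content with finfo, and never lets the client choose the stored name. The sample files (a minimal PNG header and a PHP web shell body) are constructed in a temporary directory so it runs offline under PHP 8 with the fileinfo extension.

```php
<?php
// Added example (not from any listed theme or plugin): a weak extension
// deny-list next to a hardened CWE-434 validator. Names are illustrative.

declare(strict_types=1);

// VULNERABLE: deny-list on the final extension. "shell.phar" and "shell.phtml"
// are not listed, so they pass and execute wherever the server maps them to PHP.
function vulnerable_name_check(string $clientName): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return !in_array($ext, ['php', 'php5'], true);
}

// Allow-list: permitted extension => MIME type its content must sniff as.
const ALLOWED_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
    'pdf'  => 'application/pdf',
];

// HARDENED: returns the name to store the file under, or null to reject.
//  1. the extension must be on the allow-list (unknown ones such as phar fail closed);
//  2. the bytes are sniffed with libmagic and must match the claimed type;
//  3. the stored name is random, so "shell.php.jpg" becomes "<hex>.jpg" and the
//     client never controls the path.
function validate_upload(string $clientName, string $tmpPath): ?string
{
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== ALLOWED_TYPES[$ext]) {
        return null;                 // content disagrees with the claimed type
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// --- Constructed fixtures standing in for $_FILES['...']['tmp_name'].
$tmp = sys_get_temp_dir();
$pngPath = tempnam($tmp, 'up');
// PNG signature plus a 1x1 IHDR chunk, enough for libmagic to identify image/png.
file_put_contents($pngPath,
    "\x89PNG\r\n\x1a\n" .
    "\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89");
$phpPath = tempnam($tmp, 'up');
file_put_contents($phpPath, "<?php system(\$_GET['c']);\n");   // web shell body

$cases = [
    // [client-supplied name, temp file, description]
    ['shell.phar',   $phpPath, 'PHP body with a .phar name'],
    ['shell.jpg',    $phpPath, 'PHP body renamed to .jpg'],
    ['shell.php.jpg', $phpPath, 'double extension, PHP body'],
    ['photo.png',    $pngPath, 'genuine PNG'],
];
foreach ($cases as [$name, $path, $what]) {
    printf("%-28s deny-list: %-6s allow-list+sniff: %s\n",
        $what,
        vulnerable_name_check($name) ? 'pass' : 'reject',
        validate_upload($name, $path) ?? 'reject');
}

unlink($pngPath);
unlink($phpPath);
```

Run it with `php cwe434_demo.php`. The deny-list accepts three of the four names and the validator accepts only the genuine PNG, storing it under a random name. In WordPress the first-party equivalents are `wp_check_filetype_and_ext()` and `wp_handle_upload()`, which apply the site's configured MIME list; bypassing them with a theme's own handler is how the entries above arose. Even with validation, keep the upload directory non-executable at the web-server level so a missed case cannot become code execution.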
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-14509 – Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags
https://notcve.org/view.php?id=CVE-2025-14509
29 Dec 2025 — The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. ... In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments. • https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
