CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 1 | CVE-2025-14892 – Prime Listing Manager <= 1.1 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-14892
22 Jan 2026 — The Prime Listing Manager WordPress plugin through 1.1 allows an attacker to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions due to a hardcoded secret. The Prime Listing Manager plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1. • https://wpscan.com/vulnerability/d12332ec-1d0c-4ff5-94e0-7c4470bdb79c • CWE-620: Unverified Password Change
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-15521 – Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.5.0 - Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-15521
20 Jan 2026 — The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. • https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 • CWE-639: Authorization Bypass Through User-Controlled Key
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-14533 – Advanced Custom Fields: Extended <= 0.9.2.1 - Unauthenticated Privilege Escalation via Insert User Form Action
https://notcve.org/view.php?id=CVE-2025-14533
19 Jan 2026 — The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. • https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 • CWE-269: Improper Privilege Management
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-15403 – RegistrationMagic <= 6.0.7.1 - Privilege Escalation via admin_order
https://notcve.org/view.php?id=CVE-2025-15403
16 Jan 2026 — The RegistrationMagic plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.0.7.1. • https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/trunk/admin/class_rm_admin.php#L487 • CWE-269: Improper Privilege Management
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-10484 – Registration & Login with Mobile Phone Number for WooCommerce <= 1.3.1 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-10484
16 Jan 2026 — The Registration & Login with Mobile Phone Number for WooCommerce plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.1. • https://woocommerce.com/products/registration-login-with-mobile-phone-number • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2026-23800 – WordPress Modular DS plugin <= 2.5.2 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23800
16 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in version 2.5.2. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-plugin-2-5-2-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment • CWE-269: Improper Privilege Management
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-69101 – WordPress Workreap Core plugin <= 3.4.0 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-69101
15 Jan 2026 — The Workreap Core plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.4.0. • https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel
CVSS: 10.0 | EPSS: 6% | CPEs: 1 | EXPL: 1 | CVE-2026-23550 – WordPress Modular DS plugin <= 2.5.1 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2026-23550
14 Jan 2026 — The Modular DS: Monitor, update, and backup multiple websites plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.5.1. • https://patchstack.com/database/wordpress/plugin/modular-connector/vulnerability/wordpress-modular-ds-monitor-update-and-backup-multiple-websites-plugin-2-5-1-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment • CWE-269: Improper Privilege Management
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-14502 – News and Blog Designer Bundle <= 1.1 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-14502
13 Jan 2026 — The News and Blog Designer Bundle plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.1 via the template parameter. • https://plugins.trac.wordpress.org/browser/news-and-blog-designer-bundle/trunk/includes/class-nbdb-ajax.php#L31 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-14301 – Integration Opvius AI for WooCommerce <= 1.3.0 - Unauthenticated Arbitrary File Deletion/Read via Path Traversal
https://notcve.org/view.php?id=CVE-2025-14301
13 Jan 2026 — The Integration Opvius AI for WooCommerce plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.0. • https://plugins.trac.wordpress.org/browser/woosa-ai-for-woocommerce/tags/1.3.0/vendor/woosa/logger/class-module-logger-hook.php#L160 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
