CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-4389 – Crawlomatic Multipage Scraper Post Generator <= 2.6.8.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4389
16 May 2025 — The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/crawlomatic-multisite-scraper-post-generator-plugin-for-wordpress/20476010 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4391 – Echo RSS Feed Post Generator <= 5.4.8.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4391
16 May 2025 — The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/echo-rss-feed-post-generator-plugin-for-wordpress/19486974 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47512 – WordPress Tainacan plugin <= 0.21.14 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2025-47512
16 May 2025 — The Tainacan plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 0.21.14. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/tainacan/vulnerability/wordpress-tainacan-plugin-0-21-14-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47637 – WordPress STAGGS <= 2.11.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47637
16 May 2025 — The STAGGS – Product Configurator Toolkit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.11.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/staggs/vulnerability/wordpress-staggs-2-10-1-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47641 – WordPress Printcart Web to Print Product Designer for WooCommerce <= 2.3.8 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47641
16 May 2025 — The Printcart Web to Print Product Designer for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.3.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/printcart-integration/vulnerability/wordpress-printcart-web-to-print-product-designer-for-woocommerce-2-3-6-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-47577 – WordPress TI WooCommerce Wishlist < 2.10.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47577
16 May 2025 — The TI WooCommerce Wishlist plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the tinvwl_upload_file_wc_fields_factory() function which has 'test_type' for 'wp_handle_upload' set to false in all versions up to, and including, 2.9.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. ... WordPress TI WooCommerce Wishlist plugin version... • https://patchstack.com/database/wordpress/plugin/ti-woocommerce-wishlist/vulnerability/wordpress-ti-woocommerce-wishlist-2-9-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47492 – WordPress Drag and Drop File Upload for Elementor Forms <= 1.4.3 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-47492
15 May 2025 — The Drag and Drop File Upload for Elementor Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the elementor_file_upload_remove() function in all versions up to, and including, 1.4.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/drag-and-drop-file-upload-for-elementor-forms/vulnerability/wordpress-drag-and-drop-file-upload-for-elementor-forms-1-4-3-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3917 – 百度站长SEO合集(支持百度/神马/Bing/头条推送) <= 2.0.6 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3917
14 May 2025 — The 百度站长SEO合集(支持百度/神马/Bing/头条推送) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wordpress.org/plugins/baiduseo • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-3053 – UiPress lite | Effortless custom dashboards, admin themes and pages <= 3.5.07 - Authenticated (Subscriber+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-3053
14 May 2025 — The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.5.07 via the uip_process_form_input() function. ... This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary code on the server. • https://plugins.trac.wordpress.org/changeset/3292552/uipress-lite/trunk/admin/core/ajax-functions.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4564 – TicketBAI Facturas para WooCommerce <= 3.18 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4564
14 May 2025 — The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/wp-ticketbai/trunk/wp-ticketbai.php#L240 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •