
CVE-2025-3472 – Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2025-3472
21 Apr 2025 — The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. • https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/shortcodes/shortcodes.php#L618 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-1093 – AIHub <= 1.3.7 - Unauthenticated Arbitrary File Upload in generate_image
https://notcve.org/view.php?id=CVE-2025-1093
18 Apr 2025 — The AIHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the generate_image function in all versions up to, and including, 1.3.7. • https://themeforest.net/item/ai-hub-startup-technology-wordpress-theme/47473638 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-3278 – UrbanGo Membership <= 1.0.4 - Unauthenticated Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-3278
18 Apr 2025 — The UrbanGo Membership plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.0.4. • https://themeforest.net/item/urbango-directory-and-listing-wordpress-theme/22712624 • CWE-269: Improper Privilege Management •

CVE-2025-39596 – WordPress Quentn WP <= 1.2.8 - Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-39596
17 Apr 2025 — The Quentn WP plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.8. • https://patchstack.com/database/wordpress/plugin/quentn-wp/vulnerability/wordpress-quentn-wp-1-2-8-privilege-escalation-vulnerability? • CWE-269: Improper Privilege Management • CWE-1390: Weak Authentication •

CVE-2025-39550 – WordPress FluentCommunity <= 1.2.15 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-39550
17 Apr 2025 — The FluentCommunity plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2.15 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/fluent-community/vulnerability/wordpress-fluentcommunity-1-2-15-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-39588 – WordPress Ultimate Store Kit Elementor Addons <= 2.4.0 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-39588
17 Apr 2025 — The Ultimate Store Kit – Elementor powered WooCommerce Builder, 80+ Widgets and Template Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.4.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/ultimate-store-kit/vulnerability/wordpress-ultimate-store-kit-elementor-addons-2-4-0-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-39551 – WordPress FluentBoards <= 1.47 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-39551
17 Apr 2025 — The FluentBoards plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.47 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/fluent-boards/vulnerability/wordpress-fluentboards-1-47-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-32658 – WordPress HelpGent plugin <= 2.2.4 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-32658
16 Apr 2025 — The HelpGent plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 2.2.4 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/helpgent/vulnerability/wordpress-helpgent-plugin-2-2-4-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-39601 – WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-39601
16 Apr 2025 — The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.1. ... WordPress Custom CSS, JS and PHP versions 2.4.1 and below suffer from a cross-site request forgery vulnerability that leads to remote code execution. • https://patchstack.com/database/wordpress/plugin/custom-css/vulnerability/wordpress-custom-css-js-php-plugin-2-4-1-csrf-to-rce-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-32572 – WordPress Kata Plus Plugin <= 1.5.2 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-32572
15 Apr 2025 — The Kata Plus plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.2 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/kata-plus/vulnerability/wordpress-kata-plus-addons-for-elementor-widgets-extensions-and-templates-plugin-1-5-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •