
CVE-2025-49071 – WordPress Flozen < 1.5.1 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49071
11 Jun 2025 — The flozen-theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.5.1 (exclusive). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/theme/flozen-theme/vulnerability/wordpress-flozen-1-5-1-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-32510 – WordPress Ovatheme Events Manager plugin <= 1.7.5 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-32510
11 Jun 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.7.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/ova-events-manager/vulnerability/wordpress-ovatheme-events-manager-plugin-1-7-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49444 – WordPress Reformer for Elementor <= 1.0.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49444
11 Jun 2025 — The ReFormer – Multichannel Contact Form for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/reformer-elementor/vulnerability/wordpress-reformer-for-elementor-1-0-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4954 – Axle Demo Importer <= 1.0.3 - Author+ Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4954
10 Jun 2025 — The Axle Demo Importer WordPress plugin through 1.0.3 does not validate files to be uploaded, which could allow authenticated users (author and above) to upload arbitrary files such as PHP on the server. The Axle Demo Importer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected ... • https://wpscan.com/vulnerability/673f35ff-e1d5-4099-86e7-8b6e3e410ef8 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-5395 – WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-5395
10 Jun 2025 — The WordPress Automatic Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'core.php' file in all versions up to, and including, 3.115.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/wordpress-automatic-plugin/1904470#item-description__changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49415 – WordPress FW Gallery <= 8.0.0 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-49415
10 Jun 2025 — The FW Gallery – Photo, video, audio media presentation and management system with players and slideshow plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 8.0.0. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/fw-gallery/vulnerability/wordpress-fw-gallery-8-0-0-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-4799 – WP-DownloadManager <= 1.68.10 - Authenticated (Administrator+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4799
10 Jun 2025 — The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file deletion due to lack of restriction on the directory a file can be deleted from in all versions up to, and including, 1.68.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This vulnerability can be paired with CVE-2025-4798 to d... • https://plugins.trac.wordpress.org/browser/wp-downloadmanager/trunk/download-manager.php#L215 • CWE-36: Absolute Path Traversal •

CVE-2025-32222 – Widget Logic <= 6.0.5 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-32222
09 Jun 2025 — The Widget Logic plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 6.0.5. • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-49329 – WordPress Store Locator WordPress <= 1.5.2 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49329
05 Jun 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in Agile Logix Store Locator WordPress allows Upload a Web Shell to a Web Server. This issue affects Store Locator WordPress: from n/a through 1.5.2. The Store Locator WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.5.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to uplo... • https://patchstack.com/database/wordpress/plugin/agile-store-locator/vulnerability/wordpress-store-locator-wordpress-1-5-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-3055 – WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3055
04 Jun 2025 — The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_avatar_ajax() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). El complemento WP User Frontend Pro para WordPres... • https://headwayapp.co/wp-user-frontend-changelog • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •