
CVE-2024-12876 – Golo - Directory & Listing, Travel WordPress Theme <= 1.6.10 - Missing Authorization to Privilege Escalation via Unauthenticated Arbitrary User Password Change
https://notcve.org/view.php?id=CVE-2024-12876
06 Mar 2025 — The Golo - City Travel Guide WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. • https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810 • CWE-862: Missing Authorization •

CVE-2025-1475 – WPCOM Member <= 1.7.5 - Authentication Bypass via 'user_phone'
https://notcve.org/view.php?id=CVE-2025-1475
06 Mar 2025 — The WPCOM Member plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.7.5. • https://plugins.trac.wordpress.org/browser/wpcom-member/tags/1.7.1/includes/form-validation.php#L110 • CWE-287: Improper Authentication •

CVE-2025-1306 – Newscrunch <= 1.8.4 - Cross-Site Request Forgery to Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1306
03 Mar 2025 — The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. • https://github.com/Nxploited/CVE-2025-1306 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-0912 – GiveWP – Donation Plugin and Fundraising Platform <= 3.19.4 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-0912
03 Mar 2025 — The Donations Widget plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.19.4 via deserialization of untrusted input from the Donation Form through the 'card_address' parameter. • https://github.com/impress-org/givewp/pull/7679/files • CWE-502: Deserialization of Untrusted Data •

CVE-2025-1307 – Newscrunch <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-1307
03 Mar 2025 — The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. • https://github.com/McTavishSue/CVE-2025-1307 • CWE-862: Missing Authorization •

CVE-2024-12824 – Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
https://notcve.org/view.php?id=CVE-2024-12824
28 Feb 2025 — The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. • https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241 • CWE-620: Unverified Password Change •

CVE-2025-1564 – SetSail Membership <= 1.0.3 - Authentication Bypass via Account Takeover
https://notcve.org/view.php?id=CVE-2025-1564
28 Feb 2025 — The SetSail Membership plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 1.0.3. • https://themeforest.net/item/setsail-travel-agency-theme/22832625 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-1638 – Alloggio Membership <= 1.1 - Authentication Bypass via Social Login Account Takeover
https://notcve.org/view.php?id=CVE-2025-1638
28 Feb 2025 — The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. • https://themeforest.net/item/alloggio-hotel-booking-theme/26775539 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-1671 – Academist Membership <= 1.1.6 - Authentication Bypass via Account Takeover
https://notcve.org/view.php?id=CVE-2025-1671
28 Feb 2025 — The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. • https://themeforest.net/item/academist-a-modern-learning-management-system-and-education-theme/22376830 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2024-9193 – WHMpress <= 6.3-revision-0 - Unauthenticated Local File Inclusion to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2024-9193
27 Feb 2025 — The WHMpress - WHMCS WordPress Integration Plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 6.3-revision-0 via the whmpress_domain_search_ajax_extended_results() function. ... This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://whmpress.com/docs/change-log • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •