CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-1562 – Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2025-1562
17 Jun 2025 — The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the install_or_activate_addon_plugins() function and a weak nonce hash in all versions up to, and including, 3.5.3. • https://github.com/gmh5225/CVE-2025-1562 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49330 – WordPress Integration for Contact Form 7 and Zoho CRM, Bigin <= 1.3.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49330
16 Jun 2025 — The Integration for Contact Form 7 and Zoho CRM, Bigin plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.3.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/cf7-zoho/vulnerability/wordpress-integration-for-contact-form-7-and-zoho-crm-bigin-1-3-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-5288 – REST API | Custom API Generator For Cross Platform And Import Export In WP 1.0.0 - 2.0.3 - Missing Authorization to Unauthenticated Privilege Escalation via process_handler Function
https://notcve.org/view.php?id=CVE-2025-5288
12 Jun 2025 — The REST API | Custom API Generator For Cross Platform And Import Export In WP plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the process_handler() function in versions 1.0.0 to 2.0.3. ... WordPress REST API | Custom API Generator For Cross Platform And Import Export In WP plugin versions 1.0.0 through 2.0.3 are susceptible to a privilege escalation vulnerability due to a missing capability check on the process_handler(). • https://wordpress.org/plugins/import-export-with-custom-rest-api/#developers • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49447 – WordPress FW Food Menu <= 6.0.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49447
12 Jun 2025 — The FW Food Menu – Responsive food menu with ordering & delivery solutions plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 6.0.0. • https://patchstack.com/database/wordpress/plugin/fw-food-menu/vulnerability/wordpress-fw-food-menu-6-0-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4973 – Workreap <= 3.3.1 - Authentication Bypass via 'workreap_verify_user_account'
https://notcve.org/view.php?id=CVE-2025-4973
11 Jun 2025 — The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. ... El complemento Workreap para WordPress, utilizado por el tema Workreap - Freelance Marketplace para WordPress, es vulnerable a la omisión de la autenticación en todas las versiones hasta la 3.3.1 incluida. • https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454#item-description__release-3-3-2-23-may-2025 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49071 – WordPress Flozen < 1.5.1 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49071
11 Jun 2025 — The flozen-theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to 1.5.1 (exclusive). • https://patchstack.com/database/wordpress/theme/flozen-theme/vulnerability/wordpress-flozen-1-5-1-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32510 – WordPress Ovatheme Events Manager plugin <= 1.7.5 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-32510
11 Jun 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.7.5. • https://patchstack.com/database/wordpress/plugin/ova-events-manager/vulnerability/wordpress-ovatheme-events-manager-plugin-1-7-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49444 – WordPress Reformer for Elementor <= 1.0.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49444
11 Jun 2025 — The ReFormer – Multichannel Contact Form for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.5. • https://patchstack.com/database/wordpress/plugin/reformer-elementor/vulnerability/wordpress-reformer-for-elementor-1-0-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-31919 – WordPress Spare <= 1.7 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31919
10 Jun 2025 — The Spare theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.7 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/spare/vulnerability/wordpress-spare-1-7-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49507 – WordPress CozyStay < 1.7.1 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49507
09 Jun 2025 — The CozyStay theme for WordPress is vulnerable to PHP Object Injection in versions up to 1.7.1 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/cozystay/vulnerability/wordpress-cozystay-1-7-1-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •