CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49417 – WordPress WooCommerce Product Multi-Action <= 1.3 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-49417
01 Jul 2025 — The WooCommerce Product Multi-Action plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/woo-product-multiaction/vulnerability/wordpress-woocommerce-product-multi-action-1-3-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2025-6934 – Opal Estate Pro <= 1.7.5 - Unauthenticated Privilege Escalation via 'on_regiser_user'
https://notcve.org/view.php?id=CVE-2025-6934
30 Jun 2025 — The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions up to, and including, 1.7.5. ... WordPress Opal Estate Pro plugin versions 1.7.5 and below suffers from a privilege escalation vulnerability. • https://themeforest.net/item/fullhouse-real-estate-responsive-wordpress-theme/16179481 • CWE-269: Improper Privilege Management •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-30933 – WordPress LogisticsHub <= 1.1.6 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-30933
30 Jun 2025 — The LogisticsHub theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.1.6. • https://patchstack.com/database/wordpress/theme/logistics-hub/vulnerability/wordpress-logisticshub-1-1-6-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49414 – WordPress FW Gallery <= 8.0.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49414
30 Jun 2025 — The FW Gallery – Photo, video, audio media presentation and management system with players and slideshow plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 8.0.0. • https://patchstack.com/database/wordpress/plugin/fw-gallery/vulnerability/wordpress-fw-gallery-8-0-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-5304 – PT Project Notebooks 1.0.0 - 1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation via wpnb_pto_new_users_add Function
https://notcve.org/view.php?id=CVE-2025-5304
27 Jun 2025 — The PT Project Notebooks plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization in the wpnb_pto_new_users_add() function in versions 1.0.0 through 1.1.3. • https://wordpress.org/plugins/project-notebooks/#developers • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2025-49885 – WordPress Drag and Drop Multiple File Upload (Pro) - WooCommerce plugin <= 5.0.6 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49885
27 Jun 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in HaruTheme Drag and Drop Multiple File Upload (Pro) - WooCommerce allows Upload a Web Shell to a Web Server. This issue affects Drag and Drop Multiple File Upload (Pro) - WooCommerce: from n/a through 5.0.6. • https://patchstack.com/database/wordpress/plugin/drag-and-drop-file-upload-wc-pro/vulnerability/wordpress-drag-and-drop-multiple-file-upload-pro-woocommerce-5-0-6-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52709 – WordPress Everest Forms plugin <= 3.2.2 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-52709
27 Jun 2025 — The Everest Forms plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.2.2 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/everest-forms/vulnerability/wordpress-everest-forms-3-2-2-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52724 – WordPress Amwerk theme <= 1.2.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-52724
27 Jun 2025 — The Amwerk theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.2.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/amwerk/vulnerability/wordpress-amwerk-1-2-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-52725 – WordPress CouponXxL theme <= 3.0.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-52725
27 Jun 2025 — The CouponXxL theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.0.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/couponxxl/vulnerability/wordpress-couponxxl-3-0-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-53277 – WordPress IS-theme-companion plugin <= 1.57 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-53277
27 Jun 2025 — The IS-theme-companion plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.57. • https://patchstack.com/database/wordpress/plugin/weblizar-companion/vulnerability/wordpress-is-theme-companion-plugin-1-57-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •