
CVE-2025-3917 – 百度站长SEO合集(支持百度/神马/Bing/头条推送) (Baidu Webmaster SEO Suite, with Baidu/Shenma/Bing/Toutiao push support) <= 2.0.6 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3917
14 May 2025 — The 百度站长SEO合集(支持百度/神马/Bing/头条推送) (Baidu Webmaster SEO Suite) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. • https://wordpress.org/plugins/baiduseo • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4564 – TicketBAI Facturas para WooCommerce <= 3.18 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4564
14 May 2025 — The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. • https://plugins.trac.wordpress.org/browser/wp-ticketbai/trunk/wp-ticketbai.php#L240 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
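The 'delpdf' pattern above is a classic CWE-22 file deletion: a client-supplied name is joined onto a directory and handed to unlink(). The following is an added example, not code from the TicketBAI Facturas plugin: it models such a handler as a function over a fixed invoice directory and puts the vulnerable form beside a hardened one that allowlists the name shape and checks the canonical path for containment. The directory, file names and request values are constructed for the demo; it assumes PHP 8 on a POSIX filesystem (symlink is used).

```php
<?php
// Added example, not code from the TicketBAI Facturas plugin. A
// 'delpdf'-style handler is modelled as a function that deletes one
// generated PDF from a fixed invoice directory. Directory, files and
// request values below are constructed for the demo (POSIX paths).

$base   = sys_get_temp_dir() . '/invoices_demo_' . getmypid();
$secret = sys_get_temp_dir() . '/secret_demo_' . getmypid() . '.txt';
mkdir($base);
file_put_contents($base . '/F-2025-001.pdf', '%PDF-1.4 demo');
file_put_contents($secret, 'must survive');          // lives outside $base
symlink($secret, $base . '/link.pdf');               // name looks harmless

// Vulnerable (CWE-22): concatenates a client-supplied name, so
// "../secret_demo_<pid>.txt" escapes the directory.
function delete_pdf_vulnerable(string $base, string $name): bool
{
    $path = $base . '/' . $name;
    return is_file($path) && unlink($path);
}

// Hardened: allowlist the name shape, then confirm the resolved path is
// still inside $base (catches '..' and symlinks) before deleting.
function delete_pdf_safe(string $base, string $name): bool
{
    // 1. Bare invoice file names only: no slashes, no dot segments.
    if (!preg_match('/^[A-Za-z0-9_-]+\.pdf$/', $name)) {
        return false;
    }
    // 2. Containment check on the canonical path.
    $realBase = realpath($base);
    $real     = realpath($base . '/' . $name);
    if ($realBase === false || $real === false) {
        return false;
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return false;                                  // resolves outside $base
    }
    // 3. Delete the entry itself (not a symlink target).
    return unlink($base . '/' . $name);
}
// In WordPress the handler must additionally verify a nonce
// (wp_verify_nonce / check_admin_referer) and a capability
// (current_user_can) before reaching this point; the advisory notes the
// original action was reachable unauthenticated.

$traversal = '../secret_demo_' . getmypid() . '.txt';

// Hardened handler: traversal and the symlink are refused, the real invoice is removed.
if (delete_pdf_safe($base, $traversal) !== false)       throw new RuntimeException('traversal not blocked');
if (delete_pdf_safe($base, 'link.pdf') !== false)        throw new RuntimeException('symlink not blocked');
if (!file_exists($secret))                               throw new RuntimeException('secret was deleted');
if (delete_pdf_safe($base, 'F-2025-001.pdf') !== true)   throw new RuntimeException('legit delete failed');

// Vulnerable handler: the same traversal string deletes the file outside $base.
if (delete_pdf_vulnerable($base, $traversal) !== true)   throw new RuntimeException('expected traversal to succeed');
if (file_exists($secret))                                throw new RuntimeException('secret should be gone');

unlink($base . '/link.pdf');
rmdir($base);
echo "path traversal demo OK\n";
```

The regex alone rejects the '..' input; the realpath containment check is what refuses link.pdf, a name that passes the allowlist but resolves outside the directory. Keeping both means a later relaxation of the pattern (say, to allow subfolders) does not silently reopen the traversal.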

CVE-2025-47582 – WordPress WPBot Pro Wordpress Chatbot <= 12.7.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47582
14 May 2025 — Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot from n/a through 12.7.0: the plugin is vulnerable to PHP Object Injection in all versions up to, and including, 12.7.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/wpbot-pro/vulnerability/wordpress-wpbot-pro-wordpress-chatbot-12-7-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-47530 – WordPress WPFunnels <= 3.5.18 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47530
12 May 2025 — The WPFunnels plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.5.18 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/wpfunnels/vulnerability/wordpress-wpfunnels-3-5-18-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
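Both CVE-2025-47582 and CVE-2025-47530 are the same CWE-502 shape: unserialize() called on input the attacker controls. The following is an added example, not code from WPBot Pro or WPFunnels, showing why that is exploitable and two ways to close it. The LogWriter gadget class, the serialized payload and the target file path are constructed for the demo; on a real site the gadget would be any class with a useful magic method that is loadable when the vulnerable call runs. It assumes PHP 8 on the command line.

```php
<?php
// Added example, not code from WPBot Pro or WPFunnels. Shows why calling
// unserialize() on attacker-controlled input is exploitable (CWE-502) and
// two ways to close it. The gadget class, the payload and the target file
// are constructed for this demo.

// A gadget: any loadable class with a magic method that acts on its own
// properties. On a real site the candidates are classes shipped by
// WordPress core, the vulnerable plugin, or any other installed plugin.
class LogWriter
{
    public $path;
    public $content;
    public function __destruct()
    {
        file_put_contents($this->path, $this->content);   // driven by attacker data
    }
}

$target  = sys_get_temp_dir() . '/oi_demo_' . getmypid() . '.txt';
// Serialized LogWriter whose destructor writes attacker content to $target.
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:' . strlen($target) . ':"' . $target
         . '";s:7:"content";s:5:"pwned";}';

// Vulnerable: instantiates whatever class the input names; __wakeup and
// __destruct of that class then run with attacker-chosen properties.
function load_state_vulnerable(string $data)
{
    return unserialize($data);
}

// Hardened 1: keep unserialize() but forbid object instantiation. Every
// object becomes __PHP_Incomplete_Class, which has no magic methods.
function load_state_safe(string $data)
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened 2: do not use PHP serialization for untrusted data at all.
// json_decode(..., true) yields scalars and arrays only, never objects.
function load_state_json(string $data): ?array
{
    $value = json_decode($data, true);
    return is_array($value) ? $value : null;
}

// Hardened path: the payload decodes to an inert placeholder and
// destroying it writes nothing.
$obj = load_state_safe($payload);
if (!($obj instanceof __PHP_Incomplete_Class)) throw new RuntimeException('expected incomplete class');
unset($obj);
if (file_exists($target)) throw new RuntimeException('safe path should not write');

// JSON path: an object-looking payload is just data.
if (load_state_json('{"path":"/etc/passwd"}') !== ['path' => '/etc/passwd']) throw new RuntimeException('json case');

// Vulnerable path: the same payload instantiates LogWriter and its
// destructor fires when the object goes out of scope.
$obj = load_state_vulnerable($payload);
unset($obj);
if (file_get_contents($target) !== 'pwned') throw new RuntimeException('expected gadget to fire');
unlink($target);
echo "object injection demo OK\n";
```

An allowlist of specific class names (allowed_classes => ['MyDto']) is the middle ground when the data genuinely carries objects, but it only helps if none of the allowed classes, or anything they contain, has an exploitable magic method; treating the input as JSON removes the whole class of problem.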

CVE-2025-47642 – WordPress Ajar in5 Embed <= 3.1.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47642
09 May 2025 — The Ajar in5 Embed plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handleUpload.php file in all versions up to, and including, 3.1.5. • https://patchstack.com/database/wordpress/plugin/ajar-productions-in5-embed/vulnerability/wordpress-ajar-in5-embed-3-1-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-47687 – WordPress StoreKeeper for WooCommerce <= 14.4.4 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-47687
09 May 2025 — The StoreKeeper for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 14.4.4. • https://patchstack.com/database/wordpress/plugin/storekeeper-for-woocommerce/vulnerability/wordpress-storekeeper-for-woocommerce-14-4-4-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4403 – Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 - Unauthenticated Arbitrary File Upload via upload Function
https://notcve.org/view.php?id=CVE-2025-4403
08 May 2025 — The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user-supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. • https://wordpress.org/plugins/drag-and-drop-multiple-file-upload-for-woocommerce/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-11617 – Envolve Plugin <= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file
https://notcve.org/view.php?id=CVE-2024-11617
08 May 2025 — The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. • https://themeforest.net/item/envolve-consulting-business-wordpress-theme/28748459 • CWE-434: Unrestricted Upload of File with Dangerous Type •
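The five CWE-434 entries on this page (CVE-2025-3917, CVE-2025-47642, CVE-2025-47687, CVE-2025-4403 and CVE-2024-11617) share one root cause: the handler trusts the client's file name or declared type and never checks the bytes. The following is an added example, not code from any of those plugins, that puts a handler of the kind CVE-2025-4403 describes (a request-supplied supported_type and the original filename) beside a hardened one, and includes a remote-fetch wrapper for the download_remote_image_to_media_library case, where the URL path and response Content-Type are attacker controlled too. The allowlist, the sample PNG and PHP bytes and the temp directory are constructed for the demo; it assumes PHP 8 with the fileinfo extension on the command line.

```php
<?php
// Added example, not code from any plugin listed above. Models the
// CWE-434 pattern behind these advisories: an upload handler that trusts
// the client's file name or declared type, beside one that validates the
// bytes and controls the stored name. Files and names are constructed.

const ALLOWED_TYPES = [
    'jpg'  => ['image/jpeg'],
    'jpeg' => ['image/jpeg'],
    'png'  => ['image/png'],
    'gif'  => ['image/gif'],
    'pdf'  => ['application/pdf'],
];

// Vulnerable: "supported_type" comes from the request and the stored name is
// the client's, so shell.php + supported_type=image/png lands as shell.php.
function store_upload_vulnerable(string $tmp, string $clientName, string $supportedType, string $dir): ?string
{
    if (strpos($supportedType, 'image/') !== 0 && $supportedType !== 'application/pdf') {
        return null;
    }
    $dest = $dir . '/' . $clientName;
    return rename($tmp, $dest) ? $dest : null;
}

// Hardened: allowlisted extension, content sniffed from the bytes,
// server-chosen file name. Same check for browser uploads and for bytes
// the server fetched from a remote URL.
function store_upload_safe(string $tmp, string $clientName, string $dir): ?string
{
    // 1. Extension taken from the base name's last dot, lowercased.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }
    // 2. Real MIME type from content, never from headers or parameters.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return null;                       // e.g. PHP source named photo.png
    }
    // 3. Never reuse the client name: random name + the allowlisted extension.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return rename($tmp, $dest) ? $dest : null;
}

// Remote-fetch variant (the download_remote_image_to_media_library case):
// the URL's path and the response's Content-Type are attacker controlled,
// so the fetched bytes go through exactly the same check.
function store_remote_image_safe(string $bytes, string $url, string $dir): ?string
{
    $tmp = tempnam(sys_get_temp_dir(), 'dl');
    file_put_contents($tmp, $bytes);
    $result = store_upload_safe($tmp, basename((string) parse_url($url, PHP_URL_PATH)), $dir);
    if ($result === null) {
        unlink($tmp);
    }
    return $result;
}

// --- constructed samples ---
$dir = sys_get_temp_dir() . '/uploads_demo_' . getmypid();
mkdir($dir);
// PNG signature plus an IHDR chunk (1x1, 8-bit RGB); CRC is irrelevant for sniffing.
$png = "\x89PNG\r\n\x1a\n" . "\x00\x00\x00\x0dIHDR"
     . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x02\x00\x00\x00" . "\x00\x00\x00\x00";
$php = "<?php system(\$_GET['c']); ?>";
$mk  = function (string $content): string {
    $t = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($t, $content);
    return $t;
};

// Vulnerable handler accepts the web shell because the client said it is an image.
$shell = store_upload_vulnerable($mk($php), 'shell.php', 'image/png', $dir);
if ($shell === null || !str_ends_with($shell, '/shell.php')) throw new RuntimeException('vulnerable case changed');
unlink($shell);

// Hardened handler: rejected by extension, by content, and by double extension.
foreach (['shell.php', 'photo.png', 'shell.php.png'] as $name) {
    $t = $mk($php);
    if (store_upload_safe($t, $name, $dir) !== null) throw new RuntimeException("$name should be rejected");
    unlink($t);
}
// A real PNG is accepted but stored under a server-generated name.
$stored = store_upload_safe($mk($png), 'cat.png', $dir);
if ($stored === null || basename($stored) === 'cat.png' || !str_ends_with($stored, '.png')) throw new RuntimeException('png case');
unlink($stored);
// Remote fetch: PHP bytes behind an image-looking URL are rejected the same way.
if (store_remote_image_safe($php, 'https://example.test/a/avatar.png', $dir) !== null) throw new RuntimeException('remote case');
rmdir($dir);
echo "upload demo OK\n";
```

Inside WordPress, wp_check_filetype_and_ext() plus wp_handle_upload() (or media_handle_sideload() for a fetched file) give the same extension-and-content agreement check; the points that carry over are that the declared type is never an input to the decision and that the stored name is chosen by the server, so an uploaded file can never execute under the name the attacker picked.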

CVE-2025-3810 – WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-3810
08 May 2025 — The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. • https://plugins.trac.wordpress.org/changeset/3278939/wpbookit/trunk/core/admin/classes/controllers/class.wpb-profile-controller.php • CWE-639: Authorization Bypass Through User-Controlled Key •

CVE-2025-3811 – WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update
https://notcve.org/view.php?id=CVE-2025-3811
08 May 2025 — The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. • https://plugins.trac.wordpress.org/changeset/3278939/wpbookit/trunk/core/admin/classes/controllers/class.wpb-customer-controller.php • CWE-639: Authorization Bypass Through User-Controlled Key •
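CVE-2025-3810 and CVE-2025-3811 are the same CWE-639 shape on two controllers: the record being changed is selected by a user-controlled key rather than by the authenticated session, and rewriting an administrator's e-mail address turns into a password reset and an account takeover. The following is an added example, not WPBookit's code: it models the e-mail update case with an in-memory user table (the profile update case is the same gate applied to different fields) and puts the vulnerable handler beside one bound to the session identity. Users, roles and request values are constructed for the demo; it assumes PHP 8 on the command line.

```php
<?php
// Added example, not code from WPBookit. Models the two advisories above:
// an e-mail update endpoint whose target record is chosen by a request
// parameter (CWE-639) beside one bound to the authenticated user.
// The user table and requests are constructed for the demo.

function sample_users(): array
{
    return [
        1 => ['email' => 'owner@example.test',    'role' => 'administrator'],
        7 => ['email' => 'customer@example.test', 'role' => 'customer'],
    ];
}

// Vulnerable: any caller, even unauthenticated, names the victim by id.
// Controlling the administrator's e-mail means controlling the password
// reset flow, which is the account takeover the advisory describes.
function update_email_vulnerable(array &$users, array $request): bool
{
    $id = (int) ($request['user_id'] ?? 0);
    if (!isset($users[$id])) {
        return false;
    }
    $users[$id]['email'] = $request['email'];
    return true;
}

// Hardened: the target is the session identity unless the caller holds an
// administrative role; unauthenticated requests are refused before any
// user-controlled key is read.
function update_email_safe(array &$users, ?int $actorId, array $request): bool
{
    if ($actorId === null || !isset($users[$actorId])) {
        return false;                                   // not logged in
    }
    $target = isset($request['user_id']) ? (int) $request['user_id'] : $actorId;
    if ($target !== $actorId && $users[$actorId]['role'] !== 'administrator') {
        return false;                                   // IDOR attempt
    }
    if (!isset($users[$target])) {
        return false;
    }
    $email = filter_var((string) ($request['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $users[$target]['email'] = $email;
    // A WordPress handler should also verify a nonce here and confirm the
    // new address (for example by mailing a confirmation link) before it
    // can be used for password resets.
    return true;
}

$takeover = ['user_id' => 1, 'email' => 'attacker@evil.test'];

// Vulnerable: an anonymous request rewrites the administrator's e-mail.
$u = sample_users();
if (!update_email_vulnerable($u, $takeover) || $u[1]['email'] !== 'attacker@evil.test') {
    throw new RuntimeException('vulnerable case changed');
}

// Hardened: anonymous and cross-account attempts fail and the record is untouched.
$u = sample_users();
if (update_email_safe($u, null, $takeover)) throw new RuntimeException('anonymous accepted');
if (update_email_safe($u, 7, $takeover))    throw new RuntimeException('customer changed admin');
if ($u[1]['email'] !== 'owner@example.test') throw new RuntimeException('admin email modified');
// A user may change their own address; with no user_id the session decides the target.
if (!update_email_safe($u, 7, ['email' => 'new@example.test']) || $u[7]['email'] !== 'new@example.test') {
    throw new RuntimeException('self update failed');
}
echo "IDOR demo OK\n";
```

The decisive line is the one that derives the target from the session (get_current_user_id() in WordPress) and only honours a supplied user_id after a capability check; a handler that reads the id from the request first and checks permissions afterwards is the pattern that the two WPBookit changesets linked above had to replace.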