
CVE-2025-32510 – WordPress Ovatheme Events Manager plugin <= 1.7.5 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-32510
11 Jun 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.7.5. • https://patchstack.com/database/wordpress/plugin/ova-events-manager/vulnerability/wordpress-ovatheme-events-manager-plugin-1-7-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49444 – WordPress Reformer for Elementor <= 1.0.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-49444
11 Jun 2025 — The ReFormer – Multichannel Contact Form for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.0.5. • https://patchstack.com/database/wordpress/plugin/reformer-elementor/vulnerability/wordpress-reformer-for-elementor-1-0-5-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-31919 – WordPress Spare <= 1.7 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31919
10 Jun 2025 — The Spare theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.7 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/spare/vulnerability/wordpress-spare-1-7-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49507 – WordPress CozyStay < 1.7.1 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49507
09 Jun 2025 — The CozyStay theme for WordPress is vulnerable to PHP Object Injection in versions up to 1.7.1 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/cozystay/vulnerability/wordpress-cozystay-1-7-1-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49455 – WordPress TinySalt < 3.10.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49455
09 Jun 2025 — The TinySalt theme for WordPress is vulnerable to PHP Object Injection in versions up to 3.10.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/tinysalt/vulnerability/wordpress-tinysalt-3-10-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49072 – WordPress Mr.
https://notcve.org/view.php?id=CVE-2025-49072
06 Jun 2025 — Deserialization of Untrusted Data vulnerability in AncoraThemes Mr. Murphy allows Object Injection. This issue affects Mr. Murphy: from n/a before 1.2.12.1. • https://patchstack.com/database/wordpress/theme/mr-murphy/vulnerability/wordpress-mr-murphy-1-2-12-1-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-5486 – WP Email Debug 1.0 - 1.1.0 - Missing Authorization to Unauthenticated Privilege Escalation via Password Reset
https://notcve.org/view.php?id=CVE-2025-5486
05 Jun 2025 — The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. • https://www.wordfence.com/threat-intel/vulnerabilities/id/d3af64a2-3bd6-47af-919e-00c5249dcc74?source=cve • CWE-862: Missing Authorization •

CVE-2025-31022 – WordPress PayU India plugin <= 3.8.5 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-31022
05 Jun 2025 — The PayU CommercePro Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.8.7. • https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-5701 – HyperComments <= 1.2.2 - Unauthenticated (Subscriber+) Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2025-5701
04 Jun 2025 — The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://packetstorm.news/files/id/200686 • CWE-862: Missing Authorization •

CVE-2025-31429 – WordPress PressGrid - Frontend Publish Reaction & Multimedia Theme <= 1.3.1 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-31429
04 Jun 2025 — The PressGrid theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.1 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/press-grid/vulnerability/wordpress-pressgrid-frontend-publish-reaction-multimedia-theme-1-3-1-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •