
CVE-2025-1305 – NewsBlogger <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation
https://notcve.org/view.php?id=CVE-2025-1305
30 Apr 2025 — The NewsBlogger theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.2.5.4. ... This makes it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://themes.trac.wordpress.org/browser/newsblogger/0.2/functions.php#L440 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-3491 – Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-3491
25 Apr 2025 — The Add custom page template plugin for WordPress is vulnerable to PHP Code Injection leading to Remote Code Execution in all versions up to, and including, 2.0.1 via the 'acpt_validate_setting' function. • https://plugins.svn.wordpress.org/add-custom-page-template/trunk/index.php • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-46490 – WordPress Crossword Compiler Puzzles <= 5.2 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-46490
25 Apr 2025 — The Crossword Compiler Puzzles plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/crossword-compiler-puzzles/vulnerability/wordpress-crossword-compiler-puzzles-5-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-13808 – Xpro Elementor Addons - Pro <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-13808
25 Apr 2025 — The Xpro Elementor Addons - Pro plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.4.9 via the custom PHP widget. • https://elementor.wpxpro.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-3914 – Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3914
25 Apr 2025 — The Aeropage Sync for Airtable plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'aeropage_media_downloader' function in all versions up to, and including, 3.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://github.com/LvL23HT/PoC-CVE-2025-3914-Aeropage-WordPress-File-Upload • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-46439 – WordPress Plugin Central plugin <= 2.5.1 - CSRF to Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2025-46439
24 Apr 2025 — The Plugin Central plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.1. ... This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php), provided they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/wordpress/plugin/plugin-central/vulnerability/wordpress-plugin-central-plugin-2-5-1-csrf-to-arbitrary-file-deletion-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-3065 – Database Toolset <= 1.8.4 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-3065
23 Apr 2025 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://wordpress.org/plugins/database-toolset • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-3776 – Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-3776
23 Apr 2025 — The Verification SMS with TargetSMS plugin for WordPress is vulnerable to limited Remote Code Execution in all versions up to, and including, 1.5 via the 'targetvr_ajax_handler' function. ... • https://packetstorm.news/files/id/190651 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-46264 – WordPress PowerPress Podcasting <= 11.12.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-46264
23 Apr 2025 — The PowerPress Podcasting plugin by Blubrry for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 11.12.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/powerpress/vulnerability/wordpress-powerpress-podcasting-11-12-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-39380 – WordPress Hospital Management System plugin <= 47.0(20-11-2023) - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-39380
22 Apr 2025 — The Hospital Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, version 47.0(20-11-2023). This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/hospital-management/vulnerability/wordpress-hospital-management-system-plugin-47-0-20-11-2023-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •