CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-3054 – WP User Frontend Pro <= 4.1.3 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-3054
04 Jun 2025 — The WP User Frontend Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload_files() function in all versions up to, and including, 4.1.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. ... El complemento WP User Frontend Pro para WordPress es vulnerable a la carga de archivos arbitr... • https://github.com/frogchung/CVE-2025-3054-Exploit • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2025-47511 – WordPress Welcart e-Commerce <= 2.11.13 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-47511
03 Jun 2025 — The Welcart e-Commerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in a function in all versions up to, and including, 2.11.13. This makes it possible for authenticated attackers, with Editor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/usc-e-shop/vulnerability/wordpress-welcart-e-commerce-2-11-13-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-2939 – Ninja Tables – Easy Data Table Builder <= 5.0.18 - Unauthenticated PHP Object Injection to Limited Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-2939
02 Jun 2025 — The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 5.0.18 via deserialization of untrusted input from the args[callback] parameter . • https://plugins.trac.wordpress.org/browser/ninja-tables/tags/5.0.18/vendor/wpfluent/framework/src/WPFluent/Http/Client.php#L399 • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48267 – WordPress WP Pipes plugin <= 1.4.2 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-48267
30 May 2025 — The WP Pipes plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the delete_template() function in all versions up to, and including, 1.4.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/wordpress/plugin/wp-pipes/vulnerability/wordpress-wp-pipes-1-4-2-arbitrary-file-deletion-vulnerability? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32291 – WordPress SUMO Affiliates Pro <= 10.7.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-32291
30 May 2025 — The SUMO Affiliates Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 10.7.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/affs/vulnerability/wordpress-sumo-affiliates-pro-10-7-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-4800 – MasterStudy LMS Pro <= 4.7.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4800
27 May 2025 — The MasterStudy LMS Pro plugin for WordPress is vulnerable to arbitrary file uploads due to a missing file type validation in the stm_lms_add_assignment_attachment function in all versions up to, and including, 4.7.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://stylemixthemes.com/wordpress-lms-plugin • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2025-5058 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image()
https://notcve.org/view.php?id=CVE-2025-5058
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/d0n601/CVE-2025-5058 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 1CVE-2025-4603 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-4603
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://github.com/d0n601/CVE-2025-4603 • CWE-73: External Control of File Name or Path •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-4336 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_file()
https://notcve.org/view.php?id=CVE-2025-4336
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_file() function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/d0n601/CVE-2025-4336 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-48140 – WordPress MetalpriceAPI <= 1.1.4 - Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-48140
22 May 2025 — The MetalpriceAPI plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1.4. • https://patchstack.com/database/wordpress/plugin/metalpriceapi/vulnerability/wordpress-metalpriceapi-1-1-4-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection') •