
CVE-2024-11617 – Envolve Plugin <= 1.0 - Unauthenticated Arbitrary File Upload via language_file and fonts_file
https://notcve.org/view.php?id=CVE-2024-11617
08 May 2025 — The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. • https://themeforest.net/item/envolve-consulting-business-wordpress-theme/28748459 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-47646 – WordPress PSW Front-end Login & Registration <= 1.13 - Broken Authentication Vulnerability
https://notcve.org/view.php?id=CVE-2025-47646
08 May 2025 — The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.12. ... WordPress PSW Front-end Login Registration plugin versions 1.12 and below suffer from a vulnerability that allows an unauthenticated attacker to register new user accounts via an exposed AJAX action without proper validation or restrictions. • https://patchstack.com/database/wordpress/plugin/psw-login-and-registration/vulnerability/wordpress-psw-front-end-login-registration-1-12-broken-authentication-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-640: Weak Password Recovery Mechanism for Forgotten Password

CVE-2025-3810 – WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-3810
08 May 2025 — The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. • https://plugins.trac.wordpress.org/changeset/3278939/wpbookit/trunk/core/admin/classes/controllers/class.wpb-profile-controller.php • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2025-3811 – WPBookit <= 1.0.2 - Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update
https://notcve.org/view.php?id=CVE-2025-3811
08 May 2025 — The WPBookit plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.2. • https://plugins.trac.wordpress.org/changeset/3278939/wpbookit/trunk/core/admin/classes/controllers/class.wpb-customer-controller.php • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2025-3605 – Frontend Login and Registration Blocks <= 1.0.7 - Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-3605
08 May 2025 — The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. ... WordPress Frontend Login and Registration Blocks plugin versions 1.0.7 and below suffer from a privilege escalation vulnerability. • https://packetstorm.news/files/id/191747 • CWE-639: Authorization Bypass Through User-Controlled Key

CVE-2025-47532 – WordPress CoinPayments.net Payment Gateway for WooCommerce <= 1.0.17 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-47532
07 May 2025 — The CoinPayments.net Payment Gateway for WooCommerce plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.0.17 via deserialization of untrusted input via the 'custom' parameter. • https://patchstack.com/database/wordpress/plugin/coinpayments-payment-gateway-for-woocommerce/vulnerability/wordpress-coinpayments-net-payment-gateway-for-woocommerce-1-0-17-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data

CVE-2025-47539 – WordPress Eventin <= 4.0.26 - Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2025-47539
07 May 2025 — The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the import_items() function in all versions up to, and including, 4.0.26. ... WordPress Eventin plugin versions 4.0.26 and below suffer from an unauthenticated privilege escalation vulnerability due to a missing authorization check in the import_items() function. • https://patchstack.com/database/wordpress/plugin/wp-event-solution/vulnerability/wordpress-eventin-4-0-26-privilege-escalation-vulnerability? • CWE-266: Incorrect Privilege Assignment • CWE-862: Missing Authorization

CVE-2025-47462 – WordPress Challan plugin <= 3.7.58 - CSRF to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-47462
07 May 2025 — The Challan plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.7.58. • https://patchstack.com/database/wordpress/plugin/webappick-pdf-invoice-for-woocommerce/vulnerability/wordpress-challan-plugin-3-7-58-csrf-to-privilege-escalation-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-4104 – Frontend Dashboard 1.0 - 2.2.6 - Missing Authorization to Unauthenticated Privilege Escalation via fed_wp_ajax_fed_login_form_post Function
https://notcve.org/view.php?id=CVE-2025-4104
06 May 2025 — The Frontend Dashboard plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the fed_wp_ajax_fed_login_form_post() function in versions 1.0 to 2.2.6. • https://wordpress.org/plugins/frontend-dashboard/#developers • CWE-285: Improper Authorization

CVE-2025-3844 – PeproDev Ultimate Profile Solutions 1.9.1 - 7.5.2 - Authentication Bypass to Account Takeover
https://notcve.org/view.php?id=CVE-2025-3844
06 May 2025 — The PeproDev Ultimate Profile Solutions plugin for WordPress is vulnerable to Authentication Bypass in versions 1.9.1 to 7.5.2. • https://plugins.trac.wordpress.org/browser/peprodev-ups/tags/7.5.2/login/login.php#L1483 • CWE-288: Authentication Bypass Using an Alternate Path or Channel