CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-9054 – MultiLoca - WooCommerce Multi Locations Inventory Management <= 4.2.8 - Missing Authorization to Unauthenticated Arbitrary Options Update via 'wcmlim_settings_ajax_handler'
https://notcve.org/view.php?id=CVE-2025-9054
23 Sep 2025 — The MultiLoca - WooCommerce Multi Locations Inventory Management plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'wcmlim_settings_ajax_handler' function in all versions up to, and including, 4.2.8. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://codecanyon.net/item/woocommerce-multi-locations-inventory-management/28949586#item-description__changelog • CWE-862: Missing Authorization •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-60214 – WordPress Goldenblatt theme <= 1.2.1 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-60214
23 Sep 2025 — The Goldenblatt theme for WordPress is vulnerable to PHP Object Injection in versions up to 1.3.0 via deserialization of untrusted input. • https://vdp.patchstack.com/database/Wordpress/Theme/goldenblatt/vulnerability/wordpress-goldenblatt-theme-1-2-1-php-object-injection-vulnerability • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-58013 – WordPress CouponXxL Theme <= 4.5.0 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58013
22 Sep 2025 — The CouponXxL theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.5.0. • https://patchstack.com/database/wordpress/theme/couponxxl/vulnerability/wordpress-couponxxl-theme-4-5-0-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-58244 – WordPress Constructo Theme <= 4.3.9 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58244
22 Sep 2025 — The Constructo theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.3.9. • https://patchstack.com/database/wordpress/theme/constructo/vulnerability/wordpress-constructo-theme-4-3-9-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-58250 – WordPress Findgo Theme <= 1.3.55 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58250
22 Sep 2025 — The Findgo theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.3.55. • https://patchstack.com/database/wordpress/theme/fingo/vulnerability/wordpress-findgo-theme-1-3-55-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-58255 – WordPress Custom Post Type Images Plugin <= 0.5 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58255
22 Sep 2025 — The Custom Post Type Images plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 0.5. • https://patchstack.com/database/wordpress/plugin/custom-post-types-image/vulnerability/wordpress-custom-post-type-images-plugin-0-5-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-59572 – WordPress WorkScout-Core Plugin < 1.7.06 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-59572
22 Sep 2025 — The Workscout Core plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 1.7.06 (exclusive). • https://patchstack.com/database/wordpress/plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-10147 – Podlove Podcast Publisher <= 4.2.6 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-10147
22 Sep 2025 — The Podlove Podcast Publisher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'move_as_original_file' function in all versions up to, and including, 4.2.6. • https://plugins.trac.wordpress.org/browser/podlove-podcasting-plugin-for-wordpress/tags/4.2.6/lib/model/image.php#L465 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-9321 – WPCasa <= 1.4.1 - Unauthenticated Code Injection
https://notcve.org/view.php?id=CVE-2025-9321
22 Sep 2025 — The WPCasa plugin for WordPress is vulnerable to Code Injection in all versions up to, and including, 1.4.1. • https://plugins.trac.wordpress.org/browser/wpcasa/trunk/includes/class-wpsight-api.php#L48 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0 | CVE-2025-10412 – Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) <= 4.9.54 - Unauthenticated Arbitrary File Upload via 'uni_cpo_upload_file'
https://notcve.org/view.php?id=CVE-2025-10412
22 Sep 2025 — The Product Options and Price Calculation Formulas for WooCommerce – Uni CPO (Premium) plugin for WordPress is vulnerable to arbitrary file uploads due to misconfigured file type validation in the 'uni_cpo_upload_file' function in all versions up to, and including, 4.9.54. • https://builderius.io/cpo • CWE-434: Unrestricted Upload of File with Dangerous Type •
