
CVE-2025-1687 – Cardealer <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile
https://notcve.org/view.php?id=CVE-2025-1687
27 Feb 2025 — The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. • https://themeforest.net/item/car-dealer-automotive-wordpress-theme-responsive/8574708 • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-26936 – WordPress Fresh Framework plugin <= 1.70.0 - Unauthenticated Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-26936
24 Feb 2025 — The Fresh Framework plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.70.0. • https://patchstack.com/database/wordpress/plugin/fresh-framework/vulnerability/wordpress-fresh-framework-plugin-1-70-0-unauthenticated-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-26966 – WordPress PrivateContent plugin <= 8.11.5 - Unauthenticated Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-26966
24 Feb 2025 — The Private Content plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 8.11.5. • https://patchstack.com/database/wordpress/plugin/private-content/vulnerability/wordpress-privatecontent-plugin-8-11-5-unauthenticated-account-takeover-vulnerability? • CWE-269: Improper Privilege Management • CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVE-2025-26970 – WordPress Ark Theme Core plugin <= 1.70.0 - Unauthenticated Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-26970
24 Feb 2025 — The ark-core plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.70.0. • https://patchstack.com/database/wordpress/plugin/ark-core/vulnerability/wordpress-ark-theme-core-plugin-1-70-0-unauthenticated-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-27276 – WordPress Photo Gallery ( Responsive ) plugin <= 4.0 - CSRF to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-27276
24 Feb 2025 — The Photo Gallery ( Responsive ) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.0. • https://patchstack.com/database/wordpress/plugin/photo-gallery-pearlbells/vulnerability/wordpress-photo-gallery-responsive-plugin-4-0-csrf-to-privilege-escalation-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-26900 – WordPress Flexmls® IDX Plugin Plugin <= 3.14.27 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-26900
22 Feb 2025 — The Flexmls® IDX plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 3.14.27 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/flexmls-idx/vulnerability/wordpress-flexmls-idx-plugin-plugin-3-14-27-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data

CVE-2025-27012 – WordPress A1POST.BG Shipping for Woo plugin <= 1.5.1 - CSRF to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-27012
21 Feb 2025 — The A1POST.BG Shipping for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. • https://patchstack.com/database/wordpress/plugin/a1post-bg-shipping-for-woocommerce/vulnerability/wordpress-a1post-bg-shipping-for-woo-plugin-1-5-1-csrf-to-privilege-escalation-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-27270 – WordPress Residential Address Detection Plugin <= 2.5.4 - Arbitrary Option Update to Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2025-27270
21 Feb 2025 — The Residential Address Detection plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on a function in all versions up to, and including, 2.5.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://patchstack.com/database/wordpress/plugin/residential-address-detection/vulnerability/wordpress-residential-address-detection-plugin-2-5-4-arbitrary-option-update-to-privilege-escalation-vulnerability? • CWE-862: Missing Authorization

CVE-2024-13789 – Ravpage <= 2.31 - PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-13789
19 Feb 2025 — The ravpage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.31 via deserialization of untrusted input from the 'paramsv2' parameter. • https://plugins.trac.wordpress.org/browser/ravpage/trunk/ravpage.php#L24 • CWE-502: Deserialization of Untrusted Data

CVE-2025-1441 – Royal Elementor Addons and Templates <= 1.7.1007 - Cross-Site Request Forgery to Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2025-1441
18 Feb 2025 — The Royal Elementor Addons and Templates plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7.1007. • https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1007/classes/modules/wpr-filter-woo-products.php#L1895 • CWE-352: Cross-Site Request Forgery (CSRF)