
CVE-2025-39538 – WordPress WP-Advanced-Search <= 3.3.9.3 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-39538
16 Apr 2025 — The WordPress WP-Advanced-Search plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress WP-Advanced-Search plugin versions 3.3.9.3 and below suffer from a remote shell upload vulnerabilit... • https://patchstack.com/database/wordpress/plugin/wp-advanced-search/vulnerability/wordpress-wp-advanced-search-3-3-9-3-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-39557 – WordPress Kadence WooCommerce Email Designer plugin <= 1.5.14 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-39557
16 Apr 2025 — The Kadence WooCommerce Email Designer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.5.14. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/kadence-woocommerce-email-designer/vulnerability/wordpress-kadence-woocommerce-email-designer-plugin-1-5-14-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-39601 – WordPress Custom CSS, JS & PHP plugin <= 2.4.1 - CSRF to RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-39601
16 Apr 2025 — The Custom CSS, JS & PHP plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.1. ... WordPress Custom CSS, JS and PHP versions 2.4.1 and below suffer from a cross-site request forgery vulnerability that leads to remote code execution. • https://patchstack.com/database/wordpress/plugin/custom-css/vulnerability/wordpress-custom-css-js-php-plugin-2-4-1-csrf-to-rce-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)

CVE-2025-32583 – WordPress PDF 2 Post Plugin <= 2.4.0 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-32583
15 Apr 2025 — The PDF 2 Post plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.4.0. ... WordPress PDF 2 Post plugin versions 2.4.0 and below suffer from a remote shell upload vulnerability via a zip file. • https://patchstack.com/database/wordpress/plugin/pdf2post/vulnerability/wordpress-pdf-2-post-plugin-2-4-0-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-32596 – WordPress Real Estate Manager plugin <= 7.3 - Arbitrary Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-32596
15 Apr 2025 — The Real Estate Manager – Property Listing and Agent Management plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.3. • https://patchstack.com/database/wordpress/plugin/real-estate-manager/vulnerability/wordpress-real-estate-manager-plugin-7-3-arbitrary-code-execution-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-32682 – WordPress MapSVG Lite plugin <= 8.5.34 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-32682
15 Apr 2025 — The MapSVG – Vector maps, Image maps, Google Maps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 8.5.34. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. WordPress MapSVG Lite plugin versions 8.5.34 and below suffer from a remote shell upload vulnerability... • https://patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-lite-plugin-8-5-32-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-32660 – WordPress JS Job Manager plugin <= 2.0.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-32660
14 Apr 2025 — The JS Job Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.0.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/js-jobs/vulnerability/wordpress-js-job-manager-plugin-2-0-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-26872 – WordPress Eximius theme <= 2.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-26872
14 Apr 2025 — The Eximius theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/theme/eximius/vulnerability/wordpress-eximius-theme-2-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-26892 – WordPress Celestial Aura plugin <= 2.2 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-26892
14 Apr 2025 — The Celestial Aura theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/theme/celestial-aura/vulnerability/wordpress-celestial-aura-plugin-2-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-30967 – WordPress WPJobBoard plugin < 5.11.1 - CSRF to Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2025-30967
10 Apr 2025 — The WPJobBoard plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 5.11.1. ... This makes it possible for unauthenticated attackers to execute arbitrary code via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. • https://patchstack.com/database/wordpress/plugin/wpjobboard/vulnerability/wordpress-wpjobboard-plugin-5-11-1-csrf-to-remote-code-execution-rce-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)