
CVE-2025-2470 – Service Finder Bookings <= 5.1 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input'
https://notcve.org/view.php?id=CVE-2025-2470
24 Apr 2025 — The Service Finder Bookings plugin for WordPress, used by the Service Finder - Directory and Job Board WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 5.1. ... • https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793 • CWE-266: Incorrect Privilege Assignment •

CVE-2025-3604 – Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2025-3604
23 Apr 2025 — The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. ... WordPress Flynax Bridge plugin versions 2.2.0 and below suffer from an unauthenticated privilege escalation vulnerability. • https://packetstorm.news/files/id/190799 • CWE-862: Missing Authorization •

CVE-2025-3603 – Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Password Update
https://notcve.org/view.php?id=CVE-2025-3603
23 Apr 2025 — The Flynax Bridge plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.2.0. ... • https://plugins.trac.wordpress.org/browser/flynax-bridge/trunk/request.php • CWE-620: Unverified Password Change •

CVE-2025-39380 – WordPress Hospital Management System plugin <= 47.0(20-11-2023) - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-39380
22 Apr 2025 — The Hospital Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, version 47.0(20-11-2023). • https://patchstack.com/database/wordpress/plugin/hospital-management/vulnerability/wordpress-hospital-management-system-plugin-47-0-20-11-2023-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-46231 – WordPress affiliate-toolkit <= 3.7.3 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-46231
22 Apr 2025 — The affiliate-toolkit – WP Affiliate Plugin with Amazon plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.7.3. • https://patchstack.com/database/wordpress/plugin/affiliate-toolkit-starter/vulnerability/wordpress-affiliate-toolkit-3-7-3-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-46249 – WordPress Simple calendar for Elementor <= 1.6.4 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-46249
22 Apr 2025 — The Simple calendar for Elementor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.6.4. • https://patchstack.com/database/wordpress/plugin/simple-calendar-for-elementor/vulnerability/wordpress-simple-calendar-for-elementor-1-6-4-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-46251 – WordPress VikRestaurants Table Reservations and Take-Away plugin <= 1.3.3 - CSRF to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-46251
22 Apr 2025 — The VikRestaurants Table Reservations and Take-Away plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.3. • https://patchstack.com/database/wordpress/plugin/vikrestaurants/vulnerability/wordpress-vikrestaurants-table-reservations-and-take-away-plugin-1-3-3-csrf-to-stored-xss-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-39348 – WordPress Grand Restaurant WordPress theme <= 7.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-39348
21 Apr 2025 — Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection. This issue affects Grand Restaurant WordPress: from n/a through 7.0. The Grand Restaurant WordPress theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 7.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/grandrestaurant/vulnerability/wordpress-grand-restaurant-wordpress-theme-7-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-39349 – WordPress CiyaShop theme <= 4.18.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-39349
21 Apr 2025 — The CiyaShop theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.18.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/ciyashop/vulnerability/wordpress-ciyashop-theme-4-18-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-39354 – WordPress Grand Conference theme <= 5.2 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-39354
21 Apr 2025 — The Grand Conference plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 5.2 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/grandconference/vulnerability/wordpress-grand-conference-theme-5-2-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •