CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-53424 – WordPress WooCommerce Orders & Customers Exporter plugin <= 5.4 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-53424
19 Sep 2025 — The WooCommerce Orders & Customers Exporter plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 5.4. • https://vdp.patchstack.com/database/Wordpress/Plugin/woocommerce-orders-ei/vulnerability/wordpress-woocommerce-orders-customers-exporter-plugin-5-4-broken-access-control-vulnerability • CWE-862: Missing Authorization
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-5948 – Service Finder Bookings <= 6.0 - Unauthenticated Privilege Escalation via claim_business
https://notcve.org/view.php?id=CVE-2025-5948
18 Sep 2025 — The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 6.0. • https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793 • CWE-639: Authorization Bypass Through User-Controlled Key
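CWE-639 in a WordPress "claim this listing" flow, as an added illustration of the pattern the entry above names. This is not the Service Finder Bookings code; the action name `demo_claim_business`, the `demo_owner` post meta key, the `demo_listing` post type and the parameter names are assumptions.

```php
<?php
// Added illustration of CWE-639 (authorization bypass through a
// user-controlled key). Not the Service Finder Bookings code; the action,
// meta key, post type and parameter names are assumptions.

// Vulnerable form: the request names the user who ends up owning the listing
// and being logged in. Nothing ties that ID to the caller, and the action is
// registered for anonymous visitors, so anyone can supply user ID 1.
function demo_claim_business_vulnerable() {
    $listing_id = isset( $_POST['listing_id'] ) ? (int) $_POST['listing_id'] : 0;
    $user_id    = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;   // attacker-chosen key

    update_post_meta( $listing_id, 'demo_owner', $user_id );
    wp_set_auth_cookie( $user_id );          // logs this browser in as that user
    wp_send_json( array( 'claimed' => true ) );
}
add_action( 'wp_ajax_nopriv_demo_claim_business', 'demo_claim_business_vulnerable' );
add_action( 'wp_ajax_demo_claim_business', 'demo_claim_business_vulnerable' );

// Hardened form: the principal comes from the session, never from the
// request body; the listing must exist and be unclaimed; the request is
// nonce-checked; and no auth cookie is issued.
function demo_claim_business_hardened() {
    check_ajax_referer( 'demo_claim_business', 'nonce' );
    $user_id = get_current_user_id();                       // server-side identity
    if ( 0 === $user_id ) {
        wp_send_json_error( 'login required', 401 );
    }
    $listing_id = isset( $_POST['listing_id'] ) ? (int) $_POST['listing_id'] : 0;
    $listing    = get_post( $listing_id );
    if ( ! $listing || 'demo_listing' !== $listing->post_type ) {
        wp_send_json_error( 'no such listing', 404 );
    }
    if ( get_post_meta( $listing_id, 'demo_owner', true ) ) {
        wp_send_json_error( 'already claimed', 409 );
    }
    update_post_meta( $listing_id, 'demo_owner', $user_id );
    // No wp_set_auth_cookie(): the caller is already whoever they are.
    wp_send_json_success( array( 'claimed' => true ) );
}
add_action( 'wp_ajax_demo_claim_business_safe', 'demo_claim_business_hardened' );
// Deliberately no wp_ajax_nopriv_ registration for the hardened action.
```

The point to check in any "claim" or "transfer ownership" handler is whether the user ID that ends up with the privilege is read from the request; if it is, the key is attacker-controlled regardless of how the rest of the flow is guarded.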
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-58963 – WordPress Medcity theme < 1.1.9 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-58963
17 Sep 2025 — The Medcity - Health & Medical WordPress Theme is vulnerable to arbitrary file uploads due to missing file type validation in all versions before 1.1.9. • https://vdp.patchstack.com/database/Wordpress/Theme/medcity/vulnerability/wordpress-medcity-theme-1-1-9-arbitrary-file-upload-vulnerability • CWE-434: Unrestricted Upload of File with Dangerous Type
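What "missing file type validation" looks like in a WordPress theme upload handler, and what the WordPress-native fix is, as an added illustration that is not the Medcity theme's code. The action name `demo_upload`, the `file` field and the allowed-type list are assumptions.

```php
<?php
// Added illustration of CWE-434 in a theme's AJAX upload handler. Not the
// Medcity theme's code; the action name, field name and MIME list are
// assumptions.

// Vulnerable form: the file keeps whatever name and extension the client
// sent and is written under the web root, so an uploaded .php file is
// executed by the next GET request to its URL.
function demo_upload_vulnerable() {
    $dir  = wp_upload_dir();
    $name = basename( $_FILES['file']['name'] );            // client-controlled, e.g. shell.php
    $dest = trailingslashit( $dir['path'] ) . $name;
    move_uploaded_file( $_FILES['file']['tmp_name'], $dest );
    wp_send_json( array( 'url' => trailingslashit( $dir['url'] ) . $name ) );
}
add_action( 'wp_ajax_nopriv_demo_upload', 'demo_upload_vulnerable' );
add_action( 'wp_ajax_demo_upload', 'demo_upload_vulnerable' );

// Hardened form: nonce and capability first, then wp_check_filetype_and_ext()
// (extension against the allow-list and, for images, against the file's
// actual content), then wp_handle_upload() with the same narrowed 'mimes'
// list so the file is renamed and stored by core rather than by this code.
function demo_upload_hardened() {
    check_ajax_referer( 'demo_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_demo_upload_safe', 'demo_upload_hardened' );
```

Passing `'mimes'` to `wp_handle_upload()` is what keeps the site-wide allow-list (which an administrator or another plugin may have widened) from deciding what this one feature accepts.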
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-58619 – WordPress Falang multilanguage Plugin <= 1.3.65 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-58619
16 Sep 2025 — The Falang multilanguage plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.65 via deserialization of untrusted input. • https://vdp.patchstack.com/database/Wordpress/Plugin/falang/vulnerability/wordpress-falang-multilanguage-plugin-1-3-65-php-object-injection-vulnerability • CWE-502: Deserialization of Untrusted Data
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-58967 – WordPress Businext theme < 2.4.4 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-58967
15 Sep 2025 — The Businext theme for WordPress is vulnerable to Local File Inclusion in all versions before 2.4.4. • https://vdp.patchstack.com/database/Wordpress/Theme/businext/vulnerability/wordpress-businext-theme-2-4-4-local-file-inclusion-vulnerability • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2025-9697 – Ajax WooSearch <= 1.0.0 - Unauthenticated SQL Injection
https://notcve.org/view.php?id=CVE-2025-9697
11 Sep 2025 — The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. The Ajax WooSearch plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 1.0.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://wpscan.com/vulnerability/38939152-e54e-4f8f-996b-592de195570d • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
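What "lack of sufficient preparation on the existing SQL query" in an unauthenticated AJAX action looks like in WordPress, beside the prepared form, as an added illustration that is not the Ajax WooSearch plugin's code. The action name `demo_woosearch`, the `term` parameter and the query shape are assumptions; the `wp_ajax_nopriv_` hook is what makes the handler reachable without an account.

```php
<?php
// Added illustration of CWE-89 in a WordPress AJAX product search. Not the
// Ajax WooSearch plugin's code; action name, parameter and query are
// assumptions.

// Vulnerable form: the user-supplied term is interpolated into the SQL text.
// A single quote in the term ends the string literal and whatever follows is
// parsed as SQL. wp_ajax_nopriv_ registers the action for visitors who are
// not logged in, so no account is needed to reach it.
function demo_woosearch_vulnerable() {
    global $wpdb;
    $term = isset( $_POST['term'] ) ? wp_unslash( $_POST['term'] ) : '';

    $sql = "SELECT ID, post_title FROM {$wpdb->posts}
            WHERE post_type = 'product' AND post_status = 'publish'
            AND post_title LIKE '%{$term}%' LIMIT 10";
    wp_send_json( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_nopriv_demo_woosearch', 'demo_woosearch_vulnerable' );
add_action( 'wp_ajax_demo_woosearch', 'demo_woosearch_vulnerable' );

// Hardened form: the value goes through $wpdb->prepare() as a %s placeholder,
// and LIKE metacharacters are escaped with $wpdb->esc_like() so a term
// cannot widen the match with % or _. Public search is legitimate, so the
// fix is preparation, not authentication.
function demo_woosearch_hardened() {
    global $wpdb;
    $term = isset( $_POST['term'] ) ? sanitize_text_field( wp_unslash( $_POST['term'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 100 ) {
        wp_send_json_error( 'invalid term', 400 );
    }

    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'product' AND post_status = 'publish'
         AND post_title LIKE %s LIMIT 10",
        $like
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_nopriv_demo_woosearch_safe', 'demo_woosearch_hardened' );
add_action( 'wp_ajax_demo_woosearch_safe', 'demo_woosearch_hardened' );
```

`sanitize_text_field()` alone is not a SQL control; it strips tags and control characters but leaves quotes in place, which is why the placeholder in `prepare()` is the part that matters.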
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1 • CVE-2025-8570 – BeyondCart Connector <= 2.1.0 - Missing Configuration of JWT Secret to Unauthenticated Privilege Escalation via determine_current_user Filter
https://notcve.org/view.php?id=CVE-2025-8570
10 Sep 2025 — The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 2.1.0. ... The BeyondCart Connector plugin for WordPress is vulnerable to Privilege Escalation due to improper JWT secret management and authorization within the determine_current_user filter in versions 1.4.2 through 3.0.1. ... The BeyondCart Connector plugin for WordPress, in versi... • https://wordpress.org/plugins/beyondcart/#developers • CWE-798: Use of Hard-coded Credentials
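How a `determine_current_user` filter that trusts a bearer JWT turns an unconfigured or hard-coded secret into unauthenticated privilege escalation, with a hardened version beside it. This is an added illustration, not the BeyondCart Connector's code; the option name `demo_jwt_secret`, the fallback value, the claim names and the minimal HS256 verifier are assumptions.

```php
<?php
// Added illustration of CWE-798 in a determine_current_user filter. Not the
// BeyondCart Connector's code; option name, fallback secret, claim names and
// the verifier below are assumptions.

function demo_b64url_decode( $s ) {
    $pad = strlen( $s ) % 4;
    if ( $pad ) {
        $s .= str_repeat( '=', 4 - $pad );
    }
    return base64_decode( strtr( $s, '-_', '+/' ), true );
}

// Verify an HS256 token and return its claims, or null on any failure.
function demo_jwt_verify( $token, $secret ) {
    if ( '' === $secret ) {
        return null;                                   // never verify against an empty key
    }
    $parts = explode( '.', $token );
    if ( 3 !== count( $parts ) ) {
        return null;
    }
    list( $h, $p, $s ) = $parts;
    $header = json_decode( demo_b64url_decode( $h ), true );
    $claims = json_decode( demo_b64url_decode( $p ), true );
    $sig    = demo_b64url_decode( $s );
    if ( ! is_array( $header ) || ! is_array( $claims ) || false === $sig ) {
        return null;
    }
    if ( ! isset( $header['alg'] ) || 'HS256' !== $header['alg'] ) {
        return null;                                   // pin the algorithm; "none" is rejected
    }
    $expected = hash_hmac( 'sha256', $h . '.' . $p, $secret, true );
    if ( ! hash_equals( $expected, $sig ) ) {
        return null;                                   // constant-time comparison
    }
    if ( ! isset( $claims['exp'] ) || time() >= (int) $claims['exp'] ) {
        return null;
    }
    return $claims;
}

function demo_bearer_token() {
    $auth = isset( $_SERVER['HTTP_AUTHORIZATION'] ) ? $_SERVER['HTTP_AUTHORIZATION'] : '';
    return ( 0 === stripos( $auth, 'Bearer ' ) ) ? trim( substr( $auth, 7 ) ) : '';
}

// Vulnerable filter: when the site owner never set a secret, a value baked
// into the plugin is used instead. Anyone who reads the plugin source can
// mint a token with {"sub":1} and be treated as the first administrator on
// every site that left the option empty.
function demo_determine_user_vulnerable( $user_id ) {
    $token = demo_bearer_token();
    if ( '' === $token ) {
        return $user_id;
    }
    $secret = get_option( 'demo_jwt_secret', 'changeme' );        // hard-coded fallback (CWE-798)
    $claims = demo_jwt_verify( $token, $secret );
    return ( $claims && isset( $claims['sub'] ) ) ? (int) $claims['sub'] : $user_id;
}

// Hardened filter: no configured secret means no token authentication at
// all, a short secret is treated as unconfigured, and the subject must
// resolve to an existing user.
function demo_determine_user_hardened( $user_id ) {
    $token = demo_bearer_token();
    if ( '' === $token ) {
        return $user_id;
    }
    $secret = (string) get_option( 'demo_jwt_secret', '' );
    if ( strlen( $secret ) < 32 ) {
        return $user_id;                               // leave the request unauthenticated
    }
    $claims = demo_jwt_verify( $token, $secret );
    if ( ! $claims || empty( $claims['sub'] ) ) {
        return $user_id;
    }
    $user = get_user_by( 'id', (int) $claims['sub'] );
    return $user ? $user->ID : $user_id;
}
add_filter( 'determine_current_user', 'demo_determine_user_hardened', 20 );
```

Two things to look for when reviewing a plugin that hooks `determine_current_user`: what the code does when its secret option is empty, and whether the algorithm in the token header is pinned rather than trusted.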
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-58997 – WordPress Mow Theme <= 4.10 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-58997
09 Sep 2025 — The Mow theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.10. • https://patchstack.com/database/wordpress/theme/mow/vulnerability/wordpress-mow-theme-4-10-cross-site-request-forgery-csrf-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF)
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-10690 – Goza - Nonprofit Charity WordPress Theme <= 3.2.2 - Missing Authorization to Unauthenticated Arbitrary File Upload via Plugin Installation
https://notcve.org/view.php?id=CVE-2025-10690
08 Sep 2025 — The Goza - Nonprofit Charity WordPress Theme is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. • https://themeforest.net/item/goza-nonprofit-charity-wordpress-theme/23781575 • CWE-862: Missing Authorization
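The missing capability check behind the WooCommerce Orders & Customers Exporter and Goza entries and the missing nonce check behind the Mow entry are, in WordPress terms, two checks at the top of an admin-ajax handler. The following is an added illustration of both, on a handler that installs a plugin from a caller-supplied source; it is not code from any of those three packages, and the action name `demo_install_plugin` and the parameter names are assumptions.

```php
<?php
// Added illustration of CWE-862 (no capability check) and CWE-352 (no nonce
// check) in an admin-ajax action that installs a plugin. Not code from the
// Orders & Customers Exporter, Mow or Goza packages; action and parameter
// names are assumptions.

// Vulnerable form. Two independent problems:
//  1. wp_ajax_nopriv_ exposes the action to visitors with no account, and
//     nothing asks whether the caller may install plugins (CWE-862). Since
//     the source is a URL the caller chose, this is an arbitrary file upload.
//  2. Even for a logged-in administrator no nonce is checked, so a page the
//     administrator visits elsewhere can submit this request for them (CWE-352).
function demo_install_plugin_vulnerable() {
    include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    include_once ABSPATH . 'wp-admin/includes/file.php';

    $source   = isset( $_POST['source'] ) ? $_POST['source'] : '';    // attacker-chosen URL
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $source );                         // fetches and unpacks a zip
    wp_send_json( array( 'installed' => $result ) );
}
add_action( 'wp_ajax_demo_install_plugin', 'demo_install_plugin_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_install_plugin', 'demo_install_plugin_vulnerable' );

// Hardened form: nonce check, capability check, no anonymous registration,
// and the package resolved from a wordpress.org slug rather than a URL.
function demo_install_plugin_hardened() {
    check_ajax_referer( 'demo_install_plugin', 'nonce' );            // dies on a missing/bad nonce
    if ( ! current_user_can( 'install_plugins' ) ) {                 // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    include_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    include_once ABSPATH . 'wp-admin/includes/file.php';

    $slug = isset( $_POST['slug'] ) ? sanitize_key( $_POST['slug'] ) : '';
    $api  = plugins_api(
        'plugin_information',
        array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
    );
    if ( is_wp_error( $api ) || empty( $api->download_link ) ) {
        wp_send_json_error( 'unknown plugin', 400 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    wp_send_json_success( array( 'installed' => true === $result ) );
}
add_action( 'wp_ajax_demo_install_plugin_safe', 'demo_install_plugin_hardened' );
// No wp_ajax_nopriv_ registration: the action does not exist for anonymous callers.

// The page that issues the request embeds the matching nonce, for example:
//   wp_nonce_field( 'demo_install_plugin', 'nonce' );
```

The two checks are not interchangeable: a nonce proves the request came from a page this site rendered for this user, and `current_user_can()` proves the user is allowed to do the thing. A handler with only one of them is still reported, as the entries above show.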
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-60213 – WordPress Scape theme <= 1.5.13 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-60213
07 Sep 2025 — The Scape theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5.13 via deserialization of untrusted input. • https://vdp.patchstack.com/database/Wordpress/Theme/scape/vulnerability/wordpress-scape-theme-1-5-13-php-object-injection-vulnerability • CWE-502: Deserialization of Untrusted Data
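"Deserialization of untrusted input", as reported for both the Falang plugin and the Scape theme above, almost always means a request value reaching `unserialize()`. The following is an added illustration of the pattern and its two fixes; it is not code from either package, and the `demo_settings` cookie, the expected keys and the `Demo_Log_Writer` gadget class are hypothetical.

```php
<?php
// Added illustration of CWE-502 in a WordPress plugin or theme. Not code
// from Falang or Scape; cookie name, keys and the gadget class are
// hypothetical.

// A class with a side-effectful destructor. Classes like this exist in many
// plugins and vendored libraries; an attacker only needs one that is loaded.
class Demo_Log_Writer {
    public $path;
    public $data;
    public function __destruct() {
        file_put_contents( $this->path, $this->data );   // writes wherever $path says
    }
}

// Vulnerable form: a user-controlled string is fed to unserialize(), so the
// request decides which class is instantiated and with what properties.
// A cookie of the form
//   O:15:"Demo_Log_Writer":2:{s:4:"path";s:...;s:4:"data";s:...;}
// creates the object above; its destructor runs when the request ends.
function demo_load_settings_vulnerable() {
    $blob = isset( $_COOKIE['demo_settings'] ) ? wp_unslash( $_COOKIE['demo_settings'] ) : '';
    if ( '' === $blob ) {
        return array();
    }
    return unserialize( $blob );
}

// Hardened form A: keep the wire format but refuse every object. Any O:
// entry becomes __PHP_Incomplete_Class, which has no magic methods to run.
function demo_load_settings_no_objects() {
    $blob = isset( $_COOKIE['demo_settings'] ) ? wp_unslash( $_COOKIE['demo_settings'] ) : '';
    if ( '' === $blob ) {
        return array();
    }
    $settings = unserialize( $blob, array( 'allowed_classes' => false ) );   // PHP >= 7.0
    return is_array( $settings ) ? $settings : array();
}

// Hardened form B (preferred): a format that cannot express objects at all,
// plus an allow-list of the keys this feature actually reads.
function demo_load_settings_json() {
    $blob     = isset( $_COOKIE['demo_settings'] ) ? wp_unslash( $_COOKIE['demo_settings'] ) : '';
    $settings = json_decode( $blob, true );
    if ( ! is_array( $settings ) ) {
        return array();
    }
    $out = array();
    foreach ( array( 'lang', 'per_page' ) as $key ) {
        if ( isset( $settings[ $key ] ) && is_scalar( $settings[ $key ] ) ) {
            $out[ $key ] = sanitize_text_field( (string) $settings[ $key ] );
        }
    }
    return $out;
}
```

When auditing, grep for `unserialize(` and trace each argument back to its source; cookies, query strings, POST bodies, options that any user role can write, and uploaded files are all untrusted for this purpose.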
