
CVE-2024-12860 – CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover
https://notcve.org/view.php?id=CVE-2024-12860
17 Feb 2025 — The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. • https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539 • CWE-620: Unverified Password Change •
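CWE-620 (Unverified Password Change) describes a reset flow that sets a new password without first proving the requester owns the account. The block below is an added illustration, not code from the CarSpot theme: a front-end AJAX handler written the way the weakness is described, beside the WordPress-native way to do it. The hook name, field names and function names are hypothetical.

```php
<?php
// Added example (not CarSpot theme code). Action and field names are hypothetical.

// --- Vulnerable: the only thing the request has to know is a login name.
// Anyone who knows (or guesses) "admin" can set that account's password,
// which is exactly an unauthenticated account takeover.
function example_reset_vulnerable() {
    $user = get_user_by( 'login', $_POST['user_login'] );
    if ( $user ) {
        wp_set_password( $_POST['new_password'], $user->ID );
    }
    wp_send_json_success();
}

// --- Hardened: the request must carry the one-time key that was e-mailed to
// the account owner, and that key is verified before anything changes.
function example_reset_hardened() {
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ) ) : '';
    $key   = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $pass  = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    // check_password_reset_key() compares the key against the stored hash and
    // its expiry; it returns WP_Error on any mismatch or expired key.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'Invalid or expired reset key', 403 );
    }
    if ( strlen( $pass ) < 12 ) {
        wp_send_json_error( 'Password too short', 400 );
    }
    // reset_password() stores the new password, invalidates the reset key and
    // fires the usual after_password_reset hooks.
    reset_password( $user, $pass );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_reset', 'example_reset_hardened' );

// Issuing the key goes through get_password_reset_key(), which stores a hashed,
// time-limited token; the plain token is only ever mailed to the account's
// address and never returned to the requester.
function example_request_reset( $login ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return true; // Same response either way: do not reveal which logins exist.
    }
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        return false;
    }
    $url = network_site_url(
        'wp-login.php?action=rp&key=' . rawurlencode( $key ) . '&login=' . rawurlencode( $user->user_login ),
        'login'
    );
    return wp_mail( $user->user_email, 'Password reset', 'Reset link: ' . $url );
}
```

The property to check in any custom reset handler is that the password write is unreachable without a secret that was delivered to the account owner out of band; a login name, e-mail address or user ID on its own is public information, not proof of ownership.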

CVE-2024-13852 – Option Editor <= 1.0 - Cross-Site Request Forgery to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2024-13852
17 Feb 2025 — The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. ... This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. • https://wordpress.org/plugins/option-editor/#developers • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2024-13725 – Keap Official Opt-in Forms <= 2.0.1 - Unauthenticated Limited Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-13725
17 Feb 2025 — The Keap Official Opt-in Forms plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.1 via the service parameter. • https://wordpress.org/plugins/infusionsoft-official-opt-in-forms • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
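The advisory attributes the inclusion to a request parameter (`service`) being used to pick a file. As an added example, not code from the Keap Official Opt-in Forms plugin, here is the "load a sub-template named by a request parameter" pattern that produces this bug, beside one safe rewrite. The directory layout, file names and function names are hypothetical.

```php
<?php
// Added example, not the plugin's own code. File layout and names are hypothetical.

// --- Vulnerable pattern. A request such as
//   ?service=../../../../wp-config
// walks out of the intended directory. A fixed ".php" suffix restricts what
// can be reached to PHP files, which is the usual reason such a finding is
// described as "limited" LFI; without the suffix any readable file is exposed.
function example_load_service_vulnerable() {
    $service = isset( $_GET['service'] ) ? $_GET['service'] : 'default';
    include plugin_dir_path( __FILE__ ) . 'services/' . $service . '.php';
}

// --- Hardened pattern: the request selects a key, never a path.
function example_load_service_hardened() {
    $services = array(
        'default'  => 'services/default.php',
        'optin'    => 'services/optin.php',
        'tracking' => 'services/tracking.php',
    );
    $key = isset( $_GET['service'] ) ? sanitize_key( wp_unslash( $_GET['service'] ) ) : 'default';
    if ( ! isset( $services[ $key ] ) ) {
        $key = 'default';
    }
    $base = plugin_dir_path( __FILE__ );
    $file = realpath( $base . $services[ $key ] );
    // Belt and braces: even with the allowlist, confirm the resolved path is
    // inside the plugin directory before including it.
    if ( false === $file || 0 !== strpos( $file, realpath( $base ) ) ) {
        return;
    }
    include $file;
}
```

The allowlist is the real fix; the `realpath()` prefix check only guards against a future edit that lets a path fragment back into the map.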

CVE-2024-13315 – Shopwarden – Automated WooCommerce monitoring & testing <= 1.0.11 - Cross-Site Request Forgery to Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2024-13315
17 Feb 2025 — The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. • https://plugins.trac.wordpress.org/browser/shopwarden/trunk/shopwarden.php#L112 • CWE-352: Cross-Site Request Forgery (CSRF) •
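Both this entry and the Option Editor entry above describe the same shape of bug: an option-update handler that any logged-in administrator can be made to trigger from a third-party page because the request is not bound to a nonce. The following is an added example, not code from either plugin, showing a minimal `admin_post` handler the way the advisories describe it and then hardened. The hook name, option names and form field names are hypothetical.

```php
<?php
// Added example (not Option Editor or Shopwarden code). Names are hypothetical.

// --- Vulnerable pattern: any POST to admin-post.php?action=example_save_option
// is honoured. An administrator who lands on an attacker's page with an
// auto-submitting form updates whatever option the form names, for instance
// default_role => administrator or users_can_register => 1.
function example_save_option_vulnerable() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}

// --- Hardened pattern.
function example_save_option_hardened() {
    // 1. Capability: only users allowed to manage options may reach this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // 2. CSRF: the request must carry a nonce bound to this action and to the
    //    current user's session; check_admin_referer() dies on failure.
    check_admin_referer( 'example_save_option', '_example_nonce' );

    // 3. Never let the request choose the option name: fixed allowlist.
    $allowed = array( 'example_plugin_color', 'example_plugin_limit' );
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_die( 'Unknown option', '', array( 'response' => 400 ) );
    }
    // 4. Sanitize the value according to the option's type.
    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = ( 'example_plugin_limit' === $name ) ? absint( $raw ) : sanitize_text_field( $raw );

    update_option( $name, $value );
    wp_safe_redirect( admin_url( 'options-general.php?page=example-plugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_example_save_option', 'example_save_option_hardened' );

// The settings form must embed the matching nonce field.
function example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_option">';
    wp_nonce_field( 'example_save_option', '_example_nonce' );
    echo '<input type="hidden" name="option_name" value="example_plugin_limit">';
    echo '<input type="number" name="option_value" value="' . esc_attr( get_option( 'example_plugin_limit', 10 ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

Two checks matter when auditing a handler like this: the nonce check alone is not authorization (a subscriber with a valid nonce for their own session would still pass it), and the capability check alone is not CSRF protection (the administrator's browser sends their cookies with the forged request). Both are needed, and the option name should never come from the request.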

CVE-2025-1128 – Everest Forms <= 3.0.9.4 - Unauthenticated Arbitrary File Upload, Read, and Deletion
https://notcve.org/view.php?id=CVE-2025-1128
17 Feb 2025 — The Everest Forms – Contact Forms, Quiz, Survey, Newsletter & Payment Form Builder for WordPress plugin for WordPress is vulnerable to arbitrary file upload, read, and deletion due to missing file type and path validation in the 'format' method of the EVF_Form_Fields_Upload class in all versions up to, and including, 3.0.9.4. ... • https://github.com/wpeverest/everest-forms/commit/7d37858d2c614aa107b0f495fe50819a3867e7f5 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-56000 – WordPress K Elements plugin < 5.4.0 - Unauthenticated Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2024-56000
17 Feb 2025 — The K Elements plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.3.9. • https://patchstack.com/database/wordpress/plugin/k-elements/vulnerability/wordpress-k-elements-plugin-5-2-0-unauthenticated-account-takeover-vulnerability? • CWE-266: Incorrect Privilege Assignment •

CVE-2024-13513 – Oliver POS – A WooCommerce Point of Sale (POS) <= 2.4.2.3 - Sensitive Information Exposure to Privilege Escalation
https://notcve.org/view.php?id=CVE-2024-13513
14 Feb 2025 — The Oliver POS – A WooCommerce Point of Sale (POS) plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4.2.3 via the logging functionality. • https://plugins.trac.wordpress.org/browser/oliver-pos/trunk/includes/models/class-pos-bridge-user.php#L373 • CWE-862: Missing Authorization •

CVE-2024-12562 – s2Member Pro <= 241216 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-12562
14 Feb 2025 — The s2Member Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 241216 via deserialization of untrusted input from the 's2member_pro_remote_op' vulnerable parameter. • https://s2member.com/changelog • CWE-502: Deserialization of Untrusted Data •

CVE-2025-26763 – WordPress Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider Plugin <= 3.94.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-26763
14 Feb 2025 — The Slider, Gallery, and Carousel by MetaSlider – Image Slider, Video Slider plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.94.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/ml-slider/vulnerability/wordpress-slider-gallery-and-carousel-by-metaslider-image-slider-video-slider-plugin-3-94-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •
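This entry and the s2Member Pro entry above both describe PHP object injection: `unserialize()` applied to attacker-controlled bytes, which lets the attacker instantiate any loaded class with chosen property values and have its magic methods (`__wakeup`, `__destruct`, `__toString`) run. The block below is an added example, not code from either plugin: a deliberately simple gadget class, a serialized payload an attacker would send, and the vulnerable call beside two safe alternatives. The class, parameter and function names are hypothetical; the request parameter is named after the one the s2Member Pro advisory cites only to make the shape clear.

```php
<?php
// Added example, not the plugins' own code. Class and names are hypothetical.

// A gadget: any loaded class whose destructor does something with attacker-
// settable properties. Real gadgets live in frameworks and libraries the site
// already loads; this one just writes a file.
class Example_Log_Writer {
    public $path = '';
    public $data = '';
    public function __destruct() {
        if ( '' !== $this->path ) {
            file_put_contents( $this->path, $this->data );
        }
    }
}

// Constructed payload, as an attacker would send it in the request body:
//   O:<len>:"<class>":<n>:{<props>}
// Lengths are the byte lengths of the quoted strings.
const EXAMPLE_POI_PAYLOAD = 'O:18:"Example_Log_Writer":2:{s:4:"path";s:20:"/tmp/example_poi.txt";s:4:"data";s:5:"owned";}';

// --- Vulnerable: the object is created with attacker-chosen properties and
// its destructor fires when $op goes out of scope, writing the file.
function example_handle_remote_op_vulnerable( $raw ) {
    $op = unserialize( $raw );
    return get_class( $op ); // "Example_Log_Writer"
}

// --- Safe alternative 1: refuse to instantiate any class. The result is a
// __PHP_Incomplete_Class whose destructor is inert, so the gadget never runs.
function example_handle_remote_op_no_classes( $raw ) {
    $op = unserialize( $raw, array( 'allowed_classes' => false ) );
    return get_class( $op ); // "__PHP_Incomplete_Class"
}

// --- Safe alternative 2 (preferred for new code): do not use PHP's
// serialization format for data that crosses a trust boundary at all.
// JSON cannot express objects, so there is nothing to inject.
function example_handle_remote_op_json( $raw ) {
    $op = json_decode( $raw, true );
    if ( ! is_array( $op ) || ! isset( $op['action'] ) ) {
        return null;
    }
    return sanitize_key( $op['action'] );
}
```

If the format cannot be changed (stored data, a third-party integration), `allowed_classes` set to `false`, or to an explicit list of plain data classes with no magic methods, is the minimum; `is_serialized()`-style checks before the call do nothing, since a payload like the one above is valid serialized data.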

CVE-2025-26776 – WordPress Chaty Pro Plugin <= 3.3.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-26776
14 Feb 2025 — The Chaty Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.3. • https://patchstack.com/database/wordpress/plugin/chaty-pro/vulnerability/wordpress-chaty-pro-plugin-3-3-3-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
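This entry and the Everest Forms entry above both come down to an upload path that trusts the client-supplied file name, and in the Everest Forms case also client-supplied paths for reading and deleting. As an added example, not code from either plugin, here is that handler written the way the advisories describe it, beside a hardened version that uses WordPress's own type checks, plus a helper that confines read and delete operations to the directory the plugin owns. Field names, the subdirectory and function names are hypothetical.

```php
<?php
// Added example (not Everest Forms or Chaty Pro code). Names are hypothetical.

// --- Vulnerable: the client chooses the file name (hence the extension) and,
// via "../", where it lands. "shell.php" or "../../plugins/x/backdoor.php"
// becomes a PHP file reachable over HTTP.
function example_upload_vulnerable() {
    $dir  = wp_upload_dir();
    $dest = $dir['basedir'] . '/example-forms/' . $_FILES['attachment']['name'];
    move_uploaded_file( $_FILES['attachment']['tmp_name'], $dest );
    return $dest;
}

// --- Hardened.
function example_upload_hardened() {
    if ( empty( $_FILES['attachment'] ) || UPLOAD_ERR_OK !== $_FILES['attachment']['error'] ) {
        return new WP_Error( 'no_file', 'Upload failed' );
    }
    $file    = $_FILES['attachment'];
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    // Checks the extension against $allowed and, for images, verifies the
    // content really is an image, so "shell.php" and a "shell.jpg" that holds
    // PHP source are both rejected (the latter because it does not parse as JPEG).
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'File type not permitted' );
    }
    // wp_handle_upload() re-validates, sanitizes the name, makes it unique and
    // moves the file into the standard uploads directory; 'mimes' narrows the
    // site-wide allowlist to just the types this form accepts.
    $overrides = array(
        'test_form' => false,
        'mimes'     => $allowed,
    );
    $result = wp_handle_upload( $file, $overrides );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['file'];
}

// For read and delete endpoints: accept a bare file name, never a path, and
// confirm the resolved path is inside the directory the plugin owns before
// touching it. Returns the absolute path or false.
function example_resolve_owned_file( $name ) {
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-forms/';
    $name = basename( sanitize_file_name( $name ) );
    $path = realpath( $dir . $name );
    $root = realpath( $dir );
    if ( false === $path || false === $root || 0 !== strpos( $path, $root . DIRECTORY_SEPARATOR ) ) {
        return false;
    }
    return $path;
}

function example_delete_owned_file( $name ) {
    $path = example_resolve_owned_file( $name );
    return ( false !== $path ) && wp_delete_file_from_directory( $path, dirname( $path ) );
}
```

The two things to confirm when reviewing such code are that the stored file name is derived by the server, not copied from the request, and that every later operation on the file (read, delete, move) re-derives the path from a bare name inside a fixed directory rather than accepting a path from the request.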