
CVE-2025-10176 – The Hack Repair Guy's Plugin Archiver <= 2.0.4 - Authenticated (Administrator+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-10176
12 Sep 2025 — The The Hack Repair Guy's Plugin Archiver plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the prepare_items function in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/d449a285-34f5-41ed-acfd-2a9acfb04271?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-8575 – LWS Cleaner <= 2.4.1.3 - Authenticated (Administrator+) Arbitrary File Deletion via 'lws_cl_delete_file'
https://notcve.org/view.php?id=CVE-2025-8575
11 Sep 2025 — The LWS Cleaner plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'lws_cl_delete_file' function in all versions up to, and including, 2.4.1.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/fa37025a-7f20-4cfe-a7d0-38168f49b6d9?source=cve • CWE-36: Absolute Path Traversal •

CVE-2025-9693 – User Meta – User Profile Builder and User management plugin <= 3.1.2 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-9693
10 Sep 2025 — The User Meta – User Profile Builder and User management plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the postInsertUserProcess function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://www.wordfence.com/threat-intel/vulnerabilities/id/d482f3a1-4a5a-4382-88b1-fd3b91605694?source=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-10049 – Responsive Filterable Portfolio <= 1.0.24 - Authenticated (Admin+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-10049
09 Sep 2025 — The Responsive Filterable Portfolio plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the HdnMediaSelection_image field in all versions up to, and including, 1.0.24. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/017f5894-be0d-4b0f-82bd-13bf7e2ff53f?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-10001 – Import any XML, CSV or Excel File to WordPress <= 3.9.3 - Authenticated (Admin+) Limited Unsafe File Upload
https://notcve.org/view.php?id=CVE-2025-10001
09 Sep 2025 — The Import any XML, CSV or Excel File to WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload unsafe files like .phar files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/bb03aeb8-32ab-4962-bc95-b10fb7bd7fcf?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-9539 – AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress <= 5.3.6 - Missing Authorization To Authenticated (Subscriber+) Remote Code Execution via Automation Creation
https://notcve.org/view.php?id=CVE-2025-9539
08 Sep 2025 — The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the automatorwp_ajax_import_automation_from_url function in all versions up to, and including, 5.3.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create arbitrary automations, which can lead to Remote Code Execution or Privileg... • https://www.wordfence.com/threat-intel/vulnerabilities/id/9efa04ca-68c8-4221-a3d9-cf75010d2266?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2025-9113 – Doccure <= 1.4.8 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-9113
08 Sep 2025 — The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccure_temp_upload_to_media' function in all versions up to, and including, 1.4.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://themeforest.net/item/doccure-medical-wordpress-theme/34329202 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-9112 – Doccure <= 1.4.8 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-9112
08 Sep 2025 — The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccure_temp_file_uploader' function in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://themeforest.net/item/doccure-medical-wordpress-theme/34329202 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-58819 – WordPress Bulk Featured Image Plugin <= 1.2.2 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-58819
05 Sep 2025 — The Bulk Featured Image plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/bulk-featured-image/vulnerability/wordpress-bulk-featured-image-plugin-1-2-2-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-9515 – Multi Step Form <= 1.7.25 - Authenticated (Admin+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-9515
05 Sep 2025 — The Multi Step Form plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the import functionality in all versions up to, and including, 1.7.25. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://www.wordfence.com/threat-intel/vulnerabilities/id/af7dbb61-90b1-4a61-819e-bcef88b12b7f?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •