CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 1
CVE-2025-13407 – GravityForms < 2.9.23.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-13407
24 Dec 2025 — The Gravity Forms WordPress plugin before 2.9.23.1 does not properly prevent users from uploading dangerous files through its chunked upload functionality, allowing attackers to upload PHP files to affected sites and achieve Remote Code Execution, granted they can discover or enumerate the upload path.
Reference: https://wpscan.com/vulnerability/e09908fb-f5ad-45ca-8698-c0d596fd39cc
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13773 – Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-13773
23 Dec 2025 — The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function.
Reference: https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347
CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 3.3 | EPSS: 0% | CPEs: 1 | EXPL: 2
CVE-2025-12654 – Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.120 - Authenticated (Admin+) Arbitrary Directory Creation
https://notcve.org/view.php?id=CVE-2025-12654
20 Dec 2025 — The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory creation in all versions up to, and including, 0.9.120.
Reference: https://github.com/Yuweixn/Anydesk-Exploit-CVE-2025-12654-RCE-Builder
CWE-73: External Control of File Name or Path
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13329 – File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data
https://notcve.org/view.php?id=CVE-2025-13329
19 Dec 2025 — The File Uploader for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the callback function for the 'add-image-data' REST API endpoint in all versions up to, and including, 1.0.3. This makes it possible for unauthenticated attackers to upload arbitrary files to the Uploadcare service and subsequently download them on the affected site's server which may make remote code execution possible.
Reference: https://wordpress.org/plugins/file-uploader-for-woocommerce
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13641 – Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template'
https://notcve.org/view.php?id=CVE-2025-13641
17 Dec 2025 — The Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.59.12 via the 'template' shortcode parameter. ... Successful exploitation could lead to information disclosure, code execution in the WordPress context, and potential remote code execution if combined with arbitrary file upload capabilities.
Reference: https://plugins.trac.wordpress.org/browser/nextgen-gallery/trunk/src/DisplayType/Controller.php#L369
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13094 – WP3D Model Import Viewer <= 1.0.7 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-13094
12 Dec 2025 — The WP3D Model Import Viewer plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the handle_import_file() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reference: https://wordpress.org/plugins/wp3d-model-import-block
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-14476 – Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import
https://notcve.org/view.php?id=CVE-2025-14476
12 Dec 2025 — The Doubly – Cross Domain Copy Paste for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.0.46 via deserialization of untrusted input from the content.txt file within uploaded ZIP archives. ... The additional presence of a POP chain allows attackers to execute arbitrary code, delete files, retrieve sensitive data, or perform other actions depending on the available gadgets.
Reference: https://plugins.trac.wordpress.org/browser/doubly/tags/1.0.46/inc_php/functions.class.php#L1040
CWE-502: Deserialization of Untrusted Data
CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-66074 – WordPress WP Webhooks plugin <= 3.3.8 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-66074
12 Dec 2025 — The WP Webhooks – Automate repetitive tasks by creating powerful automation workflows directly within WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 3.3.8. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reference: https://vdp.patchstack.com/database/Wordpress/Plugin/wp-webhooks/vulnerability/wordpress-wp-webhooks-plugin-3-3-8-arbitrary-file-upload-vulnerability?
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-12968 – Infility Global <= 2.14.23 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-12968
11 Dec 2025 — The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.23. ... This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reference: https://wordpress.org/plugins/infility-global
CWE-434: Unrestricted Upload of File with Dangerous Type
CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
CVE-2025-13320 – WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter
https://notcve.org/view.php?id=CVE-2025-13320
11 Dec 2025 — The WP User Manager plugin for WordPress is vulnerable to Arbitrary File Deletion in all versions up to, and including, 2.9.12. ... This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server via the 'current_user_avatar' parameter in a two-stage attack which can make remote code execution possible.
Reference: https://plugins.trac.wordpress.org/browser/wp-user-manager/tags/2.9.12/includes/forms/trait-wpum-account.php#L70
CWE-73: External Control of File Name or Path
