
CVE-2025-6895 – MelaPress Login Security 2.1.0 - 2.1.1 - Authentication Bypass to Privilege Escalation via get_valid_user_based_on_token Function
https://notcve.org/view.php?id=CVE-2025-6895
25 Jul 2025 — The Melapress Login Security plugin for WordPress is vulnerable to Authentication Bypass due to missing authorization within the get_valid_user_based_on_token() function in versions 2.1.0 to 2.1.1. • https://wordpress.org/plugins/melapress-login-security/#developers • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-41240 – Mounted Kubernetes Secrets under a predictable path located within the web server document root
https://notcve.org/view.php?id=CVE-2025-41240
24 Jul 2025 — Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem. Th... • https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w • CWE-552: Files or Directories Accessible to External Parties •

CVE-2025-6380 – ONLYOFFICE Docs 1.1.0 - 2.2.0 - Missing Authorization to Unauthenticated Privilege Escalation via callback Function
https://notcve.org/view.php?id=CVE-2025-6380
23 Jul 2025 — The ONLYOFFICE Docs plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its oo.callback REST endpoint in versions 1.1.0 to 2.2.0. ... • https://wordpress.org/plugins/onlyoffice/#developers • CWE-862: Missing Authorization •

CVE-2025-6441 – Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition <= 4.03.31 - Unauthenticated Login Token Generation to Authentication Bypass
https://notcve.org/view.php?id=CVE-2025-6441
23 Jul 2025 — The Webinar Solution: Create live/evergreen/automated/instant webinars, stream & Zoom Meetings | WebinarIgnition plugin for WordPress is vulnerable to unauthenticated login token generation due to a missing capability check on the `webinarignition_sign_in_support_staff` and `webinarignition_register_support` functions in all versions up to, and including, 4.03.31. This makes it possible for unauthenticated attackers to generate login tokens for arbitrary WordPress users under certain circumsta... • https://www.wordfence.com/threat-intel/vulnerabilities/id/52c19707-df18-4239-af46-12ea5ee86a4b?source=cve • CWE-862: Missing Authorization •

CVE-2025-7437 – Ebook Store <= 5.8012 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-7437
23 Jul 2025 — The Ebook Store plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ebook_store_save_form function in all versions up to, and including, 5.8012. ... • https://www.wordfence.com/threat-intel/vulnerabilities/id/0dc5c05d-51b7-4aee-bb4e-366ded45c4d8?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-7852 – WPBookit <= 1.0.6 - Unauthenticated Arbitrary File Upload via image_upload_handle Function
https://notcve.org/view.php?id=CVE-2025-7852
23 Jul 2025 — The WPBookit plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image_upload_handle() function hooked via the 'add_new_customer' route in all versions up to, and including, 1.0.6. ... • https://wordpress.org/plugins/wpbookit/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-6187 – bSecure 1.3.7 - 1.7.9 - Missing Authorization to Unauthenticated Privilege Escalation via order_info REST Endpoint
https://notcve.org/view.php?id=CVE-2025-6187
21 Jul 2025 — The bSecure plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization within its order_info REST endpoint in versions 1.3.7 through 1.7.9. • https://wordpress.org/plugins/bsecure/#developers • CWE-862: Missing Authorization •

CVE-2025-7697 – Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.1.1 - Unauthenticated PHP Object Injection via verify_field_val Function
https://notcve.org/view.php?id=CVE-2025-7697
18 Jul 2025 — The Integration for Google Sheets and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.1.1 via deserialization of untrusted input within the verify_field_val() function. • https://wordpress.org/plugins/integration-for-contact-form-7-and-google-sheets/#developers • CWE-502: Deserialization of Untrusted Data •

CVE-2025-7696 – Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.3 - Unauthenticated PHP Object Injection via verify_field_val Function
https://notcve.org/view.php?id=CVE-2025-7696
18 Jul 2025 — The Integration for Pipedrive and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.3 via deserialization of untrusted input within the verify_field_val() function. • https://wordpress.org/plugins/integration-for-contact-form-7-and-pipedrive/#developers • CWE-502: Deserialization of Untrusted Data •

CVE-2025-6222 – WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet <= 3.2.6 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-6222
17 Jul 2025 — The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ced_rnx_order_exchange_attach_files' function in all versions up to, and including, 3.2.6. • https://codecanyon.net/item/woocommerce-refund-and-exchange/17810207#item-description__changelog • CWE-434: Unrestricted Upload of File with Dangerous Type •