
CVE-2025-2294 – Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2025-2294
27 Mar 2025 — The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. ... The Kubio AI Page Builder plugin for WordPress is vulnerable to a local file inclusion vulnerability in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. • https://packetstorm.news/files/id/190110 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-2328 – Drag and Drop Multiple File Upload for Contact Form 7 <= 1.3.8.7 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-2328
27 Mar 2025 — The Drag and Drop Multiple File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'dnd_remove_uploaded_files' function in all versions up to, and including, 1.3.8.7. • https://plugins.trac.wordpress.org/browser/drag-and-drop-multiple-file-upload-contact-form-7/trunk/inc/dnd-upload-cf7.php#L153 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-2332 – Export All Posts, Products, Orders, Refunds & Users <= 2.13 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-2332
26 Mar 2025 — The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.13 via deserialization of untrusted input in the 'returnMetaValueAsCustomerInput' function. • https://plugins.trac.wordpress.org/browser/wp-ultimate-exporter/trunk/exportExtensions/ExportExtension.php#L3332 • CWE-502: Deserialization of Untrusted Data •

CVE-2025-2319 – EZ SQL Reports Shortcode Widget and DB Backup 4.11.13 - 5.25.08 - Cross-Site Request Forgery to Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-2319
24 Mar 2025 — The EZ SQL Reports Shortcode Widget and DB Backup plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.11.13 to 5.25.08. • https://plugins.trac.wordpress.org/browser/elisqlreports/tags/4..11.13/index.php • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-30615 – WordPress WP e-Commerce Style Email plugin <= 0.6.2 - CSRF to Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2025-30615
24 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Jacob Schwartz WP e-Commerce Style Email allows Code Injection. This issue affects WP e-Commerce Style Email: from n/a through 0.6.2. • https://patchstack.com/database/wordpress/plugin/wp-e-commerce-style-email/vulnerability/wordpress-wp-e-commerce-style-email-plugin-0-6-2-csrf-to-remote-code-execution-vulnerability? • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-28916 – WordPress Docpro plugin <= 2.0.1 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-28916
23 Mar 2025 — The Docpro plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.1. • https://patchstack.com/database/wordpress/plugin/docpro/vulnerability/wordpress-docpro-plugin-2-0-1-local-file-inclusion-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-2505 – Age Gate <= 3.5.3 - Unauthenticated Local PHP File Inclusion via 'lang'
https://notcve.org/view.php?id=CVE-2025-2505
19 Mar 2025 — The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the 'lang' parameter. • https://plugins.trac.wordpress.org/browser/age-gate/trunk/vendor/agegate/common/src/Settings.php#L27 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-26909 – WordPress Hide My WP Ghost plugin <= 5.4.01 - Local File Inclusion to RCE vulnerability
https://notcve.org/view.php?id=CVE-2025-26909
19 Mar 2025 — The Hide My WP Ghost plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 5.4.01. • https://patchstack.com/database/wordpress/plugin/hide-my-wp/vulnerability/wordpress-hide-my-wp-ghost-plugin-5-4-01-local-file-inclusion-to-rce-vulnerability? • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-2512 – File Away <= 3.9.9.0.1 - Missing Authorization to Unauthenticated File Upload via upload Function
https://notcve.org/view.php?id=CVE-2025-2512
18 Mar 2025 — The File Away plugin for WordPress is vulnerable to arbitrary file uploads due to a missing capability check and missing file type validation in the upload() function in all versions up to, and including, 3.9.9.0.1. • https://wordpress.org/plugins/file-away/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-12922 – Altair <= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current
https://notcve.org/view.php?id=CVE-2024-12922
18 Mar 2025 — The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://themeforest.net/item/tour-travel-agency-altair-theme/9318575 • CWE-862: Missing Authorization •