CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-28998 – WordPress SERPed.net plugin <= 4.6 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-28998
25 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in serpednet SERPed.net allows PHP Local File Inclusion. This issue affects SERPed.net: from n/a through 4.6. The SERPed.net plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 4.6. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can ... • https://patchstack.com/database/wordpress/plugin/serped-net/vulnerability/wordpress-serped-net-4-6-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-32651 – WordPress SERPed.net Plugin <= 4.6 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-32651
10 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in serpednet SERPed.net allows Reflected XSS. This issue affects SERPed.net: from n/a through 4.6. The SERPed.net plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully ... • https://patchstack.com/database/wordpress/plugin/serped-net/vulnerability/wordpress-serped-net-plugin-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24669 – WordPress SERPed.net Plugin <= 4.4 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-24669
24 Jan 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SERPed SERPed.net allows SQL Injection. This issue affects SERPed.net: from n/a through 4.4. The SERPed.net plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 4.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor-level access and abov... • https://patchstack.com/database/wordpress/plugin/serped-net/vulnerability/wordpress-serped-net-plugin-4-4-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •