
CVE-2025-29004 – Responsive Coming Soon Landing Page / Holding Page for WordPress <= 3.0 - Authenticated (Subscriber+) Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-29004
08 Jul 2025 — The wordpress-flat-countdown plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. • CWE-269: Improper Privilege Management •

CVE-2025-53260 – WordPress File Manager Plugin For Wordpress plugin <= 7.5 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-53260
27 Jun 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in getredhawkstudio File Manager Plugin For Wordpress allows Upload a Web Shell to a Web Server. This issue affects File Manager Plugin For Wordpress: from n/a through 7.5. The File Manager Plugin For WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 7.5. This makes it possible for authenticated attackers, with Administrator-level access and above, to u... • https://patchstack.com/database/wordpress/plugin/file-manager-plugin-for-wordpress/vulnerability/wordpress-file-manager-plugin-for-wordpress-plugin-7-5-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-49879 – WordPress Litho <= 3.0 - Arbitrary File Deletion Vulnerability
https://notcve.org/view.php?id=CVE-2025-49879
17 Jun 2025 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in themezaa Litho allows Path Traversal. This issue affects Litho: from n/a through 3.0. The Litho theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.0. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (su... • https://patchstack.com/database/wordpress/theme/litho/vulnerability/wordpress-litho-3-0-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2025-49435 – WordPress Wp Easy Allopass <= 4.1.1 - Cross Site Request Forgery (CSRF) Vulnerability
https://notcve.org/view.php?id=CVE-2025-49435
05 Jun 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Hasina77 Wp Easy Allopass allows Cross Site Request Forgery. This issue affects Wp Easy Allopass: from n/a through 4.1.1. The Wp Easy Allopass plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.1.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a site administrator into perf... • https://patchstack.com/database/wordpress/plugin/wordpress-easy-allopass/vulnerability/wordpress-wp-easy-allopass-4-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-39509 – WordPress TNC FlipBook plugin <= 12.1.0 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-39509
16 May 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeNcode TNC FlipBook allows Stored XSS. This issue affects TNC FlipBook: from n/a through 12.1.0. The TNC FlipBook plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 12.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts ... • https://patchstack.com/database/wordpress/plugin/pdf-viewer-for-wordpress/vulnerability/wordpress-tnc-flipbook-plugin-12-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-39376 – WordPress Car Park Booking System for WordPress plugin <= 2.6 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-39376
22 Apr 2025 — Missing Authorization vulnerability in QuanticaLabs Car Park Booking System for WordPress. This issue affects Car Park Booking System for WordPress: from n/a through 2.6. The car-park-booking-system-for-wordpress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action. • https://patchstack.com/database/wordpress/plugin/car-park-booking-system-for-wordpress/vulnerability/wordpress-car-park-booking-system-for-wordpress-plugin-2-6-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2025-39431 – WordPress Amazon Showcase WordPress Plugin plugin <= 2.2 - CSRF to XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-39431
17 Apr 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Aaron Forgue Amazon Showcase WordPress Plugin allows Stored XSS. This issue affects Amazon Showcase WordPress Plugin: from n/a through 2.2. The Amazon Showcase WordPress Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via... • https://patchstack.com/database/wordpress/plugin/amazon-showcase-wordpress-widget/vulnerability/wordpress-amazon-showcase-wordpress-plugin-plugin-2-2-csrf-to-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-32202 – WordPress Insert or Embed Articulate Content into WordPress plugin <= 4.3000000025 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-32202
08 Apr 2025 — Unrestricted Upload of File with Dangerous Type vulnerability in Brian Batt - elearningfreak.com Insert or Embed Articulate Content into WordPress allows Upload a Web Shell to a Web Server. This issue affects Insert or Embed Articulate Content into WordPress: from n/a through 4.3000000025. The Insert or Embed Articulate Content into WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 4.3000000025. This makes it poss... • https://patchstack.com/database/wordpress/plugin/insert-or-embed-articulate-content-into-wordpress/vulnerability/wordpress-insert-or-embed-articulate-content-into-wordpress-plugin-4-3000000025-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-31735 – WordPress Footnotes for WordPress plugin <= 2016.1230 - Cross Site Scripting (XSS) Vulnerability
https://notcve.org/view.php?id=CVE-2025-31735
01 Apr 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in C. Johnson Footnotes for WordPress allows Stored XSS. This issue affects Footnotes for WordPress: from n/a through 2016.1230. The Footnotes for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2016.1230 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and ... • https://patchstack.com/database/wordpress/plugin/footnotes-for-wordpress/vulnerability/wordpress-footnotes-for-wordpress-plugin-2016-1230-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-30552 – WordPress WordPress Admin Bar Improved plugin <= 3.3.5 - CSRF to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2025-30552
24 Mar 2025 — Cross-Site Request Forgery (CSRF) vulnerability in Donald Gilbert WordPress Admin Bar Improved allows Stored XSS. This issue affects WordPress Admin Bar Improved: from n/a through 3.3.5. The WordPress Admin Bar Improved plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.3.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action granted they can trick a si... • https://patchstack.com/database/wordpress/plugin/wordpress-admin-bar-improved/vulnerability/wordpress-wordpress-admin-bar-improved-plugin-3-3-5-csrf-to-stored-xss-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •