
CVE-2025-6439 – WooCommerce Designer Pro <= 1.9.26 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-6439
10 Oct 2025 — The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability. • https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-6553 – Ovatheme Events Manager <= 1.8.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-6553
10 Oct 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-7526 – WP Travel Engine – Tour Booking Plugin – Tour Operator Software <= 6.6.7 - Authenticated (Subscriber+) Arbitrary File Deletion via File Renaming
https://notcve.org/view.php?id=CVE-2025-7526
08 Oct 2025 — The WP Travel Engine – Tour Booking Plugin – Tour Operator Software plugin for WordPress is vulnerable to arbitrary file deletion (via renaming) due to insufficient file path validation in the set_user_profile_image function in all versions up to, and including, 6.6.7. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/wp-travel-engine/tags/6.5.6/includes/dashboard/class-wp-travel-engine-form-handler.php#L512 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-10494 – Motors – Car Dealership & Classified Listings Plugin <= 1.4.89 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2025-10494
07 Oct 2025 — The Motors – Car Dealership & Classified Listings Plugin plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation when deleting profile pictures in all versions up to, and including, 1.4.89. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3369415%40motors-car-dealership-classified-listings%2Ftrunk&old=3367132%40motors-car-dealership-classified-listings%2Ftrunk&sfp_email=&sfph_mail= • CWE-73: External Control of File Name or Path

CVE-2025-9212 – WP Dispatcher <= 1.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-9212
02 Oct 2025 — The WP Dispatcher plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the wp_dispatcher_process_upload() function in all versions up to, and including, 1.2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. The directory does have an .htaccess file which limits the ability to achieve remote code exe... • https://plugins.trac.wordpress.org/browser/wp-dispatcher/trunk/admin/class-wp-dispatcher-add-new-upload.php#L110 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-9561 – AP Background 3.8.1 - 3.8.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload via advParallaxBackAdminSaveSlider Function
https://notcve.org/view.php?id=CVE-2025-9561
02 Oct 2025 — The AP Background plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization and insufficient file validation within the advParallaxBackAdminSaveSlider() handler in versions 3.8.1 to 3.8.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://wordpress.org/plugins/ap-background • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-9762 – Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments
https://notcve.org/view.php?id=CVE-2025-9762
29 Sep 2025 — The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/post-by-email/tags/1.0.4b/class-post-by-email.php#L702 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2025-8625 – Copypress Rest API 1.1 - 1.2 - Missing Configurable JWT Secret and File-Type Validation to Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2025-8625
29 Sep 2025 — The Copypress Rest API plugin for WordPress is vulnerable to Remote Code Execution via copyreap_handle_image() Function in versions 1.1 to 1.2. ... As a result, unauthenticated attackers can forge a valid token to gain elevated privileges and upload an arbitrary file (e.g. a PHP script) through the image handler, leading to remote code execution. • https://wordpress.org/plugins/copypress-rest-api/#developers • CWE-321: Use of Hard-coded Cryptographic Key

CVE-2025-10000 – Qyrr – simply and modern QR-Code creation <= 2.0.7 - Authenticated (Contributor+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-10000
29 Sep 2025 — The Qyrr – simply and modern QR-Code creation plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the blob_to_file() function in all versions up to, and including, 2.0.7. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/qyrr-code/trunk/inc/class-qyrr-rest.php#L94 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-60114 – WordPress YayCurrency Plugin <= 3.2 - Remote Code Execution (RCE) Vulnerability
https://notcve.org/view.php?id=CVE-2025-60114
26 Sep 2025 — The YayCurrency – WooCommerce Multi-Currency Switcher plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 3.2. • https://patchstack.com/database/wordpress/plugin/yaycurrency/vulnerability/wordpress-yaycurrency-plugin-3-2-remote-code-execution-rce-vulnerability? • CWE-94: Improper Control of Generation of Code ('Code Injection')