CVE-2025-13062 – Supreme Modules Lite <= 2.5.62 - Authenticated (Author+) Arbitrary File Upload via JSON Upload Bypass
CVSS: 8.8 | EPSS: % | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-13062
15 Jan 2026 — The Supreme Modules Lite plugin for WordPress is vulnerable to arbitrary file upload in all versions up to, and including, 2.5.62. ... This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-15158 – WP Enable WebP <= 1.0 - Authenticated (Author+) Arbitrary File Upload
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-15158
06 Jan 2026 — The WP Enable WebP plugin for WordPress is vulnerable to arbitrary file uploads due to improper file type validation in the 'wpse_file_and_ext_webp' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reference: https://plugins.trac.wordpress.org/browser/wp-enable-webp/trunk/wp-enable-webp.php?rev=1998897#L43
CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-14842 – Drag and Drop Multiple File Upload – Contact Form 7 <= 1.3.9.2 - Unauthenticated Limited Arbitrary File Upload
CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-14842
06 Jan 2026 — The Drag and Drop Multiple File Upload – Contact Form 7 plugin for WordPress is vulnerable to limited upload of files with a dangerous type in all versions up to, and including, 1.3.9.2. ... Malicious PHP code can be used to achieve remote code execution on the server via direct file access, if the server is configured to execute .phar files as PHP.
Reference: https://plugins.trac.wordpress.org/browser/contact-form-7/trunk/includes/formatting.php#L310
CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-14997 – BuddyPress Xprofile Custom Field Types <= 1.2.8 - Authenticated (Subscriber+) Arbitrary File Deletion
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-14997
05 Jan 2026 — The BuddyPress Xprofile Custom Field Types plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'delete_field' function in all versions up to, and including, 1.2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
Reference: https://plugins.trac.wordpress.org/browser/bp-xprofile-custom-field-types/tags/1.2.8/src/handlers/class-field-upload-helper.php
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2025-67924 – WordPress Corpkit theme <= 2.0 - Arbitrary File Upload vulnerability
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-67924
05 Jan 2026 — The Corpkit - Business Consulting WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reference: https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?
CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-14509 – Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-14509
29 Dec 2025 — The Lucky Wheel for WooCommerce – Spin a Sale plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 1.1.13. ... In WordPress multisite installations, this allows Site Administrators to execute arbitrary code, a capability they should not have since plugin/theme file editing is disabled for non-Super Admins in multisite environments.
Reference: https://plugins.trac.wordpress.org/browser/woo-lucky-wheel/tags/1.1.13/frontend/frontend.php#L127
CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-13592 – Advanced Ads <= 2.0.14 - Authenticated (Editor+) Remote Code Execution via Shortcode
CVSS: 7.2 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-13592
29 Dec 2025 — The Advanced Ads plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.0.14 via the 'change-ad__content' shortcode parameter.
Reference: https://plugins.trac.wordpress.org/browser/advanced-ads/tags/2.0.14/includes/ads/class-ad-plain.php#L36
CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-68897 – WordPress IF AS Shortcode plugin <= 1.2 - Remote Code Execution (RCE) vulnerability
CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-68897
25 Dec 2025 — The IF AS Shortcode plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.2.
Reference: https://vdp.patchstack.com/database/wordpress/plugin/if-as-shortcode/vulnerability/wordpress-if-as-shortcode-plugin-1-2-remote-code-execution-rce-vulnerability?
CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2025-68562 – WordPress MapSVG plugin <= 8.7.3 - Arbitrary File Upload vulnerability
CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-68562
24 Dec 2025 — The MapSVG – Vector maps, Image maps, Google Maps plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 8.7.3. This makes it possible for authenticated attackers, with Contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Reference: https://vdp.patchstack.com/database/wordpress/plugin/mapsvg-lite-interactive-vector-maps/vulnerability/wordpress-mapsvg-plugin-8-7-3-arbitrary-file-upload-vulnerability?
CWE-434: Unrestricted Upload of File with Dangerous Type

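Five entries in this feed (CVE-2025-13062, CVE-2025-15158, CVE-2025-14842, CVE-2025-67924 and CVE-2025-68562) are CWE-434 cases where the plugin or theme trusted the uploaded file's name or declared type. The Python model below is added here as an illustration, not code from any of those plugins or from WordPress core, of the checks an upload handler needs in order to refuse the variants the entries describe: a bare script extension such as .phar, a secondary extension as in shell.php.jpg, a PHP body behind an image extension, and a name that escapes the upload directory. The extension sets, signatures and sample file names are constructed for the example and are not exhaustive.

```python
"""Allowlist upload validation modelling the checks the CWE-434 entries lacked.

Constructed example: the extension sets and signatures are illustrative, not a
complete list, and nothing here is WordPress or plugin code.
"""
import re

# Extensions a web server may hand to an interpreter. Any dotted segment in the
# name matching one of these is rejected, so "shell.php.jpg" fails as well as
# "shell.php"; whether .phar or .phtml is executed is a server setting, so the
# upload layer refuses them regardless.
EXECUTABLE_EXTS = frozenset({
    "php", "php3", "php4", "php5", "php7", "php8", "phps", "pht", "phtml",
    "phar", "shtml", "cgi", "pl", "py", "asp", "aspx", "jsp",
    "htaccess", "htpasswd",
})

# Allowlist: final extension -> accepted leading bytes. The client's declared
# Content-Type is never consulted; only the bytes written to disk are.
ALLOWED_SIGNATURES = {
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),        # RIFF container; the WEBP tag is checked below
    "pdf":  (b"%PDF-",),
}

# Applied after lower-casing: must start alphanumeric (so ".htaccess" fails),
# contain only a conservative character set, and stay short.
SAFE_NAME = re.compile(r"^[a-z0-9][a-z0-9._-]{0,127}$")


class UploadRejected(ValueError):
    """Raised with a human-readable reason when a file must not be stored."""


def validate_upload(filename: str, head: bytes) -> str:
    """Return the normalised name to store under, or raise UploadRejected.

    `head` is the first bytes of the uploaded temp file as read from disk.
    """
    if "\x00" in filename or "/" in filename or "\\" in filename:
        raise UploadRejected("path or NUL characters in name")
    name = filename.strip().lower()
    if not SAFE_NAME.match(name):
        raise UploadRejected("name contains disallowed characters")
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    # Every segment after the basename counts as an extension.
    for ext in parts[1:]:
        if ext in EXECUTABLE_EXTS:
            raise UploadRejected(f"executable extension .{ext}")
    ext = parts[-1]
    signatures = ALLOWED_SIGNATURES.get(ext)
    if signatures is None:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    if not any(head.startswith(sig) for sig in signatures):
        raise UploadRejected("content does not match extension")
    if ext == "webp" and head[8:12] != b"WEBP":
        raise UploadRejected("RIFF container is not WebP")
    return name


def screen(filename: str, head: bytes) -> str:
    """Wrapper returning 'ACCEPT <name>' or 'REJECT <reason>' for easy checking."""
    try:
        return "ACCEPT " + validate_upload(filename, head)
    except UploadRejected as exc:
        return "REJECT " + str(exc)


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header and several attacker-shaped names.
    samples = [
        ("Photo.JPG", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
        ("shell.phar", b"<?php system($_GET['c']); ?>"),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
        ("image.jpg", b"<?php system($_GET['c']); ?>"),
        ("../avatar.png", b"\x89PNG\r\n\x1a\n"),
        (".htaccess", b"AddType application/x-httpd-php .jpg"),
    ]
    for fname, head in samples:
        print(f"{fname!r:20} -> {screen(fname, head)}")
```

Two caveats a reviewer would attach to this. Sniffing only the leading bytes does not catch a polyglot, a valid JPEG with PHP appended in a comment segment, so the upload directory itself must be served with no script handler; the validation above keeps obvious webshells out, the server configuration is what makes a stored file inert. And, as the CVE-2025-14842 entry notes, whether .phar reaches the PHP interpreter depends on server configuration, which is why the executable list is defence in depth behind the allowlist rather than a replacement for it. In WordPress itself, wp_check_filetype_and_ext() is the core function that compares extension and sniffed content against the site's allowed MIME types.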
CVE-2025-13773 – Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution
CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-13773
23 Dec 2025 — The Print Invoice & Delivery Notes for WooCommerce plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 5.8.0 via the 'WooCommerce_Delivery_Notes::update' function.
Reference: https://plugins.trac.wordpress.org/browser/woocommerce-delivery-notes/tags/5.8.0/includes/class-woocommerce-delivery-notes.php#L347
CWE-94: Improper Control of Generation of Code ('Code Injection')
