Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025)

In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.  

Last week, there were 230 vulnerabilities disclosed in 197 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 53 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 26,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• My Tickets – Accessible Event Ticketing <= 2.0.16 – Authenticated (Subscriber+) Privilege Escalation
• WAF-RULE-822 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-824 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
johska	49
Nabil Irawan	16
muhammad yudha	15
Dimas Maulana	12
Nguyen Xuan Chien	10
ch4r0n	10
Trương Hữu Phúc (truonghuuphuc)	7
Aiden (Thái An)	7
Bonds	7
Ananda Dhakal	6
kr0d	6
Nguyen Ngoc Quang Bach (maysbachs)	5
Tonn	5
stealthcopter	4
astra.r3verii	4
timomangcut	4
Avraham Shemesh	4
Peter Thaleikis	4
Skalucy	3
Phat RiO – BlueRock	3
Dave Jong	3
Lucio Sá	3
0x1ceKing	3
Chuck	3
mikemyers	2
theviper17y	2
nquangit	2
Michael	2
Le Ngoc Anh	2
Jack Taylor	2
haudayroi	2
Webbernaut	2
João Pedro Soares de Alcântara	1
0xVenus	1
0xbro	1
Amin Beheshti	1
Gab	1
Ngo Bui Truong Vu	1
domiee13	1
shaman0x01	1
Foxyyy	1
lucky_buddy	1
Francesco Carlucci	1
LVT-tholv2k	1
zer0gh0st	1
Psai	1
Khalid Yusuf	1
Alyudin Nafiie	1
p4	1
Hiro	1
Tom Broucke	1
Dhabaleshwar Das	1
zaim	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Altair <= 5.2.2 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32928

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Altair

Researcher

Bonds

More Details >

Arrival <= 1.4.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32921

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Arrival

Researcher

Dimas Maulana

More Details >

Capturly <= 2.0.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39379

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Capturly

Researcher

Dimas Maulana

More Details >

Checkout Field Visibility for WooCommerce <= 1.2.3 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39391

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Checkout Field Visibility for WooCommerce

Researcher

Dimas Maulana

More Details >

CiyaShop <= 4.18.0 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39349

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
CiyaShop – Multipurpose WooCommerce Theme

Researcher

Bonds

More Details >

CWW Portfolio <= 1.3.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39359

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
CWW Portfolio

Researcher

Dimas Maulana

More Details >

Fable Extra <= 1.0.6 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-46468

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Fable Extra

Researcher

stealthcopter

More Details >

Flynax Bridge <= 2.2.0 – Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-3604

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Flynax Bridge

Researcher

kr0d

More Details >

Flynax Bridge <= 2.2.0 – Unauthenticated Privilege Escalation via Password Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-3603

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Flynax Bridge

Researcher

kr0d

More Details >

Foodbakery Sticky Cart <= 3.2 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39356

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Foodbakery Sticky Cart

Researcher

Bonds

More Details >

Grace Mag <= 1.1.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39360

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Grace Mag

Researcher

Dimas Maulana

More Details >

Grand Conference <= 5.2 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39354

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Grand Conference | Event WordPress

Researcher

Bonds

More Details >

Grand Restaurant WordPress <= 7.0 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39348

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Grand Restaurant WordPress

Researcher

Ananda Dhakal

More Details >

Grand Restaurant WordPress <= 7.0 – Unauthenticated PHP Object Injection via Path Traversal

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32926

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Grand Restaurant WordPress

Researcher

Ananda Dhakal

More Details >

Hospital Management System <= 47.0(20-11-2023) – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39380

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
Hospital Management System for WordPress

Researcher

Aiden (Thái An)

More Details >

License For Envato <= 1.0.0 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39399

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
License For Envato

Researcher

Dimas Maulana

More Details >

Opstore <= 1.4.5 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39387

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Opstore

Researcher

Dimas Maulana

More Details >

Product Lister for eBay <= 2.0.9 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39384

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Product Lister for eBay

Researcher

Dimas Maulana

More Details >

Service Finder Bookings <= 5.1 – Unauthenticated Privilege Escalation via ‘nsl_registration_store_extra_input’

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-2470

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Service Finder Bookings

Researcher

Alyudin Nafiie

More Details >

SEUR Oficial <= 2.2.23 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-46474

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
SEUR Oficial

Researcher

Aiden (Thái An)

More Details >

Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39378

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light

Researcher

Dimas Maulana

More Details >

SUMO Reward Points <= 30.7.0 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32925

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
SUMO Reward Points for WooCommerce

Researcher

Bonds

More Details >

WP FoodBakery <= 3.3 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-32927

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
WP Foodbakery

Researcher

Bonds

More Details >

Xews Lite <= 1.0.9 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-39383

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Xews Lite

Researcher

Dimas Maulana

More Details >

Database Toolset <= 1.8.4 – Unauthenticated Arbitrary File Deletion

9.1

CVSS Rating
Critical (9.1)

CVE-ID
CVE-2025-3065

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Database Toolset

Researcher

theviper17y

More Details >

Aeropage Sync for Airtable <= 3.2.0 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3914

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Aeropage Sync for Airtable

Researcher

Chuck

More Details >

BM Content Builder <= 3.16.2.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-1279

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
BM Content Builder

Researcher

Tonn

More Details >

Configurator Theme Core <= 1.4.7 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3101

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Configurator Theme Core

Researcher

Tonn

More Details >

Crossword Compiler Puzzles <= 5.2 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-46490

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Crossword Compiler Puzzles

Researcher

astra.r3verii

More Details >

Frontend Login and Registration Blocks <= 1.0.7 – Authenticated (Subscriber+) Privilege Escalation via Password Reset

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3607

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Frontend Login and Registration Blocks

Researcher

kr0d

More Details >

Greenshift 11.4 – 11.4.5 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3616

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
Greenshift – animation and page builder blocks

Researcher

mikemyers

More Details >

Integração entre Eduzz e Woocommerce 1.5.0 – 1.7.5 – Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3906

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Integração entre Eduzz e Woocommerce

Researcher

kr0d

More Details >

My Tickets – Accessible Event Ticketing <= 2.0.16 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3761

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
My Tickets – Accessible Event Ticketing

Researcher

Le Ngoc Anh

More Details >

Popup Builder <= 1.1.35 – Authenticated (Subscriber+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-46230

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Popup Builder

Researcher

LVT-tholv2k

More Details >

PowerPress Podcasting plugin by Blubrry <= 11.12.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-46264

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
PowerPress Podcasting plugin by Blubrry

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Vikinger <= 1.9.30 – Authenticated (Subscriber+) Privilege Escalation via ‘vikinger_user_meta_update_ajax’

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-2238

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Vikinger

Researcher

Tonn

More Details >

wProject < 5.8.0 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-39366

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
wProject

Researcher

Dave Jong

More Details >

Xelion Webchat <= 9.1.0 – Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3058

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
Xelion Webchat

Researcher

kr0d

More Details >

Xpro Elementor Addons – Pro <= 1.4.9 – Authenticated (Contributor+) Remote Code Execution

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2024-13808

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Xpro Elementor Addons – Pro

Researcher

stealthcopter

More Details >

Verification SMS with TargetSMS <= 1.5 – Unauthenticated Limited Remote Code Execution

8.3

CVSS Rating
High (8.3)

CVE-ID
CVE-2025-3776

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Verification SMS with TargetSMS

Researcher

Chuck

More Details >

Grand Restaurant WordPress <= 7.0 – Missing Authorization to Unauthenticated Arbitrary Options Deletion

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2025-39352

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Grand Restaurant WordPress

Researcher

Ananda Dhakal

More Details >

WordPress Simple PayPal Shopping Cart <= 5.1.2 – Unauthenticated Information Exposure via file_url Parameter

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2025-3529

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
WordPress Simple Shopping Cart

Researcher

Jack Taylor

More Details >

Edumall <= 4.2.4 – Unauthenticated Local File Inclusion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-2101

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
EduMall – Professional LMS Education Center WordPress Theme

Researcher

Tonn

More Details >

JobSearch WP Job Board <= 2.8.8 – Authentication Bypass via Social Logins

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2024-11917

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
JobSearch WP Job Board

Researcher

Foxyyy

More Details >

Jupiter X Core <= 4.8.11 – Unauthenticated PHP Object Injection via PHAR

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-2105

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Jupiter X Core

Researcher

Phat RiO – BlueRock

More Details >

Plugin Central <= 2.5.1 – Cross-Site Request Forgery to Arbitrary File Deletion

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-46439

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Plugin Central

Researcher

Nguyen Xuan Chien

More Details >

AnalyticsWP <= 2.1.2 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-39389

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
AnalyticsWP

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Easy Guide <= 1.0.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-46460

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
WordPress Easy Guide

Researcher

Le Ngoc Anh

More Details >

Fable Extra <= 1.0.6 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-46539

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Fable Extra

Researcher

timomangcut

More Details >

Frontend Dashboard <= 2.2.5 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-46248

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Frontend Dashboard

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Frontend Dashboard <= 2.2.5 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-46248

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Frontend Dashboard

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Hospital Management System <= 47.0(20-11-2023) – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-39386

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
Hospital Management System for WordPress

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Mayosis Core <= 5.4.1 – Unauthenticated Arbitrary File Read

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-1565

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Mayosis Core

Researcher

Tonn

More Details >

WordPress Simple PayPal Shopping Cart <= 5.1.2 – Unauthenticated Product Price Manipulation

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-3530

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
WordPress Simple Shopping Cart

Researcher

Jack Taylor

More Details >

WP HRM LITE <= 1.1 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-46455

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
WP HRM LITE

Researcher

Hiro

More Details >

Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2025-2801

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress

Researcher

Avraham Shemesh

More Details >

Add custom page template <= 2.0.1 – Authenticated (Administrator+) PHP Code Injection to Remote Code Execution

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-3491

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Add custom page template

Researcher

ch4r0n

More Details >

eForm <= 4.18.0 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-1294

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
eForm – WordPress Form Builder

Researcher

shaman0x01

More Details >

Flickr Shortcode Importer <= 2.2.3 – Authenticated (Administrator+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-46481

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Flickr Shortcode Importer

Researcher

Ngo Bui Truong Vu

More Details >

WPMasterToolKit (WPMTK) – All in one plugin <= 2.5.2 – Authenticated (Administrator+) to Arbitrary File Read and Write

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-3300

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
WPMasterToolKit (WPMTK) – All in one plugin

Researcher

nquangit

More Details >

Social Counter <= 2.0.5 – Authenticated (Administrator+) PHP Object Injection

6.6

CVSS Rating
Medium (6.6)

CVE-ID
CVE-2025-46473

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Social Counter

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Anps Theme plugin <= 1.1.1 – Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2024-13812

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Anps Theme plugin

Researcher

Lucio Sá

More Details >

Appointment Booking Calendar <= 1.3.92 – Cross-Site Request Forgery to SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-46241

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Appointment Booking Calendar

Researcher

astra.r3verii

More Details >

Appsero Helper <= 1.3.4 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-39377

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Appsero Helper

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.9 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-3280

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes

Researcher

Phat RiO – BlueRock

More Details >

FAT Services Booking <= 5.6 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-39355

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
FAT Services Booking

Researcher

Aiden (Thái An)

More Details >

Hospital Management System <= 47.0(20-11-2023) – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-39357

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Hospital Management System for WordPress

Researcher

Aiden (Thái An)

More Details >

Mailing Group Listserv <= 3.0.4 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-46463

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Mailing Group Listserv

Researcher

timomangcut

More Details >

Ocean Extra <= 2.4.6 – Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-3472

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
Ocean Extra

Researcher

stealthcopter

More Details >

Revy <= 2.1 – Authenticated (Subscriber+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-32924

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Revy

Researcher

Aiden (Thái An)

More Details >

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 – Unauthenticated Server-Side Request Forgery via URL Parameter

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-3775

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor)

Researcher

mikemyers

More Details >

360 View <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46509

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
360 View

Researcher

johska

More Details >

Able Player <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46475

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Able Player, accessible HTML5 media player

Researcher

johska

More Details >

Able Player, accessible HTML5 media player <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3752

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Able Player, accessible HTML5 media player

Researcher

Peter Thaleikis

More Details >

Advanced Accordion Gutenberg Block <= 5.0.2 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-2543

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
Advanced Accordion Gutenberg Block

Researcher

Avraham Shemesh

More Details >

Animate <= 0.5 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46443

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Animate

Researcher

Nguyen Xuan Chien

More Details >

Author Box After Posts <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46263

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Author Box After Posts

Researcher

Michael

More Details >

Awesome Wp Image Gallery <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46476

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Awesome Wp Image Gallery

Researcher

muhammad yudha

More Details >

BBCode Deluxe <= 2020.08.01.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46479

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
BBCode Deluxe

Researcher

johska

More Details >

BeerXML Shortcode <= 0.71 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46511

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
BeerXML Shortcode

Researcher

ch4r0n

More Details >

Breeze Display <= 1.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via cal_size Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3749

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Breeze Display

Researcher

Peter Thaleikis

More Details >

Carousel-of-post-images <= 1.07 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46536

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Carousel-of-post-images

Researcher

johska

More Details >

Custom Related Posts <= 1.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46227

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Custom Related Posts

Researcher

muhammad yudha

More Details >

Dropdown Content <= 1.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46478

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Dropdown Content

Researcher

muhammad yudha

More Details >

Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-1458

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder

Researcher

zer0gh0st

More Details >

Enhanced Paypal Shortcodes <= 0.5a – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46543

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Enhanced Paypal Shortcodes

Researcher

johska

More Details >

Event post <= 5.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46228

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Event post

Researcher

astra.r3verii

More Details >

External Markdown <= 0.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46445

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
External Markdown

Researcher

johska

More Details >

Fable Extra <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46447

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Fable Extra

Researcher

timomangcut

More Details >

FuseDesk <= 6.7 – Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3832

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
FuseDesk

Researcher

Peter Thaleikis

More Details >

GNA Search Shortcode <= 0.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46540

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
GNA Search Shortcode

Researcher

johska

More Details >

GTDB Guitar Tuners <= 4.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46438

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
GTDB Guitar Tuners

Researcher

johska

More Details >

GutenKit <= 2.2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46253

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor

Researcher

Khalid Yusuf

More Details >

HTML Forms <= 1.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46236

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
HTML Forms – Simple WordPress Forms Plugin

Researcher

muhammad yudha

More Details >

Image Hover Effects For WPBakery Page Builder <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46484

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Image Hover Effects For WPBakery Page Builder

Researcher

muhammad yudha

More Details >

Image Style Hover <= 1.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46534

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Image Style Hover – Displays content when you hover on image

Researcher

johska

More Details >

Inline Text Popup <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46538

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Inline Text Popup

Researcher

johska

More Details >

Link Library <= 7.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46237

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Link Library

Researcher

muhammad yudha

More Details >

List Last Changes <= 1.2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46238

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
List Last Changes

Researcher

muhammad yudha

More Details >

Lottie Player <= 1.1.8 – Authenticated (Author+) Stored Cross-Site Scripting via File Upload

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-2579

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
Lottie Player- Great Lottie Player Solution

Researcher

Avraham Shemesh

More Details >

Mad Mimi for WordPress <= 1.5.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46262

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Mad Mimi for WordPress

Researcher

0x1ceKing

More Details >

Mini twitter feed <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46496

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Mini twitter feed

Researcher

johska

More Details >

Mixcloud Embed <= 2.2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46501

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Mixcloud Embed

Researcher

johska

More Details >

MPL-Publisher <= 2.18.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46226

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
MPL-Publisher — Ebook & Audiobook Creator

Researcher

muhammad yudha

More Details >

Multi-Column Taxonomy List <= 1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46491

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Multi-Column Taxonomy List

Researcher

johska

More Details >

Nepali Post Date <= 5.1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46480

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Nepali Post Date

Researcher

muhammad yudha

More Details >

Ocean Extra <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘ocean_gallery_id’

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3458

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
Ocean Extra

Researcher

muhammad yudha

More Details >

Ocean Extra <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3457

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
Ocean Extra

Researcher

muhammad yudha

More Details >

Peadig’s Google +1 Button <= 0.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46483

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Peadig’s Google +1 Button

Researcher

johska

More Details >

Peekaboo <= 1.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46505

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Peekaboo

Researcher

johska

More Details >

Post in page for Elementor <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46225

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Post in page for Elementor

Researcher

Gab

More Details >

Posts for Page <= 2.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-39369

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Posts for Page

Researcher

theviper17y

More Details >

RAphicon <= 2.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46467

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
RAphicon

Researcher

johska

More Details >

RRSSB <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46461

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
RRSSB

Researcher

johska

More Details >

Simple Download Counter <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46240

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Simple Download Counter

Researcher

muhammad yudha

More Details >

Simple Google Photos Grid <= 1.5 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46503

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Simple Google Photos Grid

Researcher

ch4r0n

More Details >

Sirv <= 7.5.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46233

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Image Optimizer, Resizer and CDN – Sirv

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

SKT Blocks <= 2.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46235

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
SKT Blocks – Gutenberg based Page Builder

Researcher

zaim

More Details >

Sky Addons for Elementor <= 3.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46260

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery)

Researcher

João Pedro Soares de Alcântara

More Details >

Tax Switch for WooCommerce <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via class-name Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3814

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
Tax Switch for WooCommerce

Researcher

Peter Thaleikis

More Details >

The Pack Elementor addons <= 2.1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46472

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
The Pack Elementor addon

Researcher

Michael

More Details >

Theme Switcha <= 3.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46239

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Theme Switcha – Easily Switch Themes for Development and Testing

Researcher

muhammad yudha

More Details >

Tooltip <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46532

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WordPress Tooltip

Researcher

johska

More Details >

UiCore Elements – Free Elementor widgets and templates <= 1.0.16 – Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-1054

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
UiCore Elements – Free Elementor widgets and templates

Researcher

Webbernaut

More Details >

Visual Composer Website Builder <= 45.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46254

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Visual Composer Website Builder

Researcher

muhammad yudha

More Details >

WoWHead Tooltips <= 2.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46449

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WoWHead Tooltips

Researcher

johska

More Details >

WP AVCL Automation Helper (formerly WPFlyLeads) <= 3.4 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46531

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP AVCL Automation Helper (formerly WPFlyLeads)

Researcher

ch4r0n

More Details >

WP Custom Post Popup <= 1.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46471

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP Custom Post Popup

Researcher

johska

More Details >

WP Import Export Lite <= 3.9.27 – Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-2839

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
WP Import Export Lite

Researcher

Webbernaut

More Details >

WP Quiz <= 2.0.10 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46482

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Best Quiz Plugin for WordPress: WP Quiz

Researcher

muhammad yudha

More Details >

WP Vegas <= 2.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-43841

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
WP Vegas

Researcher

johska

More Details >

Xpert Tab <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46542

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Xpert Tab

Researcher

johska

More Details >

Zoho Creator Forms <= 1.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-46453

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Zoho Creator Forms

Researcher

johska

More Details >

1 Decembrie 1918 <= 1.dec.2012 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-3870

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
1 Decembrie 1918

Researcher

johska

More Details >

ACF: Google Font Selector <= 3.0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39382

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
ACF: Google Font Selector

Researcher

Dimas Maulana

More Details >

Add Google +1 (Plus one) social share Button <= 1.0.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-3866

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Add Google +1 (Plus one) social share Button

Researcher

johska

More Details >

Advanced lazy load <= 1.6.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46508

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Advanced lazy load

Researcher

johska

More Details >

Ajax Comment Form CST <= 1.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-3867

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Ajax Comment Form CST

Researcher

johska

More Details >

Anything Popup <= 7.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39397

Patch Status
Unpatched

Published
Apr 21, 2025

Affected Software
Anything Popup

Researcher

Dimas Maulana

More Details >

Best Posts Summary <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39374

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Best Posts Summary

Researcher

johska

More Details >

CheckBot <= 1.05 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-43840

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
CheckBot

Researcher

johska

More Details >

Contact Form 7 Calendar <= 3.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46510

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Contact Form 7 Calendar

Researcher

johska

More Details >

Control Listings <= 1.0.4.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46234

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Control Listings – Classifieds Ads Directory Portal Manager

Researcher

Aiden (Thái An)

More Details >

Custom Admin-Bar Favorites <= 0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-3868

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Custom Admin-Bar Favorites

Researcher

johska

More Details >

Custom Functions Plugin <= 1.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46512

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Custom Functions Plugin

Researcher

johska

More Details >

Document Management System <= 1.24 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46448

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Document Management System

Researcher

Nguyen Xuan Chien

More Details >

Drop Caps <= 2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46495

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Drop Caps

Researcher

johska

More Details >

Google News <= 2.5.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46452

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Google News

Researcher

Nguyen Xuan Chien

More Details >

Hospital Management System <= 47.0(20-11-2023) – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39393

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
Hospital Management System for WordPress

Researcher

Aiden (Thái An)

More Details >

Libro de Reclamaciones <= 1.0.1 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46446

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Libro de Reclamaciones

Researcher

Nguyen Xuan Chien

More Details >

Loan Calculator <= 1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46442

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Loan Calculator

Researcher

Nabil Irawan

More Details >

LSD Custom taxonomy and category meta <= 1.3.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46502

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
LSD Custom taxonomy and category meta

Researcher

johska

More Details >

Milat jQuery Automatic Popup <= 1.3.1 – Cross-Site Request Forgery to Stored Cross-site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46514

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Milat jQuery Automatic Popup

Researcher

johska

More Details >

My Custom Widgets <= 2.0.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46526

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
My Custom Widgets

Researcher

johska

More Details >

occupancyplan <= 1.0.3.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46450

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
occupancyplan

Researcher

Nguyen Xuan Chien

More Details >

Related Posts via Taxonomies <= 1.0.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46520

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Related Posts via Taxonomies

Researcher

johska

More Details >

Tayori Form <= 1.2.9 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46437

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Tayori Form Plugin

Researcher

Nguyen Xuan Chien

More Details >

Time Based Greeting <= 2.2.2 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46435

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Time Based Greeting

Researcher

Nguyen Xuan Chien

More Details >

Twitter Card Generator <= 1.0.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46516

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Twitter Card Generator

Researcher

johska

More Details >

User Registration <= 4.1.5 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39400

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Researcher

Psai

More Details >

Vasaio QR Code <= 1.2.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46504

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Vasaio QR Code

Researcher

johska

More Details >

VikRestaurants Table Reservations and Take-Away <= 1.3.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46251

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
VikRestaurants Table Reservations and Take-Away

Researcher

Dhabaleshwar Das

More Details >

WordPress Events Calendar Registration & Tickets <= 2.6.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39372

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
WordPress Events Calendar Registration & Tickets

Researcher

Bonds

More Details >

Wp Custom CMS Block <= 2.1 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46457

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Wp Custom CMS Block

Researcher

johska

More Details >

WP Filter Post Category <= 2.1.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46524

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP Filter Post Category

Researcher

johska

More Details >

wProject < 5.8.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-39365

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
wProject

Researcher

Dave Jong

More Details >

WpZon – Amazon Affiliate Plugin <= 1.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-46506

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WpZon – Amazon Affiliate Plugin

Researcher

johska

More Details >

Confirm User Registration <= 2.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-46459

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Confirm User Registration

Researcher

Nabil Irawan

More Details >

Send From <= 2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-46469

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Send From

Researcher

Nabil Irawan

More Details >

WP Customize Login Page <= 1.6.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-46477

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP Customize Login Page

Researcher

Nabil Irawan

More Details >

Prevent Direct Access 2.8.6 – 2.8.8.2 – Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-3861

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Prevent Direct Access – Protect WordPress Files

Researcher

0xbro

More Details >

Print Science Designer <= 1.3.155 – Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-46465

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Print Science Designer

Researcher

Skalucy

More Details >

Advanced Linked Variations for Woocommerce <= 1.0.3 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-46244

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Advanced Linked Variations for Woocommerce

Researcher

ch4r0n

More Details >

Appointment Booking Calendar <= 1.3.92 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-46247

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Appointment Booking Calendar

Researcher

timomangcut

More Details >

Bulk Assign Linked Products For WooCommerce <= 2.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-46489

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Bulk Assign Linked Products For WooCommerce

Researcher

ch4r0n

More Details >

JNews <= 11.6.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-39373

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
JNews – WordPress Newspaper Magazine Blog AMP Theme

Researcher

Ananda Dhakal

More Details >

Memberpress <= 1.11.37 – Unauthenticated Content Restriction Bypass to Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11299

Patch Status
Patched

Published
Apr 21, 2025

Affected Software
Memberpress

Researcher

Francesco Carlucci

More Details >

Prevent Direct Access – Protect WordPress Files <= 2.8.8 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-3923

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Prevent Direct Access – Protect WordPress Files

Researcher

Tom Broucke

More Details >

Reales WP – Real Estate WordPress Theme <= 2.1.2 – Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-13307

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Reales WP – Real Estate WordPress Theme

Researcher

Lucio Sá

More Details >

Upsell Funnel Builder for WooCommerce <= 3.0.0 – Unauthenticated Order Manipulation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-3743

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Upsell Funnel Builder for WooCommerce

Researcher

p4

More Details >

WP Customize Login Page <= 1.6.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-46485

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP Customize Login Page

Researcher

Nabil Irawan

More Details >

wProject < 5.8.0 – Missing Authorization to Unauthenticated Content Modification and Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-39350

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
wProject

Researcher

Dave Jong

More Details >

WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 – Missing Authorization to Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-3912

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
WS Form LITE – Drag & Drop Contact Form Builder for WordPress

Researcher

Amin Beheshti

More Details >

Absolute Links <= 1.1.1 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-43833

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Absolute Links

Researcher

0x1ceKing

More Details >

Contact Form by Bit Form <= 2.18.3 – Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-2580

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder

Researcher

Avraham Shemesh

More Details >

iCafe Library <= 1.8.3 – Authenticated (Editor+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-39370

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
iCafe Library

Researcher

0x1ceKing

More Details >

Message Filter for Contact Form 7 <= 1.6.3.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-46252

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Message Filter for Contact Form 7

Researcher

Phat RiO – BlueRock

More Details >

Watu Quiz <= 3.4.3 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-46242

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Watu Quiz

Researcher

astra.r3verii

More Details >

Blog Manager WP <= 1.0.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46517

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Blog Manager WP

Researcher

Nabil Irawan

More Details >

Business Contact Widget <= 2.7.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46529

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Business Contact Widget

Researcher

Nabil Irawan

More Details >

cookieBAR <= 1.7.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-43834

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
cookieBAR

Researcher

Nabil Irawan

More Details >

COVID-19 (Coronavirus) Update Your Customers <= 1.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46523

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
COVID-19 (Coronavirus) Update Your Customers

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Floating Social Bar <= 1.1.7 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46451

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Floating Social Bar

Researcher

Nabil Irawan

More Details >

Landing pages and Domain aliases for WordPress <= 0.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46533

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Landing pages and Domain aliases for WordPress

Researcher

Nabil Irawan

More Details >

MangBoard WP <= 1.8.6 – Authenticated (Administrator+) Stored Cross-Site Scripting via Board Header And Footer

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-3435

Patch Status
Patched

Published
Apr 23, 2025

Affected Software
Mang Board WP

Researcher

nquangit

More Details >

Seriously Simple Podcasting <= 3.9.0 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46261

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Seriously Simple Podcasting

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Textmetrics <= 3.6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46229

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Textmetrics

Researcher

Nabil Irawan

More Details >

VForm <= 3.1.14 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46250

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Lifetime free Drag & Drop Contact Form Builder for WordPress VForm

Researcher

0xVenus

More Details >

WP Cookie Consent <= 1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46525

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP Cookie Consent

Researcher

Nabil Irawan

More Details >

WP-reCAPTCHA-bp <= 4.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46541

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WP-reCAPTCHA-bp

Researcher

Nabil Irawan

More Details >

WS Force Login Page <= 3.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-46521

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WS Force Login Page

Researcher

Nabil Irawan

More Details >

Aeropage Sync for Airtable <= 3.2.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-3915

Patch Status
Patched

Published
Apr 25, 2025

Affected Software
Aeropage Sync for Airtable

Researcher

Chuck

More Details >

affiliate-toolkit <= 3.7.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46231

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
affiliate-toolkit – WP Affiliate Plugin with Amazon

Researcher

stealthcopter

More Details >

All in One Time Clock Lite <= 1.3.324 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46513

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier

Researcher

Nabil Irawan

More Details >

Author Box Plugin With Different Description <= 1.3.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-39371

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Author Box Plugin With Different Description

Researcher

johska

More Details >

Availability Calendar <= 0.2.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46528

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Availability Calendar

Researcher

johska

More Details >

Call Now PHT Blog <= 2.4.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46492

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Call Now PHT Blog

Researcher

johska

More Details >

Car Park Booking System for WordPress <= 2.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-39376

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
Car Park Booking System for WordPress

Researcher

Ananda Dhakal

More Details >

CM Ad Changer <= 2.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46245

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
CM Ad Changer – A simple tool to control and optimize your site’s banners

Researcher

ch4r0n

More Details >

CM Answers <= 3.3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46246

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
CM Answers – Easy-to-use forum to grow your WP community

Researcher

ch4r0n

More Details >

Custom Login and Registration <= 1.0.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46535

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Custom Login and Registration

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

Download Alt Text AI <= 1.9.93 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46232

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Alt Text AI – Automatically generate image alt text for SEO and accessibility

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Easy Child Theme Creator <= 1.3.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-39375

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
Easy Child Theme Creator

Researcher

Nguyen Xuan Chien

More Details >

Hacklog Remote Attachment <= 1.3.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46530

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Hacklog Remote Attachment

Researcher

johska

More Details >

Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue <= 4.2.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-39398

Patch Status
Unpatched

Published
Apr 22, 2025

Affected Software
bellevuex

Researcher

Ananda Dhakal

More Details >

Media Library Downloader <= 1.3.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46519

Patch Status
Patched

Published
Apr 24, 2025

Affected Software
Media Library Downloader

Researcher

ch4r0n

More Details >

Modern Polls <= 1.0.10 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46466

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Modern Polls

Researcher

Skalucy

More Details >

Navegg Analytics <= 3.3.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46497

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Navegg Analytics

Researcher

johska

More Details >

PayPal Express Checkout <= 2.1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46499

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
PayPal Express Checkout

Researcher

johska

More Details >

Recover abandoned cart for WooCommerce <= 2.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46243

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Recover abandoned cart for WooCommerce

Researcher

ch4r0n

More Details >

SCSS-Library <= 0.4.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46436

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
SCSS-Library

Researcher

Nguyen Xuan Chien

More Details >

Simple calendar for Elementor <= 1.6.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46249

Patch Status
Patched

Published
Apr 22, 2025

Affected Software
Simple calendar for Elementor

Researcher

haudayroi

More Details >

Smart Hashtags [#hashtagger] <= 7.2.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46470

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Smart Hashtags [#hashtagger]

Researcher

domiee13

More Details >

Tabs <= 4.0.3 – Cross-Site Request Forgery to Stored Cross-Site Scripting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46522

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WordPress Tabs

Researcher

johska

More Details >

Unsafe Mimetypes <= 0.1.4 – Cross-Site Request Forgery to Stored Cross-Site Scripting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46507

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Unsafe Mimetypes

Researcher

lucky_buddy

More Details >

Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 – Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-1284

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print)

Researcher

Lucio Sá

More Details >

wp-cyr-cho <= 0.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-43835

Patch Status
Unpatched

Published
Apr 25, 2025

Affected Software
wp-cyr-cho | Конвертира кирилски символи в латиниски

Researcher

Nabil Irawan

More Details >

WPVN <= 0.7.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46462

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
WPVN – Username Changer

Researcher

Skalucy

More Details >

Zalo Official Live Chat <= 1.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-46498

Patch Status
Unpatched

Published
Apr 24, 2025

Affected Software
Zalo Official Live Chat

Researcher

haudayroi

More Details >

Buddypress Force Password Change <= 0.1 – Authenticated (Subscriber+) Account Takeover via Password Update

4.2

CVSS Rating
Medium (4.2)

CVE-ID
CVE-2025-3793

Patch Status
Unpatched

Published
Apr 23, 2025

Affected Software
Buddypress Force Password Change

Researcher

kr0d

More Details >