Wordfence Intelligence Weekly WordPress Vulnerability Report (May 5, 2025 to May 11, 2025)

In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.  

Last week, there were 222 vulnerabilities disclosed in 202 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 66 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 26,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• TheGem <= 5.10.3 – Authenticated (Subscriber+) Arbitrary File Upload
• WAF-RULE-827 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-829 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-830 – Data redacted while we work with the vendor on a patch.
• WAF-RULE-831 – Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Nabil Irawan	33
muhammad yudha	28
Nguyen Xuan Chien	16
domiee13	10
kr0d	10
zaim	8
Trương Hữu Phúc (truonghuuphuc)	7
István Márton	6
ch4r0n	6
Ngo Bui Truong Vu	5
timomangcut	5
Peter Thaleikis	5
theviper17y	4
johska	4
LVT-tholv2k	4
Denver Jackson	3
stealthcopter	3
wesley (wcraft)	3
Cút lộn xào me	3
Foxyyy	3
mikemyers	2
m3ssap0	2
Kévin Mosbahi (Mika)	2
Michael	2
Marek Mikita	2
zer0gh0st	2
Ryan Kozak	2
João Pedro Soares de Alcântara	2
haudayroi	2
astra.r3verii	2
Gilang	2
Phat Do	1
Phat RiO – BlueRock	1
0xd4rk5id3	1
Asaf Mozes	1
Noah Stead (TurtleBurg)	1
Jorgson	1
lucky_buddy	1
SavPhill (Savphill)	1
Muhamad Visat	1
Nguyen Ngoc Quang Bach (maysbachs)	1
Alyudin Nafiie	1
Truoc Phan	1
Chu The Anh	1
Lucio Sá	1
Jack Taylor	1
jh_hack	1
Prissy	1
ChuongVN	1
Nguyễn Trung Kiên	1
Milinxee	1
Ibrahim Mohammad	1
Chuck	1
Hiroho Shimada	1
Le Ngoc Anh	1
Régis SENET	1
HLog	1
tratt	1
TaiYou	1
Skalucy	1
Nicolai Hellesnes (nico_)	1
Snurkeburk	1
SashaRyba	1
R4mbb	1
Kate Kligman (Sunsword)	1
Avraham Shemesh	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

Ajar in5 Embed <= 3.1.5 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47642

Patch Status
Unpatched

Published
May 9, 2025

Affected Software
Ajar in5 Embed

Researcher

LVT-tholv2k

More Details >

BuddyBoss Platform Pro <= 2.7.01 – Authentication Bypass via Apple OAuth provider

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-1909

Patch Status
Patched

Published
May 5, 2025

Affected Software
BuddyBoss Platform Pro

Researcher

István Márton

More Details >

CoinPayments.net Payment Gateway for WooCommerce <= 1.0.17 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47532

Patch Status
Patched

Published
May 7, 2025

Affected Software
CoinPayments.net Payment Gateway for WooCommerce

Researcher

timomangcut

More Details >

Drag and Drop Multiple File Upload for WooCommerce <= 1.1.6 – Unauthenticated Arbitrary File Upload via upload Function

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-4403

Patch Status
Patched

Published
May 8, 2025

Affected Software
Drag and Drop Multiple File Upload for WooCommerce

Researcher

Milinxee

More Details >

Envolve Plugin <= 1.0 – Unauthenticated Arbitrary File Upload via language_file and fonts_file

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2024-11617

Patch Status
Patched

Published
May 8, 2025

Affected Software
Envolve Plugin

Researcher

Foxyyy

More Details >

Eventin <= 4.0.26 – Missing Authorization to Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47539

Patch Status
Patched

Published
May 7, 2025

Affected Software
Event Manager, Events Calendar, Tickets, Registrations – Eventin

Researcher

Denver Jackson

More Details >

Frontend Dashboard 1.0 – 2.2.6 – Missing Authorization to Unauthenticated Privilege Escalation via fed_wp_ajax_fed_login_form_post Function

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-4104

Patch Status
Patched

Published
May 6, 2025

Affected Software
Frontend Dashboard

Researcher

kr0d

More Details >

Frontend Login and Registration Blocks <= 1.0.7 – Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-3605

Patch Status
Unpatched

Published
May 8, 2025

Affected Software
Frontend Login and Registration Blocks

Researcher

kr0d

More Details >

IMITHEMES Listing <= 3.3 – Unauthenticated Privilege Escalation via Unverified Password Reset

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-2253

Patch Status
Patched

Published
May 8, 2025

Affected Software
IMITHEMES Listing

Researcher

Alyudin Nafiie

More Details >

PeproDev Ultimate Profile Solutions 1.9.1 – 7.5.2 – Authentication Bypass to Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-3844

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
PeproDev Ultimate Profile Solutions

Researcher

kr0d

More Details >

PGS Core <= 5.8.0 – Unauthenticated PHP Object Injection

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-0855

Patch Status
Patched

Published
May 6, 2025

Affected Software
PGS Core

Researcher

István Márton

More Details >

PSW Front-end Login & Registration <= 1.12 – Authentication Bypass

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47646

Patch Status
Unpatched

Published
May 8, 2025

Affected Software
PSW Front-end Login & Registration

Researcher

LVT-tholv2k

More Details >

StoreKeeper for WooCommerce <= 14.4.4 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47687

Patch Status
Unpatched

Published
May 9, 2025

Affected Software
StoreKeeper for WooCommerce

Researcher

Cút lộn xào me

More Details >

WP Job Portal <= 2.3.1 – Unauthenticated Local File Inclusion

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-47438

Patch Status
Patched

Published
May 8, 2025

Affected Software
WP Job Portal – A Complete Recruitment System for Company or Job Board website

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

WPBookit <= 1.0.2 – Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-3810

Patch Status
Patched

Published
May 8, 2025

Affected Software
WPBookit

Researcher

kr0d

More Details >

WPBookit <= 1.0.2 – Insecure Direct Object Reference to Unauthenticated Privilege Escalation via Email Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-3811

Patch Status
Patched

Published
May 8, 2025

Affected Software
WPBookit

Researcher

kr0d

More Details >

1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 – Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3455

Patch Status
Unpatched

Published
May 8, 2025

Affected Software
1 Click WordPress Migration Plugin – 100% FREE for a limited time

Researcher

Kate Kligman (Sunsword)

More Details >

Challan <= 3.7.58 – Cross-Site Request Forgery to Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47462

Patch Status
Patched

Published
May 7, 2025

Affected Software
Challan – PDF Invoice & Packing Slip for WooCommerce

Researcher

LVT-tholv2k

More Details >

Display Eventbrite Events <= 6.2.6 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47510

Patch Status
Patched

Published
May 7, 2025

Affected Software
Display Eventbrite Events

Researcher

muhammad yudha

More Details >

Download Monitor <= 5.0.22 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47439

Patch Status
Patched

Published
May 7, 2025

Affected Software
Download Monitor

Researcher

João Pedro Soares de Alcântara

More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.2.7 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47658

Patch Status
Unpatched

Published
May 8, 2025

Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System

Researcher

Phat RiO – BlueRock

More Details >

EventON <= 2.4.1 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47494

Patch Status
Patched

Published
May 7, 2025

Affected Software
EventON – Events Calendar

Researcher

zaim

More Details >

External image replace <= 1.0.8 – Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-4279

Patch Status
Unpatched

Published
May 5, 2025

Affected Software
External image replace

Researcher

István Márton

More Details >

GamiPress <= 7.3.7 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47508

Patch Status
Patched

Published
May 7, 2025

Affected Software
GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress

Researcher

muhammad yudha

More Details >

Hotel Booking <= 3.6 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47498

Patch Status
Patched

Published
May 7, 2025

Affected Software
Hotel Booking

Researcher

muhammad yudha

More Details >

Lead Form Data Collection to CRM <= 3.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47690

Patch Status
Unpatched

Published
May 9, 2025

Affected Software
Lead Form Data Collection to CRM

Researcher

LVT-tholv2k

More Details >

List category posts <= 0.90.3 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47636

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
List category posts

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Open Close WooCommerce Store <= 4.9.5 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47649

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Open Close WooCommerce Store – Best Business Schedules Manager

Researcher

muhammad yudha

More Details >

PublishPress Authors <= 4.7.5 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47496

Patch Status
Patched

Published
May 7, 2025

Affected Software
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors

Researcher

muhammad yudha

More Details >

Reales WP STPT <= 2.1.2 – Authenticated (Subscriber+) Privilege Escalation via Password Update

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3610

Patch Status
Unpatched

Published
May 5, 2025

Affected Software
Reales WP STPT

Researcher

Foxyyy

More Details >

SMS Alert Order Notifications – WooCommerce <= 3.8.1 – Authenticated (Subscriber+) Privilege Escalation via handleWpLoginCreateUserAction Function

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3876

Patch Status
Patched

Published
May 9, 2025

Affected Software
SMS Alert Order Notifications – WooCommerce

Researcher

wesley (wcraft)

More Details >

Woocommerce Multiple Addresses <= 1.0.7.1 – Authenticated (Subscriber+) Privilege Escalation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-4335

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
Woocommerce Multiple Addresses

Researcher

Chuck

More Details >

WordPress Review Plugin: The Ultimate Solution for Building a Review Website <= 5.3.5 – Authenticated (Contributor+) Local File Inclusion via Post Custom Fields

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-2158

Patch Status
Unpatched

Published
May 9, 2025

Affected Software
WordPress Review Plugin: The Ultimate Solution for Building a Review Website

Researcher

Hiroho Shimada

More Details >

WP-Recall <= 16.26.14 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47653

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WP-Recall – Registration, Profile, Commerce & More

Researcher

muhammad yudha

More Details >

WPAdverts <= 2.2.2 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47440

Patch Status
Patched

Published
May 7, 2025

Affected Software
WPAdverts – Classifieds Plugin

Researcher

zaim

More Details >

WPshop 2 – E-Commerce 2.0.0 – 2.6.0 – Authenticated (Subscriber+) Privilege Escalation via Account Takeover

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-3852

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
WPshop 2 – E-Commerce

Researcher

kr0d

More Details >

XT Event Widget for Social Events <= 1.1.7 – Authenticated (Contributor+) Local File Inclusion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-47531

Patch Status
Patched

Published
May 7, 2025

Affected Software
XT Event Widget for Social Events

Researcher

timomangcut

More Details >

PeproDev Ultimate Profile Solutions 1.9.1 – 7.5.2 – Missing Authorization to Limited Unauthenticated Arbitrary User Meta Update via handel_ajax_req Function

8.2

CVSS Rating
High (8.2)

CVE-ID
CVE-2025-3921

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
PeproDev Ultimate Profile Solutions

Researcher

kr0d

More Details >

belingoGeo <= 1.12.0 – Unauthenticated Arbitrary File Download

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-47603

Patch Status
Unpatched

Published
May 9, 2025

Affected Software
belingoGeo

Researcher

Nguyen Xuan Chien

More Details >

Event Manager, Events Calendar, Tickets, Registrations – Eventin <= 4.0.26 – Unauthenticated Arbitrary File Read

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-3419

Patch Status
Patched

Published
May 7, 2025

Affected Software
Event Manager, Events Calendar, Tickets, Registrations – Eventin

Researcher

mikemyers

More Details >

Graphina <= 3.0.4 – Cross-Site Request Forgery to Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-47533

Patch Status
Patched

Published
May 7, 2025

Affected Software
Graphina – Elementor Charts and Graphs

Researcher

timomangcut

More Details >

PGS Core <= 5.8.0 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-0853

Patch Status
Patched

Published
May 6, 2025

Affected Software
PGS Core

Researcher

István Márton

More Details >

Productive Commerce <= 1.1.22 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-47657

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Productive Commerce – WooCommerce Wishlist, Compare, Quick View, & MiniCart

Researcher

Cút lộn xào me

More Details >

Slider & Popup Builder by Depicter <= 3.6.1 – Unauthenticated SQL Injection via ‘s’ Parameter

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-2011

Patch Status
Patched

Published
May 5, 2025

Affected Software
Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel

Researcher

Muhamad Visat

More Details >

SMS Alert Order Notifications – WooCommerce <= 3.8.2 – Unauthenticated SQL Injection

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-47682

Patch Status
Patched

Published
May 8, 2025

Affected Software
SMS Alert Order Notifications – WooCommerce

Researcher

astra.r3verii

More Details >

LayoutBoxx <= 0.3.1 – Unauthenticated Arbitrary Shortcode Execution

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2025-2802

Patch Status
Unpatched

Published
May 5, 2025

Affected Software
LayoutBoxx

Researcher

Avraham Shemesh

More Details >

PGS Core <= 5.8.0 – Missing Authorization via Multiple Functions

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2025-0856

Patch Status
Patched

Published
May 6, 2025

Affected Software
PGS Core

Researcher

István Márton

More Details >

Wolmart | Multi-Vendor Marketplace WooCommerce Theme <= 1.8.11 – Unauthenticated Arbitrary Shortcode Execution in wolmart_loadmore

7.3

CVSS Rating
High (7.3)

CVE-ID
CVE-2024-13793

Patch Status
Patched

Published
May 7, 2025

Affected Software
Wolmart | Multi-Vendor Marketplace WooCommerce Theme

Researcher

Lucio Sá

More Details >

BEAF <= 4.6.10 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-47549

Patch Status
Patched

Published
May 7, 2025

Affected Software
Ultimate Before After Image Slider & Gallery – BEAF

Researcher

Ryan Kozak

More Details >

Instantio <= 3.3.16 – Authenticated (Admin+) Arbitrary File Upload

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-47550

Patch Status
Patched

Published
May 7, 2025

Affected Software
Instantio – WooCommerce Quick Checkout | Direct Checkout, Floating Cart, Side Cart & Popup Cart

Researcher

Ryan Kozak

More Details >

Ultimate Member <= 2.10.3 – Authenticated (Administrator+) Arbitrary Function Call

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-47691

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Wbcom Designs – Activity Link Preview For BuddyPress <= 1.4.4 – Unauthenticated Server-Side Request Forgery

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-47548

Patch Status
Patched

Published
May 7, 2025

Affected Software
Wbcom Designs – Activity Link Preview For BuddyPress

Researcher

HLog

More Details >

WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg <= 4.1.1.2 – Authenticated (Administrator+) Arbitrary File Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-4206

Patch Status
Patched

Published
May 8, 2025

Affected Software
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg

Researcher

Phat Do

More Details >

WP Maintenance <= 6.1.9.7 – Authenticated (Administrator+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-47683

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WP Maintenance

Researcher

Ngo Bui Truong Vu

More Details >

WP-CRM System <= 3.4.2 – Authenticated (Administrator+) PHP Object Injection

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-47629

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WordPress CRM Plugin – WP-CRM System

Researcher

Ngo Bui Truong Vu

More Details >

GS Testimonial Slider <= 3.2.9 – Unauthenticated Arbitrary Shortcode Execution

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-47481

Patch Status
Patched

Published
May 7, 2025

Affected Software
A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials

Researcher

theviper17y

More Details >

Ultimate WP Mail <= 1.3.4 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-47490

Patch Status
Patched

Published
May 7, 2025

Affected Software
Ultimate WP Mail

Researcher

Cút lộn xào me

More Details >

WPshop 2 – E-Commerce 2.0.0 – 2.6.0 – Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Key Generation

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-3853

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
WPshop 2 – E-Commerce

Researcher

kr0d

More Details >

aBlocks <= 1.9.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47616

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
aBlocks – WordPress Gutenberg Blocks

Researcher

Prissy

More Details >

Ajax Load More <= 7.3.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47630

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WordPress Infinite Scroll – Ajax Load More

Researcher

muhammad yudha

More Details >

Awesome Gallery <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47632

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Awesome Gallery

Researcher

muhammad yudha

More Details >

Beds24 Online Booking <= 2.0.29 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47489

Patch Status
Patched

Published
May 7, 2025

Affected Software
Beds24 Online Booking

Researcher

Peter Thaleikis

More Details >

Better Search <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47507

Patch Status
Patched

Published
May 7, 2025

Affected Software
Better Search – Relevant search results for WordPress

Researcher

muhammad yudha

More Details >

Blockspare <= 3.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47495

Patch Status
Patched

Published
May 7, 2025

Affected Software
BlockSpare: Gutenberg Blocks & Patterns for Blogs, Magazines, Business Sites – Post Grids, Sliders, Carousels, Counters, Page Builder & Starter Site Imports, No Coding Needed

Researcher

zaim

More Details >

Bold Page Builder <= 5.3.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47488

Patch Status
Patched

Published
May 7, 2025

Affected Software
Bold Page Builder

Researcher

Peter Thaleikis

More Details >

CarDealerPress <= 6.8.2505.00 – Authenticated (Contributor+) Stored Cross-Site Scripting via saleclass Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3860

Patch Status
Patched

Published
May 6, 2025

Affected Software
CarDealerPress

Researcher

Peter Thaleikis

More Details >

CBX Map for Google Map & OpenStreetMap <= 1.1.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47669

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
CBX Map for Google Map & OpenStreetMap

Researcher

zaim

More Details >

CC BMI Calculator <= 2.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47442

Patch Status
Patched

Published
May 7, 2025

Affected Software
CC BMI Calculator

Researcher

muhammad yudha

More Details >

Cision Block <= 4.3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3782

Patch Status
Patched

Published
May 5, 2025

Affected Software
Cision Block

Researcher

Peter Thaleikis

More Details >

Content Control <= 2.6.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47501

Patch Status
Patched

Published
May 7, 2025

Affected Software
Content Control – The Ultimate Content Restriction Plugin! Restrict Content, Create Conditional Blocks & More

Researcher

muhammad yudha

More Details >

Contest Gallery <= 26.0.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3862

Patch Status
Patched

Published
May 7, 2025

Affected Software
Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons

Researcher

stealthcopter

More Details >

Contextual Related Posts <= 4.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47506

Patch Status
Patched

Published
May 7, 2025

Affected Software
Contextual Related Posts

Researcher

muhammad yudha

More Details >

Cost Calculator for Elementor <= 1.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47476

Patch Status
Patched

Published
May 7, 2025

Affected Software
Cost Calculator for Elementor

Researcher

Michael

More Details >

Custom Checkout Fields for WooCommerce <= 1.8.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47504

Patch Status
Patched

Published
May 7, 2025

Affected Software
Custom Checkout Fields for WooCommerce

Researcher

muhammad yudha

More Details >

DELUCKS SEO <= 2.5.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47686

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
DELUCKS SEO

Researcher

muhammad yudha

More Details >

Display Remote Posts Block <= 1.1.0 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47484

Patch Status
Patched

Published
May 7, 2025

Affected Software
Display Remote Posts Block

Researcher

theviper17y

More Details >

Easy Replace Image <= 3.5.0 – Authenticated (Contributor+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47483

Patch Status
Patched

Published
May 7, 2025

Affected Software
Easy Replace Image

Researcher

theviper17y

More Details >

Ebook Store <= 5.8007 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47589

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Ebook Store

Researcher

timomangcut

More Details >

Inline Related Posts <= 3.8.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47604

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Inline Related Posts

Researcher

muhammad yudha

More Details >

Jeg Elementor Kit <= 2.6.12 – Authenticated (Contributor+) Stored Cross-Site Scripting via Video Button and Countdown Widgets

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-2944

Patch Status
Patched

Published
May 9, 2025

Affected Software
Jeg Elementor Kit

Researcher

zer0gh0st

More Details >

JupiterX Core <= 4.8.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47475

Patch Status
Patched

Published
May 7, 2025

Affected Software
Jupiter X Core

Researcher

Michael

More Details >

Logo Showcase <= 3.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47497

Patch Status
Patched

Published
May 7, 2025

Affected Software
Logo Showcase

Researcher

muhammad yudha

More Details >

Meks Flexible Shortcodes <= 1.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47621

Patch Status
Patched

Published
May 7, 2025

Affected Software
Meks Flexible Shortcodes

Researcher

muhammad yudha

More Details >

Meow Gallery <= 5.2.7 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47449

Patch Status
Patched

Published
May 7, 2025

Affected Software
Meow Gallery

Researcher

R4mbb

More Details >

Mollie Forms <= 2.7.12 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47502

Patch Status
Patched

Published
May 7, 2025

Affected Software
Mollie Forms

Researcher

muhammad yudha

More Details >

Multiple Post Type Order <= 1.10.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via mpto Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4055

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
Multiple Post Type Order

Researcher

Gilang

More Details >

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 – Authenticated (Custom) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3468

Patch Status
Patched

Published
May 7, 2025

Affected Software
NEX-Forms – Ultimate Forms Plugin for WordPress

Researcher

m3ssap0

More Details >

NGG Smart Image Search <= 3.3.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47503

Patch Status
Patched

Published
May 7, 2025

Affected Software
NGG Smart Image Search

Researcher

muhammad yudha

More Details >

Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery <= 2.7.7.25 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47677

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Photo Gallery – GT3 Image Gallery & Gutenberg Block Gallery

Researcher

muhammad yudha

More Details >

Product Time Countdown for WooCommerce <= 1.6.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47505

Patch Status
Patched

Published
May 7, 2025

Affected Software
Product Time Countdown for WooCommerce

Researcher

muhammad yudha

More Details >

Progress Bar <= 2.2.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47441

Patch Status
Patched

Published
May 7, 2025

Affected Software
Progress Bar

Researcher

muhammad yudha

More Details >

Royal Elementor Addons <= 1.7.1017 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-39361

Patch Status
Patched

Published
May 7, 2025

Affected Software
Royal Elementor Addons and Templates

Researcher

João Pedro Soares de Alcântara

More Details >

RS WP Book Showcase <= 6.7.40 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47679

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
RS WP Book Showcase – A Complete Book Catalogue & Library System

Researcher

Peter Thaleikis

More Details >

SendPulse Email Marketing Newsletter <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47547

Patch Status
Patched

Published
May 7, 2025

Affected Software
SendPulse Email Marketing Newsletter

Researcher

jh_hack

More Details >

Simple Blog Stats <= 20250416 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47499

Patch Status
Patched

Published
May 7, 2025

Affected Software
Simple Blog Stats

Researcher

muhammad yudha

More Details >

SKT Skill Bar <= 2.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47482

Patch Status
Patched

Published
May 7, 2025

Affected Software
SKT Skill Bar

Researcher

theviper17y

More Details >

SMS Alert Order Notifications – WooCommerce <= 3.8.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via sa_verify Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-3878

Patch Status
Patched

Published
May 9, 2025

Affected Software
SMS Alert Order Notifications – WooCommerce

Researcher

wesley (wcraft)

More Details >

Solace Extra <= 1.3.1 – Authenticated (Subscriber+) Server-Side Request Forgery

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47464

Patch Status
Patched

Published
May 7, 2025

Affected Software
Solace Extra

Researcher

stealthcopter

More Details >

Spiraclethemes Site Library <= 1.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47656

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Spiraclethemes Site Library

Researcher

zaim

More Details >

Top 10 <= 4.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47509

Patch Status
Patched

Published
May 7, 2025

Affected Software
Top 10 – WordPress Popular posts by WebberZone

Researcher

muhammad yudha

More Details >

Ultimate Blocks <= 3.2.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47493

Patch Status
Patched

Published
May 7, 2025

Affected Software
Ultimate Blocks – WordPress Blocks Plugin

Researcher

zaim

More Details >

User Login History <= 2.1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47676

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
User Login History

Researcher

muhammad yudha

More Details >

Widget Countdown <= 2.7.4 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47443

Patch Status
Patched

Published
May 7, 2025

Affected Software
Countdown Timer – Widget Countdown

Researcher

muhammad yudha

More Details >

Woobox <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47662

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Woobox

Researcher

zaim

More Details >

Woobox <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47675

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Woobox

Researcher

muhammad yudha

More Details >

WP DPE-GES <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47515

Patch Status
Patched

Published
May 7, 2025

Affected Software
WP DPE-GES

Researcher

johska

More Details >

WP SEO Structured Data Schema <= 2.7.11 – Authenticated (Contributor+) Stored Cross-Site Scripting via Plugin Settings

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4127

Patch Status
Patched

Published
May 7, 2025

Affected Software
WP SEO Structured Data Schema

Researcher

Jorgson

More Details >

WPBakery Visual Composer WHMCS Elements <= 1.0.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-47659

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WPBakery Visual Composer WHMCS Elements

Researcher

zaim

More Details >

WZ Followed Posts – Display what visitors are reading <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4171

Patch Status
Patched

Published
May 6, 2025

Affected Software
WZ Followed Posts – Display what visitors are reading

Researcher

muhammad yudha

More Details >

Xavin’s List Subpages <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-4220

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
Xavin’s List Subpages

Researcher

Gilang

More Details >

NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 – Authenticated (Custom) Limited Code Execution via get_table_records Function

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2025-4208

Patch Status
Patched

Published
May 7, 2025

Affected Software
NEX-Forms – Ultimate Forms Plugin for WordPress

Researcher

m3ssap0

More Details >

Accept Donations with PayPal <= 1.4.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47517

Patch Status
Patched

Published
May 7, 2025

Affected Software
Accept Donations with PayPal & Stripe

Researcher

Nabil Irawan

More Details >

BMI Adult & Kid Calculator <= 1.2.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47618

Patch Status
Unpatched

Published
May 8, 2025

Affected Software
BMI Adult & Kid Calculator

Researcher

stealthcopter

More Details >

Contribuinte Checkout <= 2.0.02 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47685

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Contribuinte Checkout

Researcher

Nguyen Xuan Chien

More Details >

ELI’s Related Posts Footer Links and Widget <= 1.2.04.20 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47514

Patch Status
Patched

Published
May 7, 2025

Affected Software
EZ Related Posts Footer Links and Widget

Researcher

johska

More Details >

FunnelCockpit <= 1.4.2 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47678

Patch Status
Unpatched

Published
May 9, 2025

Affected Software
FunnelCockpit

Researcher

domiee13

More Details >

Integration for WooCommerce and Salesforce <= 1.7.5 – Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47455

Patch Status
Patched

Published
May 7, 2025

Affected Software
Integration for WooCommerce and Salesforce

Researcher

Nguyen Xuan Chien

More Details >

Integrations of Zoho CRM with Elementor form <= 1.0.7 – Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47644

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Integrations of Zoho CRM with Elementor form

Researcher

Nguyen Xuan Chien

More Details >

Relevanssi <= 4.24.3 (Free) and <= 2.27.4 (Premium) – Unauthenticated Stored Cross-Site Scripting via Search Highlights

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-4054

Patch Status
Patched

Published
May 6, 2025

Affected Software
Relevanssi – A Better Search
Relevanssi – A Better Search (Pro)

Researcher

Jack Taylor

More Details >

tagDiv Composer <= 5.3 – Reflected Cross-Site Scripting via ‘data’

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-2806

Patch Status
Patched

Published
May 7, 2025

Affected Software
tagDiv Composer

Researcher

Truoc Phan

More Details >

theMarketer <= 1.4.7 – Cross-Site Request Forgery to Stored Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47655

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
theMarketer – Email marketing, Newsletters, Automation & Loyalty for Woocommerce

Researcher

Nguyen Xuan Chien

More Details >

WP Gravity Forms Dynamics CRM <= 1.1.4 – Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47454

Patch Status
Patched

Published
May 7, 2025

Affected Software
WP Gravity Forms Dynamics CRM

Researcher

Nguyen Xuan Chien

More Details >

WP Gravity Forms Zendesk <= 1.1.2 – Open Redirect

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47456

Patch Status
Patched

Published
May 7, 2025

Affected Software
WP Gravity Forms Zendesk

Researcher

Nguyen Xuan Chien

More Details >

xili-tidy-tags <= 1.12.06 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-47680

Patch Status
Unpatched

Published
May 8, 2025

Affected Software
xili-tidy-tags

Researcher

Nguyen Xuan Chien

More Details >

EUCookieLaw <= 2.7.2 – Unauthenticated Arbitrary File Read

5.9

CVSS Rating
Medium (5.9)

CVE-ID
CVE-2025-3897

Patch Status
Patched

Published
May 8, 2025

Affected Software
EUCookieLaw

Researcher

Nicolai Hellesnes (nico_)

More Details >

DoFollow Case by Case <= 3.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-47625

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
DoFollow Case by Case

Researcher

Nabil Irawan

More Details >

LiteSpeed Cache <= 7.0.1 – Authenticated (Editor+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-47437

Patch Status
Patched

Published
May 7, 2025

Affected Software
LiteSpeed Cache

Researcher

TaiYou

More Details >

Really Simple Under Construction Page <= 1.4.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-47593

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Really Simple Under Construction Page

Researcher

Nabil Irawan

More Details >

WebinarPress <= 1.33.27 – Authenticated (Administrator+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-47635

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WordPress Webinar Plugin – WebinarPress

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

WP Pipes <= 1.4.3 – Authenticated (Administrator+) Server-Side Request Forgery

5.5

CVSS Rating
Medium (5.5)

CVE-ID
CVE-2025-47664

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WP Pipes

Researcher

domiee13

More Details >

Login Lockdown & Protection <= 2.11 – Missing Authorization to Authenticated (Subscriber+) Arbitrary IP Whitelisting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-3766

Patch Status
Patched

Published
May 6, 2025

Affected Software
Login Lockdown & Protection

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Media Hygiene <= 4.0.0 – Missing Authorization

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-47469

Patch Status
Patched

Published
May 7, 2025

Affected Software
Media Hygiene: Remove or Delete Unused Images and More!

Researcher

domiee13

More Details >

Royal Elementor Addons and Templates <= 1.7.1017 – Authenticated (Contributor+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2024-12120

Patch Status
Patched

Published
May 6, 2025

Affected Software
Royal Elementor Addons and Templates

Researcher

zer0gh0st

More Details >

Supertext Translation and Proofreading <= 4.25 – Cross-Site Request Forgery to Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-47639

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Supertext Translation and Proofreading

Researcher

johska

More Details >

Uncanny Automator <= 6.4.0.2 – Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-4520

Patch Status
Patched

Published
May 9, 2025

Affected Software
Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin

Researcher

mikemyers

More Details >

WPForms Lite <= 1.9.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘start_timestamp’ Parameter

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-3794

Patch Status
Patched

Published
May 9, 2025

Affected Software
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More

Researcher

Asaf Mozes

More Details >

Advanced File Manager <= 5.3.1 – Missing Authorization to Notice Dismisaal

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47688

Patch Status
Patched

Published
May 7, 2025

Affected Software
Advanced File Manager — Ultimate WordPress File Manager and Document Library Plugin

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Cozy Blocks <= 2.1.22 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47485

Patch Status
Patched

Published
May 7, 2025

Affected Software
Cozy Blocks – Page Builder for Gutenberg & Site Editor with Post Blocks, WooCommerce Blocks, Magazine Blocks & WordPress Gutenberg Blocks

Researcher

Marek Mikita

More Details >

Envolve Plugin <= 1.0 – Unauthenticated Language File Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2024-11615

Patch Status
Patched

Published
May 5, 2025

Affected Software
Envolve Plugin

Researcher

István Márton

More Details >

Gutenberg & Elementor Templates Importer For Responsive <= 3.1.9 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47486

Patch Status
Patched

Published
May 7, 2025

Affected Software
Responsive Plus – Starter Templates, Advanced Features and Customizer Settings for Responsive Theme.

Researcher

Marek Mikita

More Details >

LocateAndFilter <= 1.6.16 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47457

Patch Status
Patched

Published
May 7, 2025

Affected Software
LocateAndFilter

Researcher

Nguyen Xuan Chien

More Details >

Mail Mint <= 1.17.7 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47541

Patch Status
Patched

Published
May 7, 2025

Affected Software
Email Marketing, Email Automation, Newsletter & Cart Abandonment for WordPress and WooCommerce – Mail Mint

Researcher

Denver Jackson

More Details >

PeproDev Ultimate Profile Solutions 1.9.1 – 7.5.2 – Missing Authorization to Unauthenticated Email Enumeration

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-3924

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
PeproDev Ultimate Profile Solutions

Researcher

kr0d

More Details >

Poll Maker <= 5.7.7 – Unauthenticated Race Condition to Multi-Vote

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47545

Patch Status
Patched

Published
May 7, 2025

Affected Software
Poll Maker – Versus Polls, Anonymous Polls, Image Polls

Researcher

Ibrahim Mohammad

More Details >

Reales WP STPT <= 2.1.2 – Unauthorized User Registration

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-3609

Patch Status
Unpatched

Published
May 5, 2025

Affected Software
Reales WP STPT

Researcher

Foxyyy

More Details >

Search Exclude <= 2.4.9 – Missing Authorization to Unauthenticated Plugin Settings Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-2821

Patch Status
Patched

Published
May 6, 2025

Affected Software
Search Exclude

Researcher

Noah Stead (TurtleBurg)

More Details >

Simple File List <= 6.1.13 – Missing Authorization to Unauthenticated Minor Settings Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47450

Patch Status
Patched

Published
May 7, 2025

Affected Software
Simple File List

Researcher

Kévin Mosbahi (Mika)

More Details >

User Registration & Membership – Custom Registration Form, Login Form, and User Profile <= 4.2.1 – Insecure Direct Object Reference to Unauthenticated Limited User Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-3281

Patch Status
Patched

Published
May 5, 2025

Affected Software
User Registration & Membership – Custom Registration Form, Login Form, and User Profile

Researcher

wesley (wcraft)

More Details >

weMail <= 1.14.13 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-47540

Patch Status
Patched

Published
May 7, 2025

Affected Software
weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Researcher

Denver Jackson

More Details >

Cart tracking for WooCommerce <= 1.0.17 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-47538

Patch Status
Patched

Published
May 7, 2025

Affected Software
Cart tracking for WooCommerce

Researcher

Ngo Bui Truong Vu

More Details >

Dynamic Pricing With Discount Rules for WooCommerce <= 4.5.8 – Authenticated (Shop manager+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-47544

Patch Status
Patched

Published
May 7, 2025

Affected Software
Dynamic Pricing With Discount Rules for WooCommerce

Researcher

tratt

More Details >

ELEX Product Feed for WooCommerce <= 3.1.2 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-47643

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
ELEX Product Feed for WooCommerce

Researcher

Ngo Bui Truong Vu

More Details >

PDF Invoices for WooCommerce + Drag and Drop Template Builder <= 5.3.8 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-47537

Patch Status
Patched

Published
May 7, 2025

Affected Software
PDF for WooCommerce – ALL in One + Drag And Drop Template Builder

Researcher

Ngo Bui Truong Vu

More Details >

TrackShip for WooCommerce <= 1.9.1 – Authenticated (Shop manager+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-47460

Patch Status
Patched

Published
May 7, 2025

Affected Software
TrackShip for WooCommerce

Researcher

Le Ngoc Anh

More Details >

YaySMTP <= 2.6.4 – Authenticated (Administrator+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-47587

Patch Status
Patched

Published
May 7, 2025

Affected Software
YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service

Researcher

ChuongVN

More Details >

Amazon Product in a Post <= 5.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47615

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Amazon Product in a Post Plugin

Researcher

Nabil Irawan

More Details >

AWEOS WP Lock <= 1.4.8 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47522

Patch Status
Patched

Published
May 7, 2025

Affected Software
AWEOS WP Lock

Researcher

Nabil Irawan

More Details >

Bold Page Builder <= 5.3.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47525

Patch Status
Patched

Published
May 7, 2025

Affected Software
Bold Page Builder

Researcher

Nabil Irawan

More Details >

Charitable <= 1.8.5.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47520

Patch Status
Patched

Published
May 7, 2025

Affected Software
Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More

Researcher

Nabil Irawan

More Details >

Color Your Bar <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47595

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Color Your Bar

Researcher

Nabil Irawan

More Details >

Contact Form 7 – PayPal & Stripe Add-on <= 2.3.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47518

Patch Status
Patched

Published
May 7, 2025

Affected Software
Contact Form 7 – PayPal & Stripe Add-on

Researcher

Nabil Irawan

More Details >

CookieCode <= 2.4.4 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47668

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
CookieCode

Researcher

Nabil Irawan

More Details >

Easy PayPal Buy Now Button <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47623

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Easy PayPal & Stripe Buy Now Button

Researcher

Nabil Irawan

More Details >

Email Notification on Login <= 1.6.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47622

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Email Notification on Login

Researcher

Nabil Irawan

More Details >

Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL <= 2.0.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47592

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Legal Terms and Conditions Popup for User Login and WooCommerce Checkout – TPUL

Researcher

Nabil Irawan

More Details >

N360 | Splash Screen <= 1.0.6 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47665

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
N360 | Splash Screen

Researcher

Nabil Irawan

More Details >

Quran multilanguage Text & Audio <= 2.3.23 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47524

Patch Status
Patched

Published
May 7, 2025

Affected Software
Quran multilanguage Text & Audio

Researcher

Nabil Irawan

More Details >

Robo Gallery <= 5.0.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47521

Patch Status
Patched

Published
May 7, 2025

Affected Software
Photo Gallery, Images, Slider in Rbs Image Gallery

Researcher

Nabil Irawan

More Details >

Show All Comments <= 7.0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47607

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Show All Comments

Researcher

Nabil Irawan

More Details >

Submission DOM tracking for Contact Form 7 <= 2.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47626

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Submission DOM tracking for Contact Form 7

Researcher

Nabil Irawan

More Details >

Time Clock <= 1.2.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47516

Patch Status
Patched

Published
May 7, 2025

Affected Software
Time Clock – A WordPress Employee & Volunteer Time Clock Plugin

Researcher

Nabil Irawan

More Details >

WP Discord Invite <= 2.5.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47638

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WP Discord Invite

Researcher

Nabil Irawan

More Details >

WP Front User Submit / Front Editor <= 4.9.3 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47617

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Guest posting / Frontend Posting / Front Editor – WP Front User Submit

Researcher

Nguyen Ngoc Quang Bach (maysbachs)

More Details >

WP jQuery DataTable <= 4.1.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-47605

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WP jQuery DataTable

Researcher

Nabil Irawan

More Details >

AHAthat Plugin <= 1.6 – Cross-Site Request Forgery to AHA Page Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-4337

Patch Status
Unpatched

Published
May 5, 2025

Affected Software
AHAthat Plugin

Researcher

Régis SENET

More Details >

Awin – Advertiser Tracking for WooCommerce <= 2.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47633

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Awin – Advertiser Tracking for WooCommerce

Researcher

ch4r0n

More Details >

Beacon Lead Magnets and Lead Capture <= 1.5.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47596

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Beacon Lead Magnets and Lead Capture

Researcher

Nabil Irawan

More Details >

Bulk Featured Image <= 1.2.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47591

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Bulk Featured Image

Researcher

timomangcut

More Details >

Calculate Prices based on Distance For WooCommerce <= 1.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47602

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Calculate Prices based on Distance For WooCommerce

Researcher

ch4r0n

More Details >

ClickWhale <= 2.4.6 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47612

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
ClickWhale – Link Manager, Link Shortener and Click Tracker for Affiliate Links & Link Pages

Researcher

Nabil Irawan

More Details >

Contact Form Widget <= 1.4.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47491

Patch Status
Patched

Published
May 7, 2025

Affected Software
Contact Form Widget – Contact Query, Contact Page, Form Maker, Query Table

Researcher

0xd4rk5id3

More Details >

ContentStudio <= 1.3.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47692

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
ContentStudio

Researcher

Nguyen Xuan Chien

More Details >

Cool Author Box <= 3.0.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47447

Patch Status
Patched

Published
May 7, 2025

Affected Software
Cool Author Box – For Widget and Post Content

Researcher

Nabil Irawan

More Details >

Credova_Financial <= 2.5.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47674

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Credova Financial

Researcher

astra.r3verii

More Details >

DoFollow Case by Case <= 3.5.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47624

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
DoFollow Case by Case

Researcher

Nabil Irawan

More Details >

Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 – 2.7.13 – Authenticated (Subscriber+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-3851

Patch Status
Unpatched

Published
May 6, 2025

Affected Software
Download Manager and Payment Form WordPress Plugin – WP SmartPay

Researcher

kr0d

More Details >

Easy PayPal Events <= 1.2.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47519

Patch Status
Patched

Published
May 7, 2025

Affected Software
Easy PayPal Events & Tickets

Researcher

Nabil Irawan

More Details >

EasyMe Connect <= 3.0.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47609

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
EasyMe Connect

Researcher

Nabil Irawan

More Details >

Envo Extra <= 1.9.9 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47471

Patch Status
Patched

Published
May 7, 2025

Affected Software
Envo Extra

Researcher

domiee13

More Details >

GPT3 AI Content Writer <= 1.9.14 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47470

Patch Status
Patched

Published
May 7, 2025

Affected Software
AI Power: Complete AI Pack

Researcher

domiee13

More Details >

Graphina <= 3.0.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47480

Patch Status
Patched

Published
May 7, 2025

Affected Software
Graphina – Elementor Charts and Graphs

Researcher

Nguyễn Trung Kiên

More Details >

GS Testimonial Slider <= 3.3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47467

Patch Status
Patched

Published
May 7, 2025

Affected Software
A WordPress Testimonial Plugin to Showcase Testimonial Slider, Testimonial Grid and More: Solid Testimonials

Researcher

domiee13

More Details >

GS Variation Swatches for WooCommerce <= 3.0.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47526

Patch Status
Patched

Published
May 7, 2025

Affected Software
GS Variation Swatches for WooCommerce

Researcher

ch4r0n

More Details >

Hash Form <= 1.2.8 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47468

Patch Status
Patched

Published
May 7, 2025

Affected Software
Hash Form – Drag & Drop Form Builder

Researcher

domiee13

More Details >

LessButtons Social Sharing and Statistics <= 1.6.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47614

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
LessButtons Social Sharing and Statistics

Researcher

Nabil Irawan

More Details >

Listamester <= 2.3.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47446

Patch Status
Patched

Published
May 7, 2025

Affected Software
Listamester

Researcher

Nabil Irawan

More Details >

LiveAgent <= 4.4.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47667

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
LiveAgent – Omnichannel Help Desk & Live Chat Software

Researcher

Nabil Irawan

More Details >

Martins Free Monetized Ad Exchange Network <= 1.0.5 – Cross-Site Request Forgery to Stored Cross-Site Scripting

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47620

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Martins Free Monetized Ad Exchange Network – Get more website visitors

Researcher

johska

More Details >

Music Player for WooCommerce <= 1.5.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47472

Patch Status
Patched

Published
May 7, 2025

Affected Software
Music Player for WooCommerce

Researcher

domiee13

More Details >

Ovation Elements <= 1.1.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47528

Patch Status
Patched

Published
May 7, 2025

Affected Software
Ovation Elements

Researcher

ch4r0n

More Details >

Pays – WooCommerce Payment Gateway <= 2.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47648

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Pays – WooCommerce Payment Gateway

Researcher

Nguyen Xuan Chien

More Details >

Product Quantity Dropdown For Woocommerce <= 1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47451

Patch Status
Patched

Published
May 7, 2025

Affected Software
Product Quantity Dropdown For Woocommerce

Researcher

Kévin Mosbahi (Mika)

More Details >

PW WooCommerce Bulk Edit <= 2.134 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47473

Patch Status
Patched

Published
May 7, 2025

Affected Software
PW WooCommerce Bulk Edit

Researcher

domiee13

More Details >

QS Dark Mode <= 3.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47628

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
QS Dark Mode Plugin

Researcher

Nabil Irawan

More Details >

Seznam Webmaster <= 1.4.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47523

Patch Status
Patched

Published
May 7, 2025

Affected Software
Seznam Webmaster

Researcher

Nabil Irawan

More Details >

Sidebar Manager Light <= 1.18 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47647

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Sidebar Manager Light

Researcher

Skalucy

More Details >

Simple calendar for Elementor <= 1.6.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47542

Patch Status
Patched

Published
May 7, 2025

Affected Software
Simple calendar for Elementor

Researcher

haudayroi

More Details >

Simple Giveaways <= 2.48.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47606

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Simple Giveaways – Grow your business, email lists and traffic with contests

Researcher

Nabil Irawan

More Details >

Smaily for WP <= 3.1.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47684

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Smaily for WP

Researcher

Nguyen Xuan Chien

More Details >

Soccer Live Scores <= 1.0.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47594

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Soccer Live Scores

Researcher

ch4r0n

More Details >

TrueBooker <= 1.0.7 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47543

Patch Status
Patched

Published
May 7, 2025

Affected Software
TrueBooker – Appointment Booking and Scheduler Plugin.

Researcher

haudayroi

More Details >

Ultimate WP Mail <= 1.3.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47466

Patch Status
Patched

Published
May 7, 2025

Affected Software
Ultimate WP Mail

Researcher

domiee13

More Details >

Web Accessibility with Max Access <= 2.0.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47681

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
Web Accessibility with Max Access

Researcher

Nguyen Xuan Chien

More Details >

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.18.15 – Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-3949

Patch Status
Patched

Published
May 8, 2025

Affected Software
Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode

Researcher

Trương Hữu Phúc (truonghuuphuc)

More Details >

Wiki Embed <= 1.4.6 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47551

Patch Status
Patched

Published
May 7, 2025

Affected Software
Wiki Embed

Researcher

Chu The Anh

More Details >

WP Compress <= 6.30.30 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47546

Patch Status
Patched

Published
May 7, 2025

Affected Software
WP Compress – Instant Performance & Speed Optimization

Researchers

Snurkeburk

SashaRyba

More Details >

WP Fundraising Donation and Crowdfunding Platform <= 1.7.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47459

Patch Status
Patched

Published
May 7, 2025

Affected Software
FundEngine – Donation and Crowdfunding Platform

Researcher

Nguyen Xuan Chien

More Details >

WP Hotel Booking <= 2.1.9 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47448

Patch Status
Patched

Published
May 7, 2025

Affected Software
WP Hotel Booking

Researcher

lucky_buddy

More Details >

WP Podcasts Manager <= 1.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47597

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WP Podcasts Manager

Researcher

ch4r0n

More Details >

WPSpeed <= 2.6.5 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47590

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
WPSpeed

Researcher

Nguyen Xuan Chien

More Details >

워드프레스 결제 심플페이 <= 5.2.11 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-47661

Patch Status
Unpatched

Published
May 7, 2025

Affected Software
워드프레스 결제 심플페이 – 우커머스 결제 플러그인

Researcher

Nguyen Xuan Chien

More Details >

Blocksy <= 2.0.97 – Missing Authorization

2.7

CVSS Rating
Low (2.7)

CVE-ID
CVE-2025-47465

Patch Status
Patched

Published
May 7, 2025

Affected Software
Blocksy

Researcher

SavPhill (Savphill)

More Details >