Critical security vulnerability in the WordPress plugin "Flex Store Users"


Summary

A critical vulnerability (CVE-2025-13619) in the WordPress plugin "Flex Store Users" allows attackers to execute arbitrary code without authentication. Site operators should update the plugin immediately to protect themselves against compromise.

Did you know Wordfence runs a Bug Bounty Program for all WordPress plugins and themes at no cost to vendors? Researchers can earn up to $31,200 per vulnerability for all in-scope vulnerabilities submitted to our Bug Bounty Program! Find a vulnerability, submit the details directly to us, and we handle all the rest.

Special Note: This week's Wordfence Intelligence Weekly WordPress Vulnerability Report is an extended edition covering the last few weeks in December over the holidays and the first week in January. Over the past three weeks, 459 vulnerabilities were disclosed in 390 WordPress plugins and 29 WordPress themes and added to the Wordfence Intelligence Vulnerability Database, and 95 vulnerability researchers contributed to WordPress security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data to implement layered security, in line with our overarching mission to secure WordPress with defense-in-depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report. Wordfence is the world's leading quality vulnerability database provider for WordPress, so site owners can rest assured knowing Wordfence has their back. Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, use the vulnerability database API to receive a complete dump of our database of over 32,000 vulnerabilities, and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, all for free. Sign up for our mailing list to receive weekly vulnerability reports like this one and important WordPress security reports in your inbox the moment they are published.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status | Number of Vulnerabilities
Patched | 213
Unpatched | 246

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating | Number of Vulnerabilities
Low Severity | 2
Medium Severity | 402
High Severity | 48
Critical Severity | 7

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE | Number of Vulnerabilities
Missing Authorization | 167
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 133
Cross-Site Request Forgery (CSRF) | 52
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 25
Exposure of Sensitive Information to an Unauthorized Actor | 24
Authorization Bypass Through User-Controlled Key | 14
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 10
Server-Side Request Forgery (SSRF) | 9
Improper Control of Generation of Code ('Code Injection') | 4
Unrestricted Upload of File with Dangerous Type | 3
URL Redirection to Untrusted Site ('Open Redirect') | 3
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 2
Authentication Bypass Using an Alternate Path or Channel | 1
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 1
Deserialization of Untrusted Data | 1
External Control of File Name or Path | 1
Generation of Error Message Containing Sensitive Information | 1
Improper Authentication | 1
Improper Input Validation | 1
Improper Neutralization of Null Byte or NUL Character | 1
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 1
Improper Privilege Management | 1
Incorrect Authorization | 1
Insertion of Sensitive Information into Log File | 1
Weak Password Recovery Mechanism for Forgotten Password | 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name | Number of Vulnerabilities
Muhammad Yudha - DJ | 49
Nabil Irawan | 44
Legion Hunter | 35
Phat RiO - BlueRock | 33
daroo | 33
João Pedro S Alcântara (Kinorth) | 21
Muhammad Nur Ibnu Hubab (Ibnu) | 21
Athiwat Tiprasaharn (Jitlada) | 20
benzdeus | 11
Doan Dinh Van (DinhVan52) | 10
Skalucy | 10
shark3y | 9
zaim | 8
Marcin Dudek (dudekmar) | 8
Nguyen Xuan Chien | 8
Bonds | 7
Peter Thaleikis | 7
NumeX | 7
Powpy | 6
Tran Nguyen Bao Khanh | 5
Jarno Vos (jarnovos) | 4
Dmitrii Ignatyev | 4
Zeeshan Haider | 4
type5afe | 4
Que Thanh Tuan - Blue Rock | 3
zer0gh0st | 3
Md. Moniruzzaman Prodhan (NomanProdhan) | 3
Bao - BlueRock | 3
Abdulsamad Yusuf (0xVenus) | 3
Itthidej Aramsri (Boeing777) | 3
Muhammad Zeeshan (Xib3rR4dAr) | 3
Drew Webber (mcdruid) | 3
Deadbee | 2
afnaan | 2
MD ISMAIL | 2
HunSec | 2
Trương Hữu Phúc (truonghuuphuc) | 2
Tarcísio Luchesi (Poystick) | 2
w41bu1 | 2
PPzzAArr | 2
meghnine islem | 2
Waris Damkham | 2
Varakorn Chanthasri (iCreaM) | 2
Peerapat Samatathanyakorn | 2
Rooting | 2
kr0d | 2
Webbernaut | 2
0xd4rk5id3 | 2
Nguyen Tran Tuan Dung (domiee13) | 2
johska | 2
Offensive Labs | 1
stealthcopter | 1
Asaf Mozes | 1
Paolo Tresso | 1
Mdr | 1
Hieus | 1
ch1mk | 1
Lucas Montes (NiRoX) | 1
Rafshanzani Suhada | 1
Sopon Tangpathum (SoNaJaa) | 1
wesley (wcraft) | 1
Ahmed Rayen Ayari | 1
Tiến Dũng Nguyễn | 1
blue0x1 | 1
Supakiad S. (m3ez) | 1
Ananda Dhakal | 1
JongHwan Shin (zzzsleep) | 1
bosz | 1
Dieu Link | 1
GCSC Vietnam | 1
ISMAILSHADOW | 1
tiborisaak | 1
Arif Shaikh | 1
Nguyen Truong (Roll) | 1
シルAsuna | 1
Myungju Kim | 1
Boris Bogosavac | 1
Certus Cybersecurity | 1
LionTree | 1
Ahmad Salem (a7mad.cc) | 1
dayea song | 1
Bhumividh Treloges | 1
ChamlaVic | 1
Denver Jackson | 1
Tri Firdyanto (Firdy) | 1
LVT-tholv2k | 1
Sarawut Poolkhet (MisterHelloz) | 1
Krissaphat Jankaew | 1
Abu Hurayra (HurayraIIT) | 1
Abhinav Jaswal (wrath_exe) | 1
Rapid0nion | 1
Arkadiusz Hydzik | 1
timomangcut | 1
LIM MINHYEOK | 1
NosleeP++ | 1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name [Software Slug]
6Storage Rentals [6storage-rentals]
907 - Responsive Multi-Purpose WordPress Theme [wbc907-core]
Academy LMS – WordPress LMS Plugin for Complete eLearning Solution [academy]
Accept Donations with PayPal & Stripe [easy-paypal-donation]
Accessibility Press [ilogic-accessibility]
Accordion Slider Gallery [accordion-slider-gallery]
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript [add-custom-codes]
Add Featured Image Custom Link [custom-url-to-featured-image]
Addonify – Quick View For WooCommerce [addonify-quick-view]
Admin and Site Enhancements (ASE) [admin-site-enhancements]
Advanced Ads – Ad Manager & AdSense [advanced-ads]
Advanced Classifieds & Directory Pro [advanced-classifieds-and-directory-pro]
Advanced Custom CSS [advanced-custom-css]
AdWords Conversion Tracking Code [adwords-conversion-tracking-code]
AI Content Writing Assistant [ai-content-writing-assistant]
AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation [ai-copilot]
AI-Powered Business Directory and Classified Ads Listings – Listdom [listdom]
All in One Accessibility [all-in-one-accessibility]
All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements [mystickyelements]
AM Events [am-events]
Amazon affiliate lite Plugin [afiliados-de-amazon-lite]
Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates [animation-addons-for-elementor]
AnyComment [anycomment]
Appender – Copycat Content Protection for WordPress [appender]
Appointify [appointify]
Appointment Booking and Scheduler Plugin – Truebooker [truebooker-appointment-booking]
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin [simply-schedule-appointments]
Appointment Bookings for Zoom GoogleMeet and more – Wappointment [wappointment]
Astra Widgets [astra-widgets]
Attachments Handler [attachments-handler]
Audiomack [audiomack]
Auto Featured Image (Auto Post Thumbnail) [auto-post-thumbnail]
Auto Listings – Car Listings & Car Dealership Plugin for WordPress [auto-listings]
BA Book Everything [ba-book-everything]
Basticom Framework [basticom-framework]
Beaver Builder Page Builder – Drag and Drop Website Builder [beaver-builder-lite-version]
Behance Portfolio Manager [portfolio-manager-powered-by-behance]
Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss [bp-better-messages]
Blog Filter Post Filtering [blog-filter]
Bold Timeline Lite [bold-timeline-lite]
Booking Calendar [booking]
Booking calendar, Appointment Booking System [booking-calendar]
BoomDevs WordPress Coming Soon Plugin [coming-soon-by-boomdevs]
Bootstrap Modals [bootstrap-modals]
Branda – White Label & Branding, Free Login Page Customizer [branda-white-labeling]
Brands for WooCommerce [brands-for-woocommerce]
Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content [brave-popup-builder]
BuddyPress Activity Shortcode [bp-activity-shortcode]
Business Directory Plugin – Easy Listing Directories for WordPress [business-directory-plugin]
Business Hours for WPBakery – Worker [worker-wpbakery]
Business hours widget for Elementor – Worker [worker-elementor]
BWL Knowledge Base Manager [bwl-kb-manager]
BWL Pro Voting Manager [bwl-pro-voting-manager]
Calendar [calendar]
Calendar.online / Kalender.digital – Plugin [kalender-digital]
Captivate Sync [captivatesync-trade]
Category Icon [category-icon]
CC Child Pages [cc-child-pages]
CedCommerce Integration for Good Market [ced-good-market-integration]
Chakra test [chakra-test]
Changelog & Custom List for Elementor [logger-elementor]
Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist [bit-assist]
Cincopa video and media plug-in [video-playlist-and-gallery-plugin]
Claspo – Popups, Spin the Wheel & Email Capture [claspo]
Co-marquage service-public.fr [co-marquage-service-public]
Colibri Page Builder [colibri-page-builder]
Combo Offers WooCommerce [woo-combo-offers]
Comments – wpDiscuz [wpdiscuz]
Connect Contact Form 7 and Mailchimp [contact-form-7-mailchimp-extension]
Contact Form 7 styler for Elementor – Conformer [conformer-elementor]
Contact Form Widget [new-contact-form-widget]
Content Fetcher [content-fetcher]
Content Grid Slider [content-grid-slider]
Converter for Media – Optimize images | Convert WebP & AVIF [webp-converter-for-media]
Cooked – Recipe Management [cooked]
Cookie Banner for GDPR / CCPA – WPLP Cookie Consent [gdpr-cookie-consent]
CookieHint WP [cookiehint-wp]
Core Web Vitals & PageSpeed Booster [core-web-vitals-pagespeed-booster]
Countdowner – Countdown Timer for Elementor [countdowner-elementor]
Couponer – Discount Coupons for Elementor [couponer-elementor]
Criptopayer – Crypto Payment Button for Elementor [criptopayer-elementor]
Crowdsignal Forms [crowdsignal-forms]
CubeWP Framework [cubewp-framework]
Curator.io [curatorio]
Custom Background Changer [custom-background-changer]
Custom Field Template [custom-field-template]
Custom Post Status [custom-post-status]
Custom Style [custom-style]
Customizable heading for Elementor [headinger-elementor]
CWW Companion [cww-companion]
Dashboard Beacon [wp-dashboard-beacon]
Demo Importer Plus [demo-importer-plus]
DesignThemes Core [designthemes-core]
DesignThemes LMS Addon [designthemes-lms-addon]
DesignThemes Portfolio Addon [designthemes-portfolio-addon]
Direct Payments WP [direct-payments-wp]
Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings [directorist]
Discussion Board – WordPress Forum Plugin [wp-discussion-board]
DMCA Protection Badge [dmca-badge]
Docket Cache – Object Cache Accelerator [docket-cache]
Document Library Lite [document-library-lite]
Dokan Pro [dokan-pro]
Download Manager [download-manager]
Download Media Library [download-media-library]
Download Plugins and Themes in ZIP from Dashboard [download-plugins-dashboard]
Draft Notify [draft-notify]
Easy Appointment Booking & Scheduling System – Webba Booking Calendar [webba-booking-lite]
Easy Digital Downloads – eCommerce Payments and Subscriptions made easy [easy-digital-downloads]
Easy Form Builder by WhiteStudio — Drag & Drop Form Builder [easy-form-builder]
Easy Invoice – PDF Invoice Generator & Quote Builder [easy-invoice]
Easy Upload Files During Checkout [easy-upload-files-during-checkout]
EasyIndex [easyindex]
EasyTest – Simplify A/B Testing [convertpro]
Editorial Calendar [editorial-calendar]
Efí Bank [woo-gerencianet-official]
Eight Day Week Print Workflow [eight-day-week-print-workflow]
EInvoice App Malaysia [einvoiceapp-malaysia]
Elementor Website Builder – More Than Just a Page Builder [elementor]
ELEX WordPress HelpDesk & Customer Ticketing System [elex-helpdesk-customer-support-ticket-system]
Email Marketing Plugin – WP Email Capture [wp-email-capture]
Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files [embed-any-document]
Embeds for YouTube [youtube-embed]
Essential Addons for Elementor – Popular Elementor Templates & Widgets [essential-addons-for-elementor-lite]
Event Organiser [event-organiser]
Events Manager – Calendar, Bookings, Tickets, and more! [events-manager]
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin [everest-backup]
Evergreen Post Tweeter [evergreen-post-tweeter]
Extra Shortcodes [extra-shortcodes]
F70 Lead Document Download [f70-lead-document-download]
Fancy Product Designer [fancy-product-designer]
FAPI Member [fapi-member]
Fast User Switching [fast-user-switching]
Featured Image Generator [featured-image-generator]
Featured Video for WordPress – VideographyWP [videographywp]
FiboSearch – Ajax Search for WooCommerce [ajax-search-for-woocommerce]
File Uploader for WooCommerce [file-uploader-for-woocommerce]
FileBird – WordPress Media Library Folders & File Manager [filebird]
Five Star Restaurant Reservations – WordPress Booking Plugin [restaurant-reservations]
Flex Store Users [flex-store-user]
FlippingBook [flippingbook]
Flowbox [flowbox]
FluentAuth – The Ultimate Authorization & Security Plugin for WordPress [fluent-security]
FormFacade – Embed Google Forms in your website [formfacade]
Forumax – Advanced Community Forum Plugin [bbp-core]
Fox LMS – WordPress LMS Plugin [fox-lms]
Free Shipping Bar: Amount Left for Free Shipping for WooCommerce [amount-left-free-shipping-woocommerce]
Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin [frontend-post-submission-manager-lite]
FV Simpler SEO [fv-all-in-one-seo-pack]
Gift Hunt [gift-hunt]
GiveWP – Donation Plugin and Fundraising Platform [give]
Gmedia Photo Gallery [grand-media]
Google AdSense for Responsive Design – GARD [google-adsense-for-responsive-design-gard]
Google Maps for Elementor [gmaper-elementor]
Google Street View for Elementor – Walker [walker-elementor]
Graphist – Graphs & Charts for Elementor [graphist-elementor]
Greenhouse Job Board [greenhouse-job-board]
GS Portfolio for Envato [gs-envato-portfolio]
Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns [essential-blocks]
Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor [gutenverse-form]
Happy Addons for Elementor [happy-elementor-addons]
HAPPY – Helpdesk Support Ticket System [happy-helpdesk-support-ticket-system]
Health Check & Troubleshooting [health-check]
Heateor Social Login WordPress [heateor-social-login]
Hide Plugins [hide-plugins]
Highlight and Share – Social Text and Image Sharing [highlight-and-share]
History Timeline for Biography, Company History & Event Timeline [timeline-awesome]
HomeFix Elementor Portfolio [homefix-ele-portfolio]
Hotel Booking [nd-booking]
HR Management Lite [hr-management-lite]
HTML Forms – Simple WordPress Forms Plugin [html-forms]
HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player [html5-audio-player]
Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN [hummingbird-performance]
HUSKY – Products Filter Professional for WooCommerce [woocommerce-products-filter]
IF AS Shortcode [if-as-shortcode]
Image Caption Hover Pro [image-caption-hover-pro]
Image Photo Gallery Final Tiles Grid [final-tiles-grid-gallery-lite]
Import into Easy Property Listings [easy-property-listings-xml-csv-import]
Inboxify Sign Up Form [inboxify-sign-up-form]
iNext Woo Pincode Checker [inext-woo-pincode-checker]
Innovs WPBakery Visual Composer WHMCS Elements [void-visual-whmcs-element]
Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-hubspot]
Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free [funnelforms-free]
Interactive Content – H5P [h5p]
Invelity SPS connect [invelity-sps-connect]
JetBlog [jet-blog]
JetFormBuilder — Dynamic Blocks Form Builder [jetformbuilder]
JetPopup [jet-popup]
JetSearch [jet-search]
JetTabs [jet-tabs]
Job Postings [job-postings]
Knowledge Base documentation & wiki plugin – BasePress Docs [basepress]
LearnPress – WordPress LMS Plugin [learnpress]
Link Library [link-library]
Live Composer – Free WordPress Website Builder [live-composer-page-builder]
Live Shopping & Shoppable Videos For WooCommerce [live-shopping-video-streams]
Livemesh Addons for Beaver Builder [addons-for-beaver-builder]
Locatoraid Store Locator [locatoraid]
Logo Slider, Logo Carousel, Logo showcase, Client Logo [tc-logo-slider]
Lucky Wheel for WooCommerce – Spin a Sale [woo-lucky-wheel]
MailerLite – WooCommerce integration [woo-mailerlite]
MapSVG – Vector maps, Image maps, Google Maps [mapsvg-lite-interactive-vector-maps]
MAS Videos [masvideos]
Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations [master-addons]
Maximum Products per User for WooCommerce [maximum-products-per-user-for-woocommerce]
Meks Quick Plugin Disabler [meks-quick-plugin-disabler]
Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping [membership-for-woocommerce]
Membership Plugin – Restrict Content [restrict-content]
Mergado Pack [mergado-marketing-pack]
Migration, Backup, Staging – WPvivid Backup & Migration [wpvivid-backuprestore]
Mobile builder [mobile-builder]
ModelTheme Addons for WPBakery and Elementor [modeltheme-addons-for-wpbakery]
Modula Image Gallery – Photo Grid & Video Gallery [modula-best-grid-gallery]
Multi-Step Checkout for WooCommerce [wp-multi-step-checkout]
MX Time Zone Clocks [mx-time-zone-clocks]
My auctions allegro [my-auctions-allegro-free-edition]
My Calendar – Accessible Event Manager [my-calendar]
MyBookTable Bookstore by Stormhill Media [mybooktable]
myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. [mycred]
MyD Delivery [myd-delivery]
Newsletter – Send awesome emails from WordPress [newsletter]
Newsletters [newsletters-lite]
Ninja Forms – The Contact Form Builder That Grows With You [ninja-forms]
Ninja Tables – Easy Data Table Builder [ninja-tables]
Noindex by Path [noindex-by-path]
OneSignal – Web Push Notifications [onesignal-free-web-push-notifications]
OpenHook [thesis-openhook]
OpenID Connect Generic Client [daggerhart-openid-connect-generic]
Order Cancellation & Returns for WooCommerce [wc-order-cancellation-return]
Orders Chat for WooCommerce [orders-chat-for-woocommerce]
Overstock Affiliate Links [overstock-affiliate-links]
Page Title Splitter [page-title-splitter]
PhastPress [phastpress]
Photo Block – A Modern Image Block With Lightbox and Caption Support [photo-block]
Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery [nextgen-gallery]
Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more [woocommerce-google-adwords-conversion-tracking-tag]
PixelYourSite – Your smart PIXEL (TAG) & API Manager [pixelyoursite]
Plugin Optimizer – Speed Up Your WordPress Like Never Before [plugin-optimizer]
Poll, Survey & Quiz Maker Plugin by Opinion Stage [social-polls-by-opinionstage]
Popping Sidebars and Widgets Light [popping-sidebars-and-widgets-light]
Poptics – Popup Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales [poptics]
Popup Box – Create Countdown, Coupon, Video, Contact Form Popups [ays-popup-box]
Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers [popup-builder-block]
Portfolio Gallery – Responsive Image Gallery [gallery-portfolio]
Post Grid [post-grid]
Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX [ultimate-post]
Post Snippets – Custom WordPress Code Snippets Customizer [post-snippets]
Postie [postie]
Premium Addons for Elementor – Powerful Elementor Templates & Widgets [premium-addons-for-elementor]
Pretty Google Calendar [pretty-google-calendar]
Prime Slider – Addons for Elementor [bdthemes-prime-slider-lite]
Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. [print-google-cloud-print-gcp-woocommerce]
Print Invoice & Delivery Notes for WooCommerce [woocommerce-delivery-notes]
Product Delivery Date for WooCommerce – Lite [product-delivery-date-for-woocommerce-lite]
Product Loops for WooCommerce [product-loops]
Product Table for WooCommerce [woo-product-table]
Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart [wedevs-project-manager]
Protect WP Admin [protect-wp-admin]
QuadLayers TikTok Feed [wp-tiktok-feed]
Questionar – FAQ Accordions for Elementor [questionar-elementor]
Quran Gateway [quran-gateway]
Read More & Accordion [expand-maker]
Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder [real3d-flipbook-lite]
Realbig For WordPress [realbig-media]
Recent Posts From Each Category [recent-posts-from-each-category]
Redirection for Contact Form 7 [wpcf7-redirect]
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login [custom-registration-form-builder-with-submission-manager]
Rencontre – Dating Site [rencontre]
Request a Quote Form Plugin – Price Quote Request Management Made Easy [request-a-quote]
RESPONSIVE AND SWIPE SLIDER! [responsive-and-swipe-slider]
Responsive Block Control – Hide blocks based on display width [responsive-block-control]
Responsive Posts Carousel WordPress Plugin [responsive-posts-carousel-pro]
RestroPress – Online Food Ordering System [restropress]
Reuters Direct [reuters-direct]
Review Disclaimer [review-disclaimer]
Robots.txt rewrite [robotstxt-rewrite]
Sailing [sailing]
SALESmanago & Leadoo [salesmanago]
Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories [post-expirator]
Semrush Content Toolkit [semrush-contentshake]
SensitiveTagCloud [sensitive-tag-cloud]
SEO Slider [seo-slider]
Serial Codes Generator and Validator with WooCommerce Support [serial-codes-generator-and-validator]
Series [series]
Sermon Manager [sermon-manager-for-wordpress]
Share, Print and PDF Products for WooCommerce [share-print-pdf-woocommerce]
Shortcodes and extra features for Phlox theme [auxin-elements]
Signature Add-On for Gravity Forms [gravity-signature-forms-add-on]
Simple Archive Generator [simple-archive-generator]
Simple Calendar – Google Calendar Plugin [google-calendar-events]
Simple File List [simple-file-list]
Simple Folio [simple-folio]
Simple Keyword to Link [simple-keyword-to-link]
Simple Like Page Plugin [simple-facebook-plugin]
Simple Link Directory [simple-link-directory]
SiteLock Security – WP Hardening, Login Security & Malware Scans [sitelock]
Sitewide Notice WP [sitewide-notice-wp]
SlimStat Analytics [wp-slimstat]
Sliper – Full-screen Slider for Elementor [sliper-elementor]
Sober [sober]
Social Profilr [social-profilr-display-social-network-profile]
Sticky Notes for WP Dashboard [wb-sticky-notes]
Stratum Widgets for Elementor [stratum]
Strong Testimonials [strong-testimonials]
Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress [subscribe-to-unlock-lite]
Sunshine Photo Cart: Free Client Photo Galleries for Photographers [sunshine-photo-cart]
SureForms – Contact Form, Payment Form & Other Custom Form Builder [sureforms]
Sweet Energy Efficiency [sweet-energy-efficiency]
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent [tablesome]
Tainacan [tainacan]
Tasty Recipes Lite [tasty-recipes-lite]
Terms descriptions [terms-descriptions]
The Moneytizer [the-moneytizer]
Themebeez Toolkit [themebeez-toolkit]
Themify Portfolio Post [themify-portfolio-post]
ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin [thirstyaffiliates]
Tooltips for WordPress [wordpress-tooltips]
Trash Duplicate and 301 Redirect [trash-duplicate-and-301-redirect]
TS Poll – Survey, Versus Poll, Image Poll, Video Poll [poll-wp]
Twitch Player [ttv-easy-embed-player]
Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin [ultimate-member]
UnGrabber [ungrabber]
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds [userfeedback-lite]
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration [wp-user-frontend]
User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin [user-registration]
User Specific Content [user-specific-content]
User Submitted Posts – Enable Users to Submit Posts from the Front End [user-submitted-posts]
UserPro - Community and User Profile WordPress Plugin [userpro]
UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP [userswp]
UseStrict's Calendly Embedder [cal-embedder-lite]
Valenti Engine [valenti-engine]
Varnish/Nginx Proxy Caching [vcaching]
Vimeotheque – Vimeo WordPress Plugin & Video Gallery [codeflavors-vimeo-video-post-lite]
Virusdie – One-click website security [virusdie]
VK Google Job Posting Manager [vk-google-job-posting-manager]
VPSUForm – Drag & Drop Contact Form Builder with Email Automation [v-form]
Watcher – Flexible Video Player for Elementor [watcher-elementor]
Watu Quiz [watu]
Wawp – Order Notifications, OTP Login, Checkout Verifications and Country Code [automation-web-platform]
Wbcom Designs – Private Community for BuddyPress [lock-my-bp]
WC Builder – WooCommerce Page Builder for WPBakery [wc-builder]
WCFM Marketplace – Multivendor Marketplace for WooCommerce [wc-multivendor-marketplace]
WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible [wc-frontend-manager]
Web and WooCommerce Addons for WPBakery Builder [vc-addons-by-bit14]
Web Directory Free [web-directory-free]
Web to SugarCRM Lead [web-to-sugarcrm-lead]
WebMan Amplifier [webman-amplifier]
WeDesignTech Portfolio [wedesigntech-portfolio]
weForms – Easy Drag & Drop Contact Form Builder For WordPress [weforms]
WH Tweaks [wh-tweaks]
Widgets for Social Photo Feed [social-photo-feed-widget]
WING WordPress Migrator [wing-migrator]
Wiremo – Product Reviews for WooCommerce [woo-reviews-by-wiremo]
WishSuite – Wishlist for WooCommerce [wishsuite]
WooCommerce Parcelas [woocommerce-parcelas]
WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. [wp_scraper]
WordPress User Extra Fields [wp-user-extra-fields]
WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer [adminify]
WP Advanced PDF [wp-advanced-pdf]
WP Attachments [wp-attachments]
WP Custom Admin Interface [wp-custom-admin-interface]
WP DB Booster [wp-db-booster]
WP Document Revisions [wp-document-revisions]
WP eBay Product Feeds [ebay-feeds-for-wordpress]
WP Export Categories & Taxonomies [wp-export-categories-taxonomies]
WP Gmail SMTP [wp-gmail-smtp]
WP Hallo Welt [wp-hallo-welt]
WP Import – Ultimate CSV XML Importer for WordPress [wp-ultimate-csv-importer]
WP JobHunt [wp-jobhunt]
WP Post Signature [wp-post-signature]
WP Recipe Maker [wp-recipe-maker]
WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets [wp-social-reviews]
WP Telegram Widget and Join Link [wptelegram-widget]
Wp Text Slider Widget [wp-text-slider-widget]
WP Time Slots Booking Form [wp-time-slots-booking-form]
WP Visitor Statistics (Real Time Traffic) [wp-stats-manager]
WP-CalDav2ICS [wp-caldav2ics]
WP-EasyArchives [wp-easyarchives]
WP-ShowHide [wp-showhide]
WPBulky – WordPress Bulk Edit Post Types [wpbulky-wp-bulk-edit-post-types]
WPCal.io – Easy Meeting Scheduler [wpcal]
WPCOM Member [wpcom-member]
WpStream – Live Streaming, Video on Demand, Pay Per View [wpstream]
XStore Core [et-core-plugin]
Yaad Sarig Payment Gateway For WC [yaad-sarig-payment-gateway-for-wc]
Yada Wiki [yada-wiki]
YITH Slider for page builders [yith-slider-for-page-builders]
Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress [youzify]
Zephyr Project Manager [zephyr-project-manager]
Zoho ZeptoMail [transmail]
پلاگین پرداخت دلخواه [pardakht-delkhah]

WordPress Themes with Reported Vulnerabilities Last Week

Software Name [Software Slug]
Aora - Home & Lifestyle Elementor WooCommerce Theme [aora]
Arcane - The Gaming Community Theme [arcane]
Backpack Traveler - Modern Travel Blog WordPress Theme [backpacktraveler]
Besa - Elementor Marketplace WooCommerce Theme [besa]
bookory [bookory]
Cinerama - A WordPress Theme for Movie Studios and Filmmakers [cinerama]
Consulting [consulting]
Diza - Pharmacy Store Elementor WooCommerce Theme [diza]
ekommart - All-in-one eCommerce WordPress Theme [ekommart]
Fana - Fashion Shop WordPress Theme [fana]
Fashion - WooCommerce Responsive WordPress Theme [fashion2]
FiveStar - Hotel Booking WordPress Theme [fivestar]
Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing [genemy]
GreenMart – Organic & Food WooCommerce WordPress Theme [greenmart]
Hara - Beauty and Cosmetics Shop WooCommerce Theme [hara]
Lekker - Portfolio WordPress Theme [lekker]
Medical Equipment eCommerce WordPress Theme [medicalequipment]
Melos [melos]
Minamaze [minamaze]
Nika - Medical Elementor WooCommerce Theme [nika]
Personal Portfolio Resume Theme | Kerge [kerge]
Puca - Optimized Mobile WooCommerce Theme [puca]
sailing [sailing]
Shuttle [shuttle]
Struktur - Creative Agency WordPress Theme [struktur]
Urna - All-in-one WooCommerce WordPress Theme [urna]
Vireo [vireo]
Wilmër - Construction WordPress Theme [wilmer]
Zota - Elementor Multi-Purpose
WooCommerce Theme zota Vulnerability Details Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize. Branda – White Label & Branding, Free Login Page Customizer <= 3.4.24 - Unauthenticated Privilege Escalation via Account Takeover 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14998 Patch Status Patched Published Jan 1, 2026 Affected Software Branda – White Label & Branding, Free Login Page Customizer Researcher Drew Webber (mcdruid) More Details > File Uploader for WooCommerce <= 1.0.3 - Unauthenticated Arbitrary File Upload via add-image-data 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-13329 Patch Status Patched Published Dec 19, 2025 Affected Software File Uploader for WooCommerce Researcher Md. 
Moniruzzaman Prodhan (NomanProdhan) More Details > Flex Store Users <= 1.1.0 - Unauthenticated Privilege Escalation 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-13619 Patch Status Unpatched Published Dec 19, 2025 Affected Software Flex Store Users Researcher シルAsuna More Details > Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder' 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14156 Patch Status Patched Published Dec 15, 2025 Affected Software Fox LMS – WordPress LMS Plugin Researcher kr0d More Details > Mobile builder <= 1.4.2 - Authentication Bypass 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-68860 Patch Status Unpatched Published Dec 26, 2025 Affected Software Mobile builder Researcher Jarno Vos (jarnovos) More Details > PhastPress <= 3.7 - Unauthenticated Arbitrary File Read via Null Byte Injection 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-14388 Patch Status Patched Published Dec 22, 2025 Affected Software PhastPress Researcher shark3y More Details > Print Invoice & Delivery Notes for WooCommerce <= 5.8.0 - Unauthenticated Remote Code Execution 9.8 CVSS Rating Critical (9.8) CVE-ID CVE-2025-13773 Patch Status Patched Published Dec 23, 2025 Affected Software Print Invoice & Delivery Notes for WooCommerce Researchers shark3yMarcin Dudek (dudekmar) More Details > Demo Importer Plus <= 2.0.8 - Missing Authorization to Authenticated (Subscriber+) Site Reset and Privilege Escalation 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-14364 Patch Status Patched Published Dec 17, 2025 Affected Software Demo Importer Plus Researcher shark3y More Details > IF AS Shortcode <= 1.2 - Authenticated (Contributor+) Remote Code Execution 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-68897 Patch Status Unpatched Published Dec 25, 2025 Affected Software IF AS Shortcode Researcher Drew Webber (mcdruid) More Details > MapSVG <= 8.7.3 - Authenticated (Contributor+) Arbitrary File Upload 8.8 CVSS Rating High (8.8) CVE-ID 
CVE-2025-68562 Patch Status Patched Published Dec 24, 2025 Affected Software MapSVG – Vector maps, Image maps, Google Maps Researcher stealthcopter More Details > Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery <= 3.59.12 - Authenticated (Contributor+) Local File Inclusion via 'template' 8.8 CVSS Rating High (8.8) CVE-ID CVE-2025-13641 Patch Status Patched Published Dec 17, 2025 Affected Software Photo Gallery, Sliders, Proofing and Themes – NextGEN Gallery Researcher Athiwat Tiprasaharn (Jitlada) More Details > Beaver Builder – WordPress Page Builder <= 2.9.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Update 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-12934 Patch Status Patched Published Dec 22, 2025 Affected Software Beaver Builder Page Builder – Drag and Drop Website Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > CedCommerce Integration for Good Market <= 1.0.6 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-68877 Patch Status Unpatched Published Dec 26, 2025 Affected Software CedCommerce Integration for Good Market Researcher Nguyen Xuan Chien More Details > CookieHint WP <= 1.0.0 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-68870 Patch Status Unpatched Published Dec 25, 2025 Affected Software CookieHint WP Researcher Nguyen Xuan Chien More Details > Docket Cache <= 24.07.03 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-68506 Patch Status Patched Published Dec 24, 2025 Affected Software Docket Cache – Object Cache Accelerator Researcher Nguyen Xuan Chien More Details > Lekker <= 1.8 - Unauthenticated Local File Inclusion 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-69034 Patch Status Unpatched Published Dec 30, 2025 Affected Software Lekker - Portfolio WordPress Theme Researcher Bonds More Details > Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload 
8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14800 Patch Status Patched Published Dec 20, 2025 Affected Software Redirection for Contact Form 7 Researcher LionTree More Details > WPCOM Member <= 1.7.16 - Authentication Bypass via Weak OTP 8.1 CVSS Rating High (8.1) CVE-ID CVE-2025-14002 Patch Status Patched Published Dec 15, 2025 Affected Software WPCOM Member Researcher wesley (wcraft) More Details > WP JobHunt <= 7.7 - Missing Authorization to Authenticated (Candidate+) Stored Cross-Site Scripting via 'status' 7.6 CVSS Rating High (7.6) CVE-ID CVE-2025-7782 Patch Status Unpatched Published Dec 20, 2025 Affected Software WP JobHunt Researcher meghnine islem More Details > Aora <= 1.3.15 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68985 Patch Status Unpatched Published Dec 20, 2025 Affected Software Aora - Home & Lifestyle Elementor WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Besa <= 2.3.15 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67530 Patch Status Patched Published Dec 15, 2025 Affected Software Besa - Elementor Marketplace WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Booking Calendar <= 10.14.8 - Unauthenticated SQL Injection via dates_to_check 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-14383 Patch Status Patched Published Dec 15, 2025 Affected Software Booking Calendar Researcher Marcin Dudek (dudekmar) More Details > Bookory <= 2.2.7 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68530 Patch Status Patched Published Jan 1, 2026 Affected Software bookory Researcher João Pedro S Alcântara (Kinorth) More Details > Cinerama - A WordPress Theme for Movie Studios and Filmmakers <= 2.4 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68987 Patch Status Unpatched Published Dec 20, 2025 Affected Software 
Cinerama - A WordPress Theme for Movie Studios and Filmmakers Researcher João Pedro S Alcântara (Kinorth) More Details > Diza <= 1.3.15 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68544 Patch Status Patched Published Dec 23, 2025 Affected Software Diza - Pharmacy Store Elementor WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Download Media Library <= 0.2.1 - Unauthenticated Sensitive Information Exposure 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-62114 Patch Status Unpatched Published Dec 31, 2025 Affected Software Download Media Library Researcher Nabil Irawan More Details > ekommart < 4.3.1 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67525 Patch Status Patched Published Dec 15, 2025 Affected Software ekommart - All-in-one eCommerce WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Fana <= 1.1.35 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68540 Patch Status Patched Published Dec 28, 2025 Affected Software Fana - Fashion Shop WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Fashion < 5.3.0 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67529 Patch Status Patched Published Dec 15, 2025 Affected Software Fashion - WooCommerce Responsive WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Greenmart <= 4.2.11 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68983 Patch Status Unpatched Published Dec 20, 2025 Affected Software GreenMart – Organic & Food WooCommerce WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Hara <= 1.2.17 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67532 Patch Status Patched Published Dec 15, 2025 Affected Software Hara - 
Beauty and Cosmetics Shop WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Hummingbird <= 3.18.0 - Unauthenticated Sensitive Information Exposure via Log File 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-14437 Patch Status Patched Published Dec 17, 2025 Affected Software Hummingbird Performance – Cache & Page Speed Optimization for Core Web Vitals | Critical CSS | Minify CSS | Defer CSS Javascript | CDN Researcher ISMAILSHADOW More Details > Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) PHP Object Injection via dslc_module_posts_output Shortcode 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-14071 Patch Status Unpatched Published Dec 20, 2025 Affected Software Live Composer – Free WordPress Website Builder Researcher Athiwat Tiprasaharn (Jitlada) More Details > MAS Videos <= 1.3.2 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-62753 Patch Status Unpatched Published Dec 30, 2025 Affected Software MAS Videos Researcher Muhammad Yudha - DJ More Details > Nika <= 1.2.14 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68546 Patch Status Patched Published Dec 23, 2025 Affected Software Nika - Medical Elementor WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Ninja Forms – The Contact Form Builder That Grows With You <= 3.13.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Exposure via Unscoped Bearer Token 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-11924 Patch Status Patched Published Dec 16, 2025 Affected Software Ninja Forms – The Contact Form Builder That Grows With You Researchers Lucas Montes (NiRoX)Marcin Dudek (dudekmar) More Details > Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX <= 5.0.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-12980 Patch Status 
Patched Published Dec 20, 2025 Affected Software Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX Researcher Marcin Dudek (dudekmar) More Details > Puca <= 2.6.39 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68984 Patch Status Unpatched Published Dec 20, 2025 Affected Software Puca - Optimized Mobile WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Responsive Posts Carousel Pro <= 15.1 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68996 Patch Status Patched Published Dec 25, 2025 Affected Software Responsive Posts Carousel WordPress Plugin Researcher Phat RiO - BlueRock More Details > Sailing < 4.4.6 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67526 Patch Status Patched Published Dec 15, 2025 Affected Software sailing Researcher João Pedro S Alcântara (Kinorth) More Details > Subscribe to Unlock Lite <= 1.3.0 - Authenticated (Subscriber+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68563 Patch Status Patched Published Dec 24, 2025 Affected Software Subscribe to Unlock Lite – Opt In Content Locker Plugin for WordPress Researcher LVT-tholv2k More Details > Terms descriptions <= 3.4.9 - Unauthenticated Information Exposure 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-62139 Patch Status Unpatched Published Dec 31, 2025 Affected Software Terms descriptions Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Urna <= 2.5.12 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67528 Patch Status Patched Published Dec 15, 2025 Affected Software Urna - All-in-one WooCommerce WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Varnish/Nginx Proxy Caching <= 1.8.3 - Unauthenticated Information Exposure 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-62126 Patch Status Unpatched Published Dec 31, 2025 
Affected Software Varnish/Nginx Proxy Caching Researcher Legion Hunter More Details > Wilmër < 3.5 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-67515 Patch Status Patched Published Dec 15, 2025 Affected Software Wilmër - Construction WordPress Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Zota <= 1.3.14 - Authenticated (Contributor+) Local File Inclusion 7.5 CVSS Rating High (7.5) CVE-ID CVE-2025-68537 Patch Status Patched Published Dec 27, 2025 Affected Software Zota - Elementor Multi-Purpose WooCommerce Theme Researcher João Pedro S Alcântara (Kinorth) More Details > Advanced Ads <= 2.0.14 - Authenticated (Editor+) Remote Code Execution via Shortcode 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-13592 Patch Status Patched Published Dec 29, 2025 Affected Software Advanced Ads – Ad Manager & AdSense Researcher NosleeP++ More Details > ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.4 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-9343 Patch Status Patched Published Dec 20, 2025 Affected Software ELEX WordPress HelpDesk & Customer Ticketing System Researcher Athiwat Tiprasaharn (Jitlada) More Details > HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player 2.4.0 - 2.5.1 - Unauthenticated Server-Side Request Forgery 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-13999 Patch Status Patched Published Dec 18, 2025 Affected Software HTML5 Audio Player – The Ultimate No-Code Podcast, MP3 & Audio Player Researcher kr0d More Details > Kerge <= 4.1.3 - Unauthenticated Server-Side Request Forgery 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-67989 Patch Status Patched Published Dec 15, 2025 Affected Software Personal Portfolio Resume Theme | Kerge Researcher João Pedro S Alcântara (Kinorth) More Details > Lucky Wheel for WooCommerce – Spin a Sale <= 1.1.13 - Authenticated (Administrator+) PHP Code Injection via Conditional Tags 7.2 CVSS Rating High 
(7.2) CVE-ID CVE-2025-14509 Patch Status Patched Published Dec 29, 2025 Affected Software Lucky Wheel for WooCommerce – Spin a Sale Researcher Nguyen Truong (Roll) More Details > SlimStat Analytics <= 5.3.2 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-14151 Patch Status Patched Published Dec 18, 2025 Affected Software SlimStat Analytics Researcher Supakiad S. (m3ez) More Details > SureForms <= 2.2.0 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-14855 Patch Status Patched Published Dec 20, 2025 Affected Software SureForms – Contact Form, Payment Form & Other Custom Form Builder Researcher Tiến Dũng Nguyễn More Details > WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. <= 1.0.7 - Unauthenticated Server-Side Request Forgery 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-62088 Patch Status Unpatched Published Dec 31, 2025 Affected Software WordPress & WooCommerce Scraper Plugin, Import Data from Any WebSite. 
Researcher Bonds More Details > Youzify <= 1.3.5 - Authenticated (Subscriber+) Server-Side Request Forgery 7.2 CVSS Rating High (7.2) CVE-ID CVE-2025-69014 Patch Status Unpatched Published Dec 27, 2025 Affected Software Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress Researcher NumeX More Details > Easy Invoice <= 2.1.4 - Authenticated (Administrator+) Local File Inclusion 6.6 CVSS Rating Medium (6.6) CVE-ID CVE-2025-66115 Patch Status Patched Published Dec 15, 2025 Affected Software Easy Invoice – PDF Invoice Generator & Quote Builder Researcher Tarcísio Luchesi(Poystick) More Details > Brands for WooCommerce <= 3.8.6.3 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-68519 Patch Status Patched Published Dec 26, 2025 Affected Software Brands for WooCommerce Researcher 0xd4rk5id3 More Details > BWL Pro Voting Manager <= 1.4.9 - Authenticated (Contributor+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-68990 Patch Status Unpatched Published Dec 22, 2025 Affected Software BWL Pro Voting Manager Researcher Phat RiO - BlueRock More Details > Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Server-Side Request Forgery via Race Condition 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-13231 Patch Status Patched Published Dec 15, 2025 Affected Software Fancy Product Designer Researcher Muhammad Zeeshan (Xib3rR4dAr) More Details > MailerLite - WooCommerce integration <= 3.1.3 - Missing Authorization to Data Deletion 6.5 CVSS Rating Medium (6.5) CVE-ID Unknown Patch Status Patched Published Dec 15, 2025 Affected Software MailerLite – WooCommerce integration Researcher shark3y More Details > Tablesome <= 1.1.35.1 - Authenticated (Subscriber+) Information Exposure 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-68516 Patch Status Patched Published Dec 22, 2025 Affected Software Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent 
Researcher daroo More Details > WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-13880 Patch Status Patched Published Dec 16, 2025 Affected Software WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets Researcher shark3y More Details > WPBulky <= 1.1.13 - Authenticated (Author+) SQL Injection 6.5 CVSS Rating Medium (6.5) CVE-ID CVE-2025-68550 Patch Status Patched Published Dec 23, 2025 Affected Software WPBulky – WordPress Bulk Edit Post Types Researcher benzdeus More Details > 6Storage Rentals <= 2.20.0 - Authenticated (Subscriber+) Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67623 Patch Status Unpatched Published Dec 20, 2025 Affected Software 6Storage Rentals Researcher Jarno Vos (jarnovos) More Details > Academy LMS <= 3.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68527 Patch Status Patched Published Dec 30, 2025 Affected Software Academy LMS – WordPress LMS Plugin for Complete eLearning Solution Researcher Muhammad Yudha - DJ More Details > Add Custom Codes <= 4.80 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62149 Patch Status Unpatched Published Dec 31, 2025 Affected Software Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript Researcher Certus Cybersecurity More Details > Add Featured Image Custom Link <= 2.0.0 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62119 Patch Status Unpatched Published Dec 31, 2025 Affected Software Add Featured Image Custom Link Researcher Nabil Irawan More Details > AdWords Conversion Tracking Code <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating 
Medium (6.4) CVE-ID CVE-2025-62118 Patch Status Unpatched Published Dec 31, 2025 Affected Software AdWords Conversion Tracking Code Researcher Muhammad Yudha - DJ More Details > Audiomack <= 1.4.8 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-49357 Patch Status Unpatched Published Dec 31, 2025 Affected Software Audiomack Researcher Jarno Vos (jarnovos) More Details > Auto Listings <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69089 Patch Status Patched Published Dec 30, 2025 Affected Software Auto Listings – Car Listings & Car Dealership Plugin for WordPress Researcher Muhammad Yudha - DJ More Details > BA Book Everything <= 1.8.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via babe-search-form Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14449 Patch Status Patched Published Dec 18, 2025 Affected Software BA Book Everything Researcher Muhammad Yudha - DJ More Details > Blog Filter <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69033 Patch Status Unpatched Published Dec 29, 2025 Affected Software Blog Filter Post Filtering Researcher Muhammad Yudha - DJ More Details > Bold Timeline Lite <= 1.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68513 Patch Status Patched Published Dec 27, 2025 Affected Software Bold Timeline Lite Researcher zaim More Details > Bootstrap Modals <= 1.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62095 Patch Status Unpatched Published Dec 31, 2025 Affected Software Bootstrap Modals Researcher Muhammad Yudha - DJ More Details > BuddyPress Activity Shortcode <= 1.1.8 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62760 Patch Status Patched Published Dec 
31, 2025 Affected Software BuddyPress Activity Shortcode Researcher Muhammad Yudha - DJ More Details > BWL Knowledge Base Manager <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68992 Patch Status Unpatched Published Dec 22, 2025 Affected Software BWL Knowledge Base Manager Researcher Phat RiO - BlueRock More Details > BWL Pro Voting Manager <= 1.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68991 Patch Status Unpatched Published Dec 22, 2025 Affected Software BWL Pro Voting Manager Researcher Phat RiO - BlueRock More Details > Calendar <= 1.3.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'event_desc' 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14548 Patch Status Patched Published Dec 22, 2025 Affected Software Calendar Researcher Hieus More Details > Calendar.online / Kalender.digital <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62752 Patch Status Unpatched Published Dec 31, 2025 Affected Software Calendar.online / Kalender.digital – Plugin Researcher Muhammad Yudha - DJ More Details > CC Child Pages <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'child_pages' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13608 Patch Status Patched Published Dec 15, 2025 Affected Software CC Child Pages Researcher Muhammad Yudha - DJ More Details > Colibri Page Builder <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11747 Patch Status Patched Published Dec 18, 2025 Affected Software Colibri Page Builder Researcher Abu Hurayra (HurayraIIT) More Details > Combo Offers WooCommerce <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69088 Patch Status Patched Published Dec 30, 2025 Affected Software 
Combo Offers WooCommerce Researcher Muhammad Yudha - DJ More Details > Consulting <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63032 Patch Status Unpatched Published Dec 31, 2025 Affected Software Consulting Researcher Peter Thaleikis More Details > Content Fetcher <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-49358 Patch Status Unpatched Published Dec 31, 2025 Affected Software Content Fetcher Researcher Athiwat Tiprasaharn (Jitlada) More Details > Curator.io <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62742 Patch Status Unpatched Published Dec 31, 2025 Affected Software Curator.io Researcher Jarno Vos (jarnovos) More Details > Custom Background Changer <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62125 Patch Status Unpatched Published Dec 31, 2025 Affected Software Custom Background Changer Researcher Muhammad Yudha - DJ More Details > Custom Field Template <= 2.7.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68607 Patch Status Unpatched Published Dec 24, 2025 Affected Software Custom Field Template Researcher Muhammad Yudha - DJ More Details > DesignThemes Core <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68978 Patch Status Unpatched Published Dec 17, 2025 Affected Software DesignThemes Core Researcher Phat RiO - BlueRock More Details > DesignThemes Portfolio Addon <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68977 Patch Status Unpatched Published Dec 17, 2025 Affected Software DesignThemes Portfolio Addon Researcher Phat RiO - BlueRock More Details > Elementor <= 3.33.3 - Authenticated (Contributor+) Stored 
DOM-Based Cross-Site Scripting via Text Path 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-11220 Patch Status Patched Published Dec 15, 2025 Affected Software Elementor Website Builder – More Than Just a Page Builder Researcher Asaf Mozes More Details > Embed Any Document <= 2.7.10 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12885 Patch Status Patched Published Dec 17, 2025 Affected Software Embed Any Document – Embed PDF, Word, PowerPoint and Excel Files Researcher Muhammad Yudha - DJ More Details > Essential Addons for Elementor – Popular Elementor Templates & Widgets <= 6.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13977 Patch Status Patched Published Dec 16, 2025 Affected Software Essential Addons for Elementor – Popular Elementor Templates & Widgets Researcher Webbernaut More Details > Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_list_grouped' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-12976 Patch Status Patched Published Dec 17, 2025 Affected Software Events Manager – Calendar, Bookings, Tickets, and more! 
Researcher Muhammad Yudha - DJ More Details > Extra Shortcodes <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62111 Patch Status Unpatched Published Dec 31, 2025 Affected Software Extra Shortcodes Researcher Muhammad Yudha - DJ More Details > Featured Video for WordPress – VideographyWP <= 1.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62746 Patch Status Patched Published Dec 30, 2025 Affected Software Featured Video for WordPress – VideographyWP Researcher Muhammad Yudha - DJ More Details > FlippingBook <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69019 Patch Status Unpatched Published Dec 28, 2025 Affected Software FlippingBook Researcher Muhammad Yudha - DJ More Details > FluentAuth - Auth Security Plugin <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluent_auth_reset_password' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13728 Patch Status Patched Published Dec 15, 2025 Affected Software FluentAuth – The Ultimate Authorization & Security Plugin for WordPress Researcher Muhammad Yudha - DJ More Details > Free Shipping Bar: Amount Left for Free Shipping for WooCommerce <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68528 Patch Status Patched Published Dec 30, 2025 Affected Software Free Shipping Bar: Amount Left for Free Shipping for WooCommerce Researcher Muhammad Yudha - DJ More Details > Funnelforms Free <= 3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62758 Patch Status Unpatched Published Dec 31, 2025 Affected Software Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free Researcher Muhammad Yudha - DJ More Details > Genemy <= 1.6.6 - Authenticated (Subscriber+) 
Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-59138 Patch Status Unpatched Published Dec 31, 2025 Affected Software Genemy - Creative Minimal Landing Page Builder for Digital Startup Design Studio Agency in Marketing Researcher Tran Nguyen Bao Khanh More Details > Happy Addons for Elementor <= 3.20.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom JS 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14635 Patch Status Patched Published Dec 22, 2025 Affected Software Happy Addons for Elementor Researcher zer0gh0st More Details > Image Photo Gallery Final Tiles Grid <= 3.6.8 - Authenticated (Author+) Stored Cross-Site Scripting via 'Custom Scripts' Setting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13693 Patch Status Patched Published Dec 20, 2025 Affected Software Image Photo Gallery Final Tiles Grid Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris DamkhamVarakorn Chanthasri (iCreaM)Peerapat Samatathanyakorn More Details > JetSearch <= 3.5.16 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68504 Patch Status Patched Published Dec 30, 2025 Affected Software JetSearch Researcher Bonds More Details > JetTabs <= 2.2.12 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68499 Patch Status Patched Published Dec 30, 2025 Affected Software JetTabs Researcher Bonds More Details > Jobs for WordPress <= 2.7.17 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68597 Patch Status Unpatched Published Dec 22, 2025 Affected Software Job Postings Researcher Muhammad Yudha - DJ More Details > Knowledge Base documentation & wiki plugin – BasePress <= 2.17.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62761 Patch Status Unpatched Published Dec 31, 2025 Affected Software Knowledge Base 
documentation & wiki plugin – BasePress Docs Researcher Muhammad Yudha - DJ More Details > LearnPress – WordPress LMS Plugin <= 4.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14387 Patch Status Patched Published Dec 15, 2025 Affected Software LearnPress – WordPress LMS Plugin Researcher Arkadiusz Hydzik More Details > Link Library <= 7.8.5 - Authenticated (Contributor+) Server-Side Request Forgery 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68600 Patch Status Unpatched Published Dec 24, 2025 Affected Software Link Library Researcher Krissaphat Jankaew More Details > Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13537 Patch Status Unpatched Published Dec 16, 2025 Affected Software Live Composer – Free WordPress Website Builder Researcher Webbernaut More Details > Livemesh Addons for Beaver Builder <= 3.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62990 Patch Status Unpatched Published Dec 31, 2025 Affected Software Livemesh Addons for Beaver Builder Researcher Peter Thaleikis More Details > Maximum Products per User for WooCommerce <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62096 Patch Status Unpatched Published Dec 31, 2025 Affected Software Maximum Products per User for WooCommerce Researcher Muhammad Yudha - DJ More Details > Melos <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62136 Patch Status Unpatched Published Dec 31, 2025 Affected Software Melos Researcher Peter Thaleikis More Details > Membership Plugin – Restrict Content <= 3.2.15 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcodes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14000 
Patch Status Patched Published Dec 22, 2025 Affected Software Membership Plugin – Restrict Content Researcher Muhammad Yudha - DJ More Details > Minamaze <= 1.10.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62991 Patch Status Unpatched Published Dec 31, 2025 Affected Software Minamaze Researcher Peter Thaleikis More Details > ModelTheme Addons for WPBakery and Elementor < 1.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68532 Patch Status Patched Published Dec 17, 2025 Affected Software ModelTheme Addons for WPBakery and Elementor Researcher Phat RiO - BlueRock More Details > MX Time Zone Clocks <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62146 Patch Status Unpatched Published Dec 31, 2025 Affected Software MX Time Zone Clocks Researcher Nabil Irawan More Details > MyBookTable Bookstore <= 3.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62743 Patch Status Unpatched Published Dec 31, 2025 Affected Software MyBookTable Bookstore by Stormhill Media Researcher Muhammad Yudha - DJ More Details > Newsletters <= 4.12 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69020 Patch Status Unpatched Published Dec 28, 2025 Affected Software Newsletters Researcher Muhammad Yudha - DJ More Details > OpenID Connect Generic Client <= 3.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13730 Patch Status Patched Published Dec 17, 2025 Affected Software OpenID Connect Generic Client Researcher Muhammad Yudha - DJ More Details > Page Builder: Live Composer <= 2.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68598 Patch Status Unpatched Published Dec 
22, 2025 Affected Software Live Composer – Free WordPress Website Builder Researcher Muhammad Yudha - DJ More Details > Page Title Splitter <= 2.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62744 Patch Status Unpatched Published Dec 31, 2025 Affected Software Page Title Splitter Researcher Muhammad Yudha - DJ More Details > Post Grid and Gutenberg Blocks <= 2.3.21 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68605 Patch Status Unpatched Published Dec 21, 2025 Affected Software Post Grid Researcher Muhammad Yudha - DJ More Details > Post Signature <= 0.4.1 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62124 Patch Status Unpatched Published Dec 31, 2025 Affected Software WP Post Signature Researcher Nabil Irawan More Details > Postie <= 1.9.73 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63020 Patch Status Unpatched Published Dec 31, 2025 Affected Software Postie Researcher Athiwat Tiprasaharn (Jitlada) More Details > Real 3D FlipBook <= 4.11.4 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68512 Patch Status Patched Published Dec 22, 2025 Affected Software Real 3D Flipbook – 3D FlipBook, PDF FlipBook, PDF Viewer, PDF Embedder Researcher Muhammad Yudha - DJ More Details > RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13610 Patch Status Patched Published Dec 15, 2025 Affected Software RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login Researcher Muhammad Yudha - DJ More Details > Responsive Block Control <= 1.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62135 Patch Status 
Unpatched Published Dec 31, 2025 Affected Software Responsive Block Control – Hide blocks based on display width Researcher Peter Thaleikis More Details > Responsive Posts Carousel Pro <= 15.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68548 Patch Status Patched Published Dec 23, 2025 Affected Software Responsive Posts Carousel WordPress Plugin Researcher Phat RiO - BlueRock More Details > RestroPress <= 3.2.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69017 Patch Status Unpatched Published Dec 27, 2025 Affected Software RestroPress – Online Food Ordering System Researcher zaim More Details > SEO Slider <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62097 Patch Status Unpatched Published Dec 31, 2025 Affected Software SEO Slider Researcher Muhammad Yudha - DJ More Details > Series <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62759 Patch Status Unpatched Published Dec 31, 2025 Affected Software Series Researcher Muhammad Yudha - DJ More Details > Sermon Manager <= 2.30.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63000 Patch Status Unpatched Published Dec 31, 2025 Affected Software Sermon Manager Researcher zaim More Details > Shuttle <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62137 Patch Status Unpatched Published Dec 31, 2025 Affected Software Shuttle Researcher Peter Thaleikis More Details > Text Slider Widget <= 1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68868 Patch Status Unpatched Published Dec 25, 2025 Affected Software Wp Text Slider Widget Researcher Nguyen Xuan Chien More Details > The Moneytizer <= 10.0.6 - 
Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62756 Patch Status Unpatched Published Dec 31, 2025 Affected Software The Moneytizer Researcher Muhammad Yudha - DJ More Details > Themify Portfolio Post <= 1.3.0 - Authenticated (Author+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67533 Patch Status Patched Published Dec 15, 2025 Affected Software Themify Portfolio Post Researcher Muhammad Yudha - DJ More Details > ThirstyAffiliates <= 3.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67537 Patch Status Patched Published Dec 15, 2025 Affected Software ThirstyAffiliates – Affiliate Links, Link Branding, Link Tracking & Marketing Plugin Researcher Muhammad Yudha - DJ More Details > Tooltips <= 10.8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63005 Patch Status Unpatched Published Dec 31, 2025 Affected Software Tooltips for WordPress Researcher zaim More Details > Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13220 Patch Status Patched Published Dec 20, 2025 Affected Software Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin Researcher Muhammad Yudha - DJ More Details > Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13217 Patch Status Patched Published Dec 16, 2025 Affected Software Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin Researcher tiborisaak More Details > User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) 
Stored Cross-Site Scripting via Shortcode Attributes 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13367 Patch Status Patched Published Dec 15, 2025 Affected Software User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin Researcher Muhammad Yudha - DJ More Details > User Specific Content <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62749 Patch Status Unpatched Published Dec 31, 2025 Affected Software User Specific Content Researcher Muhammad Yudha - DJ More Details > UseStrict's Calendly Embedder <= 1.1.7.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67555 Patch Status Patched Published Dec 15, 2025 Affected Software UseStrict's Calendly Embedder Researcher Nabil Irawan More Details > Valenti Engine <= 1.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63021 Patch Status Unpatched Published Dec 31, 2025 Affected Software Valenti Engine Researcher João Pedro S Alcântara (Kinorth) More Details > Visitor Statistics (Real Time Traffic) <= 8.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67983 Patch Status Patched Published Dec 15, 2025 Affected Software WP Visitor Statistics (Real Time Traffic) Researcher Muhammad Yudha - DJ More Details > VK Google Job Posting Manager <= 1.2.22 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68070 Patch Status Patched Published Dec 15, 2025 Affected Software VK Google Job Posting Manager Researcher Nabil Irawan More Details > WBC907 Core <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-63027 Patch Status Patched Published Dec 30, 2025 Affected Software 907 - Responsive Multi-Purpose WordPress 
Theme Researcher João Pedro S Alcântara (Kinorth) More Details > WC Builder <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68533 Patch Status Patched Published Dec 27, 2025 Affected Software WC Builder – WooCommerce Page Builder for WPBakery Researcher zaim More Details > Web and WooCommerce Addons for WPBakery Builder <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62748 Patch Status Unpatched Published Dec 31, 2025 Affected Software Web and WooCommerce Addons for WPBakery Builder Researcher Muhammad Yudha - DJ More Details > Web Directory Free <= 1.7.12 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-69018 Patch Status Patched Published Dec 28, 2025 Affected Software Web Directory Free Researcher Muhammad Yudha - DJ More Details > WebMan Amplifier <= 1.5.12 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-62757 Patch Status Unpatched Published Dec 31, 2025 Affected Software WebMan Amplifier Researcher Muhammad Yudha - DJ More Details > WishSuite <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-13838 Patch Status Patched Published Dec 20, 2025 Affected Software WishSuite – Wishlist for WooCommerce Researcher zaim More Details > WP Import – Ultimate CSV XML Importer for WordPress <= 7.35 - Authenticated (Contributor+) Server-Side Request Forgery via Bitly Shortlink Bypass 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14627 Patch Status Patched Published Jan 1, 2026 Affected Software WP Import – Ultimate CSV XML Importer for WordPress Researchers Dieu LinkGCSC Vietnam More Details > WP Recipe Maker <= 10.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-14385 
Patch Status Patched Published Dec 16, 2025 Affected Software WP Recipe Maker Researcher Abhinav Jaswal (wrath_exe) More Details > WP-ShowHide <= 1.05 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-67541 Patch Status Patched Published Dec 15, 2025 Affected Software WP-ShowHide Researcher Muhammad Yudha - DJ More Details > WPBakery Visual Composer WHMCS Elements <= 1.0.4.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68574 Patch Status Unpatched Published Dec 17, 2025 Affected Software Innovs WPBakery Visual Composer WHMCS Elements Researcher Nabil Irawan More Details > WPCal.io <= 0.9.5.9 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-66103 Patch Status Patched Published Dec 30, 2025 Affected Software WPCal.io – Easy Meeting Scheduler Researcher Peter Thaleikis More Details > XStore Core < 5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-64190 Patch Status Patched Published Dec 30, 2025 Affected Software XStore Core Researcher João Pedro S Alcântara (Kinorth) More Details > Yada Wiki <= 3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-66094 Patch Status Patched Published Dec 30, 2025 Affected Software Yada Wiki Researcher Muhammad Yudha - DJ More Details > YouTube Embed <= 5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating Medium (6.4) CVE-ID CVE-2025-68599 Patch Status Unpatched Published Dec 22, 2025 Affected Software Embeds for YouTube Researcher Muhammad Yudha - DJ More Details > Advanced Custom CSS <= 1.1.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68878 Patch Status Unpatched Published Dec 26, 2025 Affected Software Advanced Custom CSS Researcher Nguyen Xuan Chien More Details > Attachments Handler <= 1.1.7 - 
Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12581 Patch Status Unpatched Published Dec 19, 2025 Affected Software Attachments Handler Researcher johska More Details > Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-14154 Patch Status Patched Published Dec 16, 2025 Affected Software Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss Researcher zer0gh0st More Details > Content Grid Slider <= 1.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68879 Patch Status Unpatched Published Dec 25, 2025 Affected Software Content Grid Slider Researcher Nguyen Xuan Chien More Details > Five Star Restaurant Reservations – WordPress Booking Plugin <= 2.7.5 - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-11496 Patch Status Patched Published Dec 20, 2025 Affected Software Five Star Restaurant Reservations – WordPress Booking Plugin Researcher zer0gh0st More Details > HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13861 Patch Status Patched Published Dec 16, 2025 Affected Software HTML Forms – Simple WordPress Forms Plugin Researcher Itthidej Aramsri (Boeing777) More Details > Invelity SPS connect <= 1.0.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-68876 Patch Status Unpatched Published Dec 26, 2025 Affected Software Invelity SPS connect Researcher Nguyen Xuan Chien More Details > Overstock Affiliate Links <= 1.1 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13624 Patch Status Unpatched Published Dec 19, 2025 Affected Software Overstock Affiliate Links Researcher Abdulsamad Yusuf (0xVenus) More Details > Product Table 
for WooCommerce <= 5.0.8 - Reflected Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-12398 Patch Status Patched Published Dec 20, 2025 Affected Software Product Table for WooCommerce Researcher Athiwat Tiprasaharn (Jitlada) More Details > WP Hallo Welt <= 1.4. - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating Medium (6.1) CVE-ID CVE-2025-13365 Patch Status Unpatched Published Dec 19, 2025 Affected Software WP Hallo Welt Researcher johska More Details > Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Information Disclosure via 'url' Parameter 5.9 CVSS Rating Medium (5.9) CVE-ID CVE-2025-13439 Patch Status Patched Published Dec 15, 2025 Affected Software Fancy Product Designer Researcher Muhammad Zeeshan (Xib3rR4dAr) More Details > Directorist <= 8.5.6 - Unauthenticated Open Redirect 5.8 CVSS Rating Medium (5.8) CVE-ID CVE-2025-64250 Patch Status Unpatched Published Dec 15, 2025 Affected Software Directorist: AI-Powered Business Directory Plugin with Classified Ads Listings Researcher daroo More Details > Responsive and Swipe slider <= 1.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting via Shortcode 5.5 CVSS Rating Medium (5.5) CVE-ID CVE-2025-14721 Patch Status Unpatched Published Dec 19, 2025 Affected Software RESPONSIVE AND SWIPE SLIDER! 
Researcher Bhumividh Treloges More Details > Amazon affiliate lite Plugin <= 1.0.0 - Cross-Site Request Forgery to Plugin Settings Update 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14734 Patch Status Unpatched Published Dec 19, 2025 Affected Software Amazon affiliate lite Plugin Researcher afnaan More Details > FiboSearch – Ajax Search for WooCommerce <= 1.32.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via thegem_te_search Shortcode 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14298 Patch Status Patched Published Dec 19, 2025 Affected Software FiboSearch – Ajax Search for WooCommerce Researcher zaim More Details > Image Photo Gallery Final Tiles Grid <= 3.6.7 - Missing Authorization to Authenticated (Contributor+) Gallery Management 5.4 CVSS Rating Medium (5.4) CVE-ID CVE-2025-14455 Patch Status Patched Published Dec 18, 2025 Affected Software Image Photo Gallery Final Tiles Grid Researcher JongHwan Shin (zzzsleep) More Details > Addonify <= 2.0.4 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68578 Patch Status Unpatched Published Dec 22, 2025 Affected Software Addonify – Quick View For WooCommerce Researcher Legion Hunter More Details > Advanced PDF <= 1.1.7 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62138 Patch Status Unpatched Published Dec 31, 2025 Affected Software WP Advanced PDF Researcher NumeX More Details > AI Copilot <= 1.4.7 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62116 Patch Status Unpatched Published Dec 31, 2025 Affected Software AI Copilot – ChatGPT Chatbot & AI Engine for Post Automation Researcher Nabil Irawan More Details > Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin <= 1.6.9.16 - Missing Authorization to Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-13754 Patch Status Patched Published Dec 18, 2025 Affected Software Appointment Booking Calendar — Simply Schedule Appointments 
Booking Plugin Researcher Marcin Dudek (dudekmar) More Details > Arcane <= 3.6.6 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-69031 Patch Status Unpatched Published Dec 29, 2025 Affected Software Arcane - The Gaming Community Theme Researcher Tran Nguyen Bao Khanh More Details > BBP Core <= 1.4.1 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68572 Patch Status Patched Published Dec 24, 2025 Affected Software Forumax – Advanced Community Forum Plugin Researcher daroo More Details > Bit Assist <= 1.5.11 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68596 Patch Status Patched Published Dec 19, 2025 Affected Software Chat Widget: Floating Customer Support Button for 30+ Channels, Supporting SMS, Calls, and Chat – Bit Assist Researcher NumeX More Details > Booking calendar, Appointment Booking System <= 3.2.30 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67574 Patch Status Patched Published Dec 15, 2025 Affected Software Booking calendar, Appointment Booking System Researcher Legion Hunter More Details > BoomDevs WordPress Coming Soon <= 1.0.4 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62083 Patch Status Unpatched Published Dec 31, 2025 Affected Software BoomDevs WordPress Coming Soon Plugin Researcher Athiwat Tiprasaharn (Jitlada) More Details > Brave <= 0.8.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68508 Patch Status Patched Published Dec 23, 2025 Affected Software Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content Researcher daroo More Details > Claspo – Popups, Spin the Wheel & Email Capture <= 1.0.7 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68568 Patch Status Unpatched Published Dec 17, 2025 Affected Software Claspo – Popups, Spin the Wheel & Email Capture Researcher Legion Hunter More Details > Cooked <= 1.11.2 - Missing Authorization 
5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68586 Patch Status Unpatched Published Dec 24, 2025 Affected Software Cooked – Recipe Management Researcher Legion Hunter More Details > Cookie Banner, Cookie Consent, Consent Log, Cookie Scanner, Script Blocker (for GDPR, CCPA & ePrivacy) : WP Cookie Consent <= 4.0.7 - Missing Authorization to Unauthenticated Arbitrary Post Deletion 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14061 Patch Status Patched Published Dec 16, 2025 Affected Software Cookie Banner for GDPR / CCPA – WPLP Cookie Consent Researcher shark3y More Details > Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 4.0.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66080 Patch Status Patched Published Dec 30, 2025 Affected Software Cookie Banner for GDPR / CCPA – WPLP Cookie Consent Researcher Legion Hunter More Details > Cookie Notice for GDPR, CCPA & ePrivacy Consent <= 4.0.7 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-66133 Patch Status Patched Published Dec 15, 2025 Affected Software Cookie Banner for GDPR / CCPA – WPLP Cookie Consent Researcher Legion Hunter More Details > CubeWP <= 1.1.27 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68036 Patch Status Patched Published Dec 26, 2025 Affected Software CubeWP Framework Researcher MD ISMAIL More Details > DesignThemes LMS Addon <= 2.6 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68982 Patch Status Unpatched Published Dec 18, 2025 Affected Software DesignThemes LMS Addon Researcher Phat RiO - BlueRock More Details > DMCA Protection Badge <= 2.2.0 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62145 Patch Status Unpatched Published Dec 31, 2025 Affected Software DMCA Protection Badge Researcher Nabil Irawan More Details > Document Library Lite <= 1.1.7 - Unauthenticated Insecure Direct Object Reference 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67985 Patch Status Patched Published Dec 15, 
2025 Affected Software Document Library Lite Researcher Zeeshan Haider More Details > dokan pro <= 4.1.3 - Missing Authorization to Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-12809 Patch Status Patched Published Dec 15, 2025 Affected Software Dokan Pro Researcher Ahmed Rayen Ayari More Details > E-Invoice App Malaysia <= 1.3.0 - Unauthenticated Information Exposure 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-68988 Patch Status Unpatched Published Dec 21, 2025 Affected Software EInvoice App Malaysia Researcher Rapid0nion More Details > Easy Form Builder <= 3.8.20 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-67577 Patch Status Patched Published Dec 15, 2025 Affected Software Easy Form Builder by WhiteStudio — Drag & Drop Form Builder Researcher daroo More Details > EasyTest <= 1.0.1 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-63031 Patch Status Unpatched Published Dec 31, 2025 Affected Software EasyTest – Simplify A/B Testing Researcher Legion Hunter More Details > Export Categories & Taxonomies <= 1.0.3 - Missing Authorization 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-62079 Patch Status Unpatched Published Dec 31, 2025 Affected Software WP Export Categories & Taxonomies Researcher Legion Hunter More Details > F70 Lead Document Download <= 1.4.4 - Missing Authorization to Unauthenticated Arbitrary Media File Download 5.3 CVSS Rating Medium (5.3) CVE-ID CVE-2025-14633 Patch Status Unpatched Published Dec 19, 2025 Affected Software F70 Lead Document Download Researcher ChamlaVic More Details > Fancy Product Designer | WooCommerce WordPress <= 6.4.8 - Unauthenticated Full Path Disclosure via 'pdf' Parameter 5.3 CVSS Rating Medium (5.3) CVE-ID Unknown Patch Status Patched Published Dec 15, 2025 Affected Software Fancy Product Designer Researcher Muhammad Zeeshan (Xib3rR4dAr) More Details > FAPI Member <= 2.2.29 - Unauthenticated Insecure Direct Object Reference 5.3 CVSS 
| Title | CVSS | CVE-ID | Patch Status | Published | Affected Software | Researcher |
|---|---|---|---|---|---|---|
| | 5.3 (Medium) | CVE-2025-66132 | Unpatched | Dec 15, 2025 | FAPI Member | NumeX |
| Featured Image Generator <= 1.3.3 - Missing Authorization | 5.3 (Medium) | CVE-2025-62747 | Unpatched | Dec 31, 2025 | Featured Image Generator | Legion Hunter |
| Flowbox <= 1.1.5 - Missing Authorization | 5.3 (Medium) | CVE-2025-49338 | Unpatched | Dec 31, 2025 | Flowbox | Muhammad Nur Ibnu Hubab (Ibnu) |
| Frontend Post Submission Manager Lite <= 1.2.5 - Missing Authorization to Unauthenticated Arbitrary Post Modification | 5.3 (Medium) | CVE-2025-14080 | Patched | Dec 20, 2025 | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin | Md. Moniruzzaman Prodhan (NomanProdhan) |
| Frontend Post Submission Manager Lite <= 1.2.6 - Incorrect Authorization to Unauthenticated Arbitrary Attachment Deletion | 5.3 (Medium) | CVE-2025-14913 | Patched | Dec 25, 2025 | Frontend Post Submission Manager Lite – Frontend Posting WordPress Plugin | Md. Moniruzzaman Prodhan (NomanProdhan) |
| Funnelforms Free <= 3.8 - Missing Authorization | 5.3 (Medium) | CVE-2025-68582 | Unpatched | Dec 25, 2025 | Interactive Contact Form and Multi Step Form Builder with Drag & Drop Editor – Funnelforms Free | Legion Hunter |
| FV Simpler SEO <= 1.9.6 - Missing Authorization | 5.3 (Medium) | CVE-2025-68579 | Patched | Dec 22, 2025 | FV Simpler SEO | Legion Hunter |
| Gerencianet Oficial <= 3.1.3 - Unauthenticated Information Exposure | 5.3 (Medium) | CVE-2025-59136 | Unpatched | Dec 31, 2025 | Efí Bank | Legion Hunter |
| Google Calendar Events <= 3.5.9 - Unauthenticated Insecure Direct Object Reference | 5.3 (Medium) | CVE-2025-68979 | Unpatched | Dec 18, 2025 | Simple Calendar – Google Calendar Plugin | Doan Dinh Van (DinhVan52) |
| GS Portfolio for Envato <= 1.4.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-62755 | Unpatched | Dec 31, 2025 | GS Portfolio for Envato | Legion Hunter |
| H5P <= 1.16.1 - Missing Authorization | 5.3 (Medium) | CVE-2025-68505 | Patched | Dec 28, 2025 | Interactive Content – H5P | Bao - BlueRock |
| HAPPY <= 1.0.9 - Missing Authorization | 5.3 (Medium) | CVE-2025-68556 | Patched | Dec 23, 2025 | HAPPY – Helpdesk Support Ticket System | benzdeus |
| Highlight and Share <= 5.2.0 - Missing Authorization | 5.3 (Medium) | CVE-2025-67586 | Patched | Dec 15, 2025 | Highlight and Share – Social Text and Image Sharing | Zeeshan Haider |
| HomeFix Elementor Portfolio <= 1.0.1 - Missing Authorization | 5.3 (Medium) | CVE-2025-68981 | Unpatched | Dec 18, 2025 | HomeFix Elementor Portfolio | Phat RiO - BlueRock |
| Hotel Booking <= 3.8 - Missing Authorization | 5.3 (Medium) | CVE-2025-63001 | Unpatched | Dec 31, 2025 | Hotel Booking | benzdeus |
| JetFormBuilder <= 3.5.3 - Missing Authorization to Unauthenticated Form Generation | 5.3 (Medium) | CVE-2025-11991 | Patched | Dec 15, 2025 | JetFormBuilder — Dynamic Blocks Form Builder | Tri Firdyanto (Firdy) |
| LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure | 5.3 (Medium) | CVE-2025-13956 | Patched | Dec 15, 2025 | LearnPress – WordPress LMS Plugin | Sarawut Poolkhet (MisterHelloz) |
| Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 - Missing Authorization | 5.3 (Medium) | CVE-2025-62081 | Unpatched | Dec 31, 2025 | Live Shopping & Shoppable Videos For WooCommerce | Muhammad Nur Ibnu Hubab (Ibnu) |
| Master Addons for Elementor <= 2.0.9.9.4 - Unauthenticated Insecure Direct Object Reference | 5.3 (Medium) | CVE-2025-63053 | Unpatched | Dec 31, 2025 | Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations | Mdr |
| Medical Equipment eCommerce WordPress Theme <= 1.0.9 - Missing Authorization | 5.3 (Medium) | CVE-2025-69009 | Unpatched | Dec 26, 2025 | Medical Equipment eCommerce WordPress Theme | Phat RiO - BlueRock |
| Membership For WooCommerce <= 3.0.3 - Unauthenticated Insecure Direct Object Reference | 5.3 (Medium) | CVE-2025-67909 | Patched | Dec 24, 2025 | Membership For WooCommerce – WordPress Membership Plugin, Restrict Content, Build Online Communities, Paywall & Content Dripping | timomangcut |
| MyD Delivery <= 1.3.7 - Unauthenticated Insecure Direct Object Reference | 5.3 (Medium) | CVE-2025-49334 | Unpatched | Dec 31, 2025 | MyD Delivery | Powpy |
| OneSignal – Web Push Notifications <= 3.6.1 - Missing Authorization to Unauthenticated Plugin Settings Update | 5.3 (Medium) | CVE-2025-13950 | Patched | Dec 15, 2025 | OneSignal – Web Push Notifications | Marcin Dudek (dudekmar) |
| Pixel Manager for WooCommerce <= 1.51.1 - Unauthenticated Information Exposure | 5.3 (Medium) | CVE-2025-67564 | Patched | Dec 15, 2025 | Pixel Manager for WooCommerce – Track Conversions and Analytics, Google Ads, TikTok and more | Bao - BlueRock |
| PixelYourSite <= 11.1.5 - Sensitive Information Exposure via Log File | 5.3 (Medium) | CVE-2025-14280 | Patched | Dec 29, 2025 | PixelYourSite – Your smart PIXEL (TAG) & API Manager | Marcin Dudek (dudekmar) |
| Poll, Survey & Quiz Maker Plugin by Opinion Stage <= 19.12.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-68594 | Unpatched | Dec 22, 2025 | Poll, Survey & Quiz Maker Plugin by Opinion Stage | daroo |
| PostX <= 5.0.3 - Unauthenticated Information Exposure | 5.3 (Medium) | CVE-2025-68606 | Patched | Dec 21, 2025 | Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX | Doan Dinh Van (DinhVan52) |
| Premium Addons for Elementor <= 4.11.53 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'get_template_content' | 5.3 (Medium) | CVE-2025-14155 | Patched | Dec 22, 2025 | Premium Addons for Elementor – Powerful Elementor Templates & Widgets | Dmitrii Ignatyev |
| Pretty Google Calendar <= 2.0.0 - Missing Authorization to Unauthenticated Google API Key Exposure | 5.3 (Medium) | CVE-2025-12898 | Patched | Dec 19, 2025 | Pretty Google Calendar | Ahmad Salem (a7mad.cc) |
| Product Loops for WooCommerce <= 2.1.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-68994 | Unpatched | Dec 23, 2025 | Product Loops for WooCommerce | Phat RiO - BlueRock |
| Protect WP Admin <= 4.1 - Missing Authorization | 5.3 (Medium) | CVE-2025-64249 | Unpatched | Dec 15, 2025 | Protect WP Admin | Legion Hunter |
| QuadLayers TikTok Feed <= 4.6.4 - Missing Authorization | 5.3 (Medium) | CVE-2025-63016 | Unpatched | Dec 31, 2025 | QuadLayers TikTok Feed | Legion Hunter |
| Realbig <= 1.1.3 - Missing Authorization | 5.3 (Medium) | CVE-2025-62147 | Unpatched | Dec 31, 2025 | Realbig For WordPress | Nabil Irawan |
| RestroPress <= 3.2.4.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-62129 | Unpatched | Dec 31, 2025 | RestroPress – Online Food Ordering System | daroo |
| Reuters Direct <= 3.0.0 - Missing Authorization | 5.3 (Medium) | CVE-2025-49349 | Unpatched | Dec 31, 2025 | Reuters Direct | Nabil Irawan |
| Sailing < 4.4.6 - Missing Authorization | 5.3 (Medium) | CVE-2025-67573 | Patched | Dec 15, 2025 | Sailing | João Pedro S Alcântara (Kinorth) |
| SALESmanago <= 3.9.0 - Missing Authorization | 5.3 (Medium) | CVE-2025-68571 | Patched | Dec 24, 2025 | SALESmanago & Leadoo | Legion Hunter |
| Share, Print and PDF Products for WooCommerce <= 3.1.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-68993 | Unpatched | Dec 23, 2025 | Share, Print and PDF Products for WooCommerce | Phat RiO - BlueRock |
| Simple Like Page <= 1.5.3 - Missing Authorization | 5.3 (Medium) | CVE-2025-63022 | Unpatched | Dec 31, 2025 | Simple Like Page Plugin | Legion Hunter |
| Simple Link Directory <= 8.8.3 - Missing Authorization | 5.3 (Medium) | CVE-2025-67576 | Patched | Dec 15, 2025 | Simple Link Directory | daroo |
| Sitewide Notice WP <= 2.4.1 - Missing Authorization | 5.3 (Medium) | CVE-2025-67575 | Patched | Dec 15, 2025 | Sitewide Notice WP | Legion Hunter |
| Sober <= 3.5.11 - Unauthenticated Information Exposure | 5.3 (Medium) | CVE-2025-67567 | Patched | Dec 15, 2025 | Sober | Phat RiO - BlueRock |
| Tainacan <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Metadata Section Creation | 5.3 (Medium) | CVE-2025-14043 | Patched | Dec 20, 2025 | Tainacan | Deadbee |
| Telegram Widget and Join Link <= 2.2.12 - Missing Authorization | 5.3 (Medium) | CVE-2025-68589 | Unpatched | Dec 22, 2025 | WP Telegram Widget and Join Link | Legion Hunter |
| Themebeez Toolkit <= 1.3.5 - Missing Authorization | 5.3 (Medium) | CVE-2025-69010 | Unpatched | Dec 26, 2025 | Themebeez Toolkit | Legion Hunter |
| Trash Duplicate and 301 Redirect <= 1.9.1 - Missing Authorization | 5.3 (Medium) | CVE-2025-62122 | Unpatched | Dec 31, 2025 | Trash Duplicate and 301 Redirect | Nabil Irawan |
| TrueBooker <= 1.1.0 - Missing Authorization | 5.3 (Medium) | CVE-2025-67581 | Patched | Dec 15, 2025 | Appointment Booking and Scheduler Plugin – Truebooker | daroo |
| Twitch Player <= 2.1.3 - Missing Authorization | 5.3 (Medium) | CVE-2025-68565 | Unpatched | Dec 19, 2025 | Twitch Player | Legion Hunter |
| Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure | 5.3 (Medium) | CVE-2025-12492 | Patched | Dec 19, 2025 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | Athiwat Tiprasaharn (Jitlada) |
| User Extra Fields <= 16.8 - Missing Authorization | 5.3 (Medium) | CVE-2025-67579 | Patched | Dec 15, 2025 | WordPress User Extra Fields | Phat RiO - BlueRock |
| User Submitted Posts <= 20251121 - Unauthenticated Open Redirect | 5.3 (Medium) | CVE-2025-68509 | Patched | Jan 1, 2026 | User Submitted Posts – Enable Users to Submit Posts from the Front End | benzdeus |
| Userpro <= 5.1.9 - Missing Authorization | 5.3 (Medium) | CVE-2025-68608 | Unpatched | Dec 25, 2025 | UserPro - Community and User Profile WordPress Plugin | Ananda Dhakal |
| Wappointment <= 2.7.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-68575 | Unpatched | Dec 21, 2025 | Appointment Bookings for Zoom GoogleMeet and more – Wappointment | daroo |
| Wawp <= 4.0.5 - Missing Authorization | 5.3 (Medium) | CVE-2025-62141 | Unpatched | Dec 31, 2025 | Wawp – Order Notifications, OTP Login, Checkout Verifications and Country Code | Legion Hunter |
| Wbcom Designs <= 2.1.1 - Missing Authorization | 5.3 (Medium) | CVE-2025-67582 | Patched | Dec 15, 2025 | Wbcom Designs – Private Community for BuddyPress | NumeX |
| WeDesignTech Portfolio <= 1.0.2 - Missing Authorization | 5.3 (Medium) | CVE-2025-68980 | Unpatched | Dec 18, 2025 | WeDesignTech Portfolio | Phat RiO - BlueRock |
| weForms <= 1.6.25 - Missing Authorization | 5.3 (Medium) | CVE-2025-69028 | Patched | Dec 29, 2025 | weForms – Easy Drag & Drop Contact Form Builder For WordPress | Doan Dinh Van (DinhVan52) |
| Widgets for Social Photo Feed <= 1.7.7 - Missing Authorization | 5.3 (Medium) | CVE-2025-68595 | Unpatched | Dec 23, 2025 | Widgets for Social Photo Feed | NumeX |
| Wiremo <= 1.4.99 - Missing Authorization | 5.3 (Medium) | CVE-2025-62092 | Unpatched | Dec 31, 2025 | Wiremo – Product Reviews for WooCommerce | Legion Hunter |
| WP User Frontend <= 4.2.4 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion | 5.3 (Medium) | CVE-2025-14047 | Patched | Jan 1, 2026 | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | shark3y |
| wpDiscuz <= 7.6.42 - Unauthenticated Insecure Direct Object Reference | 5.3 (Medium) | CVE-2025-68997 | Unpatched | Dec 25, 2025 | Comments – wpDiscuz | Doan Dinh Van (DinhVan52) |
| WpStream <= 4.9.5 - Missing Authorization | 5.3 (Medium) | CVE-2025-68521 | Patched | Dec 29, 2025 | WpStream – Live Streaming, Video on Demand, Pay Per View | Que Thanh Tuan - Blue Rock |
| Yaad Sarig Payment Gateway For WC <= 2.2.10 - Missing Authorization | 5.3 (Medium) | CVE-2025-66131 | Unpatched | Dec 15, 2025 | Yaad Sarig Payment Gateway For WC | Nabil Irawan |
| Appointify <= 1.0.8 - Authenticated (Administrator+) SQL Injection | 4.9 (Medium) | CVE-2025-59129 | Unpatched | Dec 30, 2025 | Appointify | Abdulsamad Yusuf (0xVenus) |
| Captivate Sync <= 3.2.2 - Authenticated (Administrator+) SQL Injection | 4.9 (Medium) | CVE-2025-68570 | Unpatched | Dec 21, 2025 | Captivate Sync | w41bu1 |
| Integration for Contact Form 7 HubSpot <= 1.4.2 - Authenticated (Administrator+) SQL Injection | 4.9 (Medium) | CVE-2025-68590 | Patched | Dec 25, 2025 | Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms | Offensive Labs |
| Newsletter <= 9.0.9 - Authenticated (Administrator+) SQL Injection | 4.9 (Medium) | CVE-2025-67999 | Patched | Dec 15, 2025 | Newsletter – Send awesome emails from WordPress | Doan Dinh Van (DinhVan52) |
| Ninja Tables <= 5.2.3 - Authenticated (Administrator+) SQL Injection | 4.9 (Medium) | CVE-2025-67519 | Patched | Dec 15, 2025 | Ninja Tables – Easy Data Table Builder | w41bu1 |
| User Feedback <= 1.10.0 - Authenticated (Editor+) SQL Injection | 4.9 (Medium) | CVE-2025-68496 | Patched | Dec 22, 2025 | User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds | daroo |
| Zephyr Project Manager <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery | 4.9 (Medium) | CVE-2025-12496 | Patched | Dec 16, 2025 | Zephyr Project Manager | type5afe |
| Accept Donations with PayPal <= 1.5.2 - Unauthenticated Open Redirect | 4.7 (Medium) | CVE-2025-68602 | Unpatched | Dec 25, 2025 | Accept Donations with PayPal & Stripe | Legion Hunter |
| Accessibility Press <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-49355 | Unpatched | Dec 31, 2025 | Accessibility Press | HunSec |
| AM Events <= 1.13.1 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-69006 | Unpatched | Dec 26, 2025 | AM Events | Muhammad Nur Ibnu Hubab (Ibnu) |
| Amazon affiliate lite Plugin <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-14735 | Unpatched | Dec 19, 2025 | Amazon affiliate lite Plugin | afnaan |
| Astra Widgets <= 1.2.16 - Authenticated (Editor+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-68497 | Patched | Dec 28, 2025 | Astra Widgets | benzdeus |
| Basticom Framework <= 1.5.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67629 | Unpatched | Dec 21, 2025 | Basticom Framework | Muhammad Nur Ibnu Hubab (Ibnu) |
| Behance Portfolio Manager <= 1.7.5 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-59135 | Unpatched | Dec 31, 2025 | Behance Portfolio Manager | Nguyen Tran Tuan Dung (domiee13) |
| Category Icon <= 1.0.2 - Authenticated (Editor+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-68525 | Patched | Dec 25, 2025 | Category Icon | Nabil Irawan |
| Cooked <= 1.11.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-62989 | Unpatched | Dec 31, 2025 | Cooked – Recipe Management | ch1mk |
| Dashboard Beacon <= 1.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-49337 | Unpatched | Dec 31, 2025 | Dashboard Beacon | HunSec |
| Document Library Lite <= 1.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67986 | Patched | Dec 15, 2025 | Document Library Lite | Zeeshan Haider |
| Draft Notify <= 1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67627 | Unpatched | Dec 21, 2025 | Draft Notify | Muhammad Nur Ibnu Hubab (Ibnu) |
| eBay Product Feeds <= 3.4.9 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67557 | Patched | Dec 15, 2025 | WP eBay Product Feeds | Tarcísio Luchesi (Poystick) |
| Gift Hunt <= 2.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67631 | Unpatched | Dec 24, 2025 | Gift Hunt | LIM MINHYEOK |
| Google AdSense for Responsive Design – GARD <= 2.23 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67632 | Unpatched | Dec 21, 2025 | Google AdSense for Responsive Design – GARD | Muhammad Nur Ibnu Hubab (Ibnu) |
| Greenhouse Job Board <= 2.7.3 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67633 | Unpatched | Dec 21, 2025 | Greenhouse Job Board | Muhammad Nur Ibnu Hubab (Ibnu) |
| Inboxify Sign Up Form <= 1.0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-69008 | Unpatched | Dec 26, 2025 | Inboxify Sign Up Form | Muhammad Nur Ibnu Hubab (Ibnu) |
| Locatoraid Store Locator <= 3.9.65 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-62140 | Unpatched | Dec 31, 2025 | Locatoraid Store Locator | Zeeshan Haider |
| Logo Slider , Logo Carousel , Logo showcase , Client Logo <= 1.8.1 - Authenticated (Editor+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-62121 | Unpatched | Dec 31, 2025 | Logo Slider , Logo Carousel , Logo showcase , Client Logo | Nabil Irawan |
| Multi-Step Checkout for WooCommerce <= 2.33 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67542 | Patched | Dec 15, 2025 | Multi-Step Checkout for WooCommerce | benzdeus |
| My auctions allegro <= 3.6.33 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-68566 | Unpatched | Dec 17, 2025 | My auctions allegro | Muhammad Nur Ibnu Hubab (Ibnu) |
| Popping Sidebars and Widgets Light <= 1.27 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-69007 | Unpatched | Dec 26, 2025 | Popping Sidebars and Widgets Light | Muhammad Nur Ibnu Hubab (Ibnu) |
| Post Video Players <= 1.163 - Authenticated (Editor+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-62142 | Unpatched | Dec 31, 2025 | Cincopa video and media plug-in | Nabil Irawan |
| Rencontre <= 3.13.7 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67558 | Patched | Dec 15, 2025 | Rencontre – Dating Site | Myungju Kim |
| Review Disclaimer <= 2.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67628 | Unpatched | Dec 21, 2025 | Review Disclaimer | Muhammad Nur Ibnu Hubab (Ibnu) |
| WC Builder <= 1.2.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute | 4.4 (Medium) | CVE-2025-14054 | Patched | Dec 20, 2025 | WC Builder – WooCommerce Page Builder for WPBakery | zaim |
| WH Tweaks <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-67630 | Unpatched | Dec 21, 2025 | WH Tweaks | Muhammad Nur Ibnu Hubab (Ibnu) |
| WooCommerce Parcelas <= 1.3.5 - Authenticated (Shop manager+) Stored Cross-Site Scripting | 4.4 (Medium) | CVE-2025-62750 | Unpatched | Dec 31, 2025 | WooCommerce Parcelas | Muhammad Yudha - DJ |
| Accordion Slider Gallery <= 2.7 - Missing Authorization | 4.3 (Medium) | CVE-2025-62130 | Unpatched | Dec 31, 2025 | Accordion Slider Gallery | Nabil Irawan |
| Add Custom Codes <= 4.80 - Missing Authorization | 4.3 (Medium) | CVE-2025-62108 | Unpatched | Dec 31, 2025 | Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript | Nabil Irawan |
| Admin and Site Enhancements (ASE) <= 8.0.8 - Missing Authorization | 4.3 (Medium) | CVE-2025-64255 | Patched | Dec 15, 2025 | Admin and Site Enhancements (ASE) | daroo |
| Adminify <= 4.0.6.1 - Missing Authorization | 4.3 (Medium) | CVE-2025-68593 | Patched | Dec 18, 2025 | WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer | daroo |
| Adminify <= 4.0.6.1 - Missing Authorization | 4.3 (Medium) | CVE-2025-68592 | Patched | Dec 18, 2025 | WP Adminify – White Label WordPress, Admin Menu Editor, Login Customizer | daroo |
| Advanced Classifieds & Directory Pro <= 3.2.9 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-68580 | Patched | Dec 24, 2025 | Advanced Classifieds & Directory Pro | Nabil Irawan |
| AI Content Writing Assistant (Content Writer, ChatGPT, Image Generator) All in One <= 1.1.7 - Missing Authorization | 4.3 (Medium) | CVE-2025-62154 | Unpatched | Dec 31, 2025 | AI Content Writing Assistant | NumeX |
| All in One Accessibility <= 1.14 - Missing Authorization | 4.3 (Medium) | CVE-2025-63004 | Unpatched | Dec 31, 2025 | All in One Accessibility | Legion Hunter |
| Animation Addons for Elementor <= 2.4.5 - Authenticated (Contributor+) Arbitrary Content Deletion | 4.3 (Medium) | CVE-2025-67540 | Patched | Dec 15, 2025 | Animation Addons for Elementor – GSAP Powered Elementor Addons & Website Templates | Denver Jackson |
| AnyComment <= 0.3.6 - Missing Authorization | 4.3 (Medium) | CVE-2025-62874 | Unpatched | Dec 31, 2025 | AnyComment | Rooting |
| Appender <= 1.1.1 - Missing Authorization | 4.3 (Medium) | CVE-2025-66150 | Unpatched | Dec 31, 2025 | Appender – Copycat Content Protection for WordPress | Phat RiO - BlueRock |
| Appointify <= 1.0.8 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-59130 | Unpatched | Dec 31, 2025 | Appointify | Abdulsamad Yusuf (0xVenus) |
| Attachments <= 5.2 - Missing Authorization | 4.3 (Medium) | CVE-2025-62888 | Unpatched | Dec 31, 2025 | WP Attachments | Athiwat Tiprasaharn (Jitlada) |
| Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification | 4.3 (Medium) | CVE-2025-13794 | Patched | Dec 15, 2025 | Auto Featured Image (Auto Post Thumbnail) | Dmitrii Ignatyev |
| Backpack Traveler <= 2.10.3 - Authenticated (Subscriber+) Insecure Direct Object Reference | 4.3 (Medium) | CVE-2025-69030 | Unpatched | Dec 29, 2025 | Backpack Traveler - Modern Travel Blog WordPress Theme | Tran Nguyen Bao Khanh |
| Behance Portfolio Manager <= 1.7.5 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-59137 | Unpatched | Dec 31, 2025 | Behance Portfolio Manager | Muhammad Nur Ibnu Hubab (Ibnu) |
| BizPrint <= 4.6.7 - Missing Authorization | 4.3 (Medium) | CVE-2025-69024 | Patched | Dec 29, 2025 | Print Anywhere & Create PDFs of Order Receipts, Invoices, Labels & More. | daroo |
| Business Directory <= 6.4.19 - Missing Authorization | 4.3 (Medium) | CVE-2025-64630 | Patched | Dec 15, 2025 | Business Directory Plugin – Easy Listing Directories for WordPress | daroo |
| Chakra test <= 1.0.1 - Missing Authorization | 4.3 (Medium) | CVE-2025-68557 | Patched | Dec 23, 2025 | Chakra test | Athiwat Tiprasaharn (Jitlada) |
| Co-marquage service-public.fr <= 0.5.77 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-62113 | Unpatched | Dec 31, 2025 | Co-marquage service-public.fr | Nabil Irawan |
| Conformer for Elementor <= 1.0.7 - Missing Authorization | 4.3 (Medium) | CVE-2025-66148 | Unpatched | Dec 31, 2025 | Contact Form 7 styler for Elementor – Conformer | Phat RiO - BlueRock |
| Contact Form 7 Extension For Mailchimp <= 0.9.54 - Authenticated (Contributor+) Information Exposure | 4.3 (Medium) | CVE-2025-68989 | Unpatched | Dec 21, 2025 | Connect Contact Form 7 and Mailchimp | Bao - BlueRock |
| Contact Form Widget <= 1.5.1 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-62134 | Unpatched | Dec 31, 2025 | Contact Form Widget | Nabil Irawan |
| Converter for Media <= 6.3.2 - Missing Authorization to Authenticated (Subscriber+) Optimized Image Deletion via regenerate-attachment REST Endpoint | 4.3 (Medium) | CVE-2025-13750 | Patched | Dec 16, 2025 | Converter for Media – Optimize images \| Convert WebP & AVIF | Marcin Dudek (dudekmar) |
| Core Web Vitals & PageSpeed Booster <= 1.0.27 - Missing Authorization | 4.3 (Medium) | CVE-2025-62144 | Unpatched | Dec 31, 2025 | Core Web Vitals & PageSpeed Booster | Nabil Irawan |
| Countdowner for Elementor <= 1.0.4 - Missing Authorization | 4.3 (Medium) | CVE-2025-66151 | Unpatched | Dec 31, 2025 | Countdowner – Countdown Timer for Elementor | Phat RiO - BlueRock |
| Couponer for Elementor <= 1.1.7 - Missing Authorization | 4.3 (Medium) | CVE-2025-66154 | Unpatched | Dec 31, 2025 | Couponer – Discount Coupons for Elementor | Phat RiO - BlueRock |
| Criptopayer for Elementor <= 1.0.1 - Missing Authorization | 4.3 (Medium) | CVE-2025-66152 | Unpatched | Dec 31, 2025 | Criptopayer – Crypto Payment Button for Elementor | Phat RiO - BlueRock |
| Crowdsignal Forms <= 1.7.2 - Missing Authorization | 4.3 (Medium) | CVE-2025-69015 | Unpatched | Dec 27, 2025 | Crowdsignal Forms | Doan Dinh Van (DinhVan52) |
| Custom Admin Interface <= 7.40 - Missing Authorization | 4.3 (Medium) | CVE-2025-63038 | Unpatched | Dec 31, 2025 | WP Custom Admin Interface | Athiwat Tiprasaharn (Jitlada) |
| Custom Post Status <= 1.1.0 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-68885 | Unpatched | Dec 31, 2025 | Custom Post Status | Skalucy |
| Custom Style <= 1.0 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-49342 | Unpatched | Dec 31, 2025 | Custom Style | Skalucy |
| CWW Companion <= 1.3.2 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-67473 | Patched | Dec 15, 2025 | CWW Companion | Trương Hữu Phúc (truonghuuphuc) |
| Direct Payments WP <= 1.3.0 - Authenticated (Subscriber+) Sensitive Information Exposure | 4.3 (Medium) | CVE-2025-49340 | Unpatched | Dec 31, 2025 | Direct Payments WP | Athiwat Tiprasaharn (Jitlada) |
| Direct Payments WP <= 1.3.0 - Missing Authorization | 4.3 (Medium) | CVE-2025-49339 | Unpatched | Dec 31, 2025 | Direct Payments WP | Powpy |
| Discussion Board <= 2.5.7 - Missing Authorization | 4.3 (Medium) | CVE-2025-69023 | Unpatched | Dec 28, 2025 | Discussion Board – WordPress Forum Plugin | Nabil Irawan |
| Document Revisions <= 3.7.2 - Missing Authorization | 4.3 (Medium) | CVE-2025-68585 | Patched | Dec 25, 2025 | WP Document Revisions | Nabil Irawan |
| Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment Password Disclosure | 4.3 (Medium) | CVE-2025-13498 | Patched | Dec 17, 2025 | Download Manager | type5afe |
| Download Plugins and Themes from Dashboard <= 1.9.6 - Cross-Site Request Forgery to Bulk Plugin/Theme Archival | 4.3 (Medium) | CVE-2025-14399 | Patched | Dec 16, 2025 | Download Plugins and Themes in ZIP from Dashboard | bosz |
| Easy Digital Downloads <= 3.6.2 - Unvalidated Redirect in Password Reset Flow via edd_redirect | 4.3 (Medium) | CVE-2025-14783 | Patched | Dec 30, 2025 | Easy Digital Downloads – eCommerce Payments and Subscriptions made easy | shark3y |
| Easy Upload Files During Checkout <= 3.0.0 - Missing Authorization | 4.3 (Medium) | CVE-2025-62078 | Unpatched | Dec 31, 2025 | Easy Upload Files During Checkout | Legion Hunter |
| EasyIndex <= 1.1.1704 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-62117 | Unpatched | Dec 31, 2025 | EasyIndex | Nabil Irawan |
| Editorial Calendar <= 3.8.8 - Missing Authorization | 4.3 (Medium) | CVE-2025-68603 | Unpatched | Dec 20, 2025 | Editorial Calendar | Doan Dinh Van (DinhVan52) |
| Eight Day Week Print Workflow <= 1.2.5 - Authenticated (Custom+) Information Exposure | 4.3 (Medium) | CVE-2025-67621 | Patched | Dec 21, 2025 | Eight Day Week Print Workflow | PPzzAArr |
| Email Capture <= 3.12.5 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-68529 | Patched | Dec 31, 2025 | Email Marketing Plugin – WP Email Capture | Arif Shaikh |
| Essential Blocks <= 5.7.2 - Missing Authorization To Authenticated (Author+) Information Disclosure | 4.3 (Medium) | CVE-2025-11369 | Patched | Dec 16, 2025 | Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns | Dmitrii Ignatyev |
| Event Organiser <= 3.12.8 - Missing Authorization | 4.3 (Medium) | CVE-2025-69012 | Unpatched | Dec 27, 2025 | Event Organiser | Doan Dinh Van (DinhVan52) |
| Everest Backup <= 2.3.9 - Cross-Site Request Forgery | 4.3 (Medium) | CVE-2025-62992 | Unpatched | Dec 31, 2025 | Everest Backup | |
– WordPress Cloud Backup, Migration, Restore & Cloning Plugin Researcher 0xd4rk5id3 More Details > Evergreen Post Tweeter <= 1.8.9 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67622 Patch Status Unpatched Published Dec 18, 2025 Affected Software Evergreen Post Tweeter Researcher Skalucy More Details > Fast User Switching <= 1.4.10 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68583 Patch Status Unpatched Published Dec 25, 2025 Affected Software Fast User Switching Researcher Nabil Irawan More Details > FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12900 Patch Status Patched Published Dec 15, 2025 Affected Software FileBird – WordPress Media Library Folders & File Manager Researcher type5afe More Details > Five Star Restaurant Reservations <= 2.7.8 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68601 Patch Status Patched Published Dec 24, 2025 Affected Software Five Star Restaurant Reservations – WordPress Booking Plugin Researcher benzdeus More Details > FiveStar <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69032 Patch Status Unpatched Published Dec 29, 2025 Affected Software FiveStar - Hotel Booking WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > FormFacade <= 1.4.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62133 Patch Status Unpatched Published Dec 31, 2025 Affected Software FormFacade – Embed Google Forms in your website Researcher Nabil Irawan More Details > GiveWP <= 4.13.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67467 Patch Status Patched Published Dec 23, 2025 Affected Software GiveWP – Donation Plugin and Fundraising Platform Researcher Drew Webber (mcdruid) More Details > Gmail SMTP <= 
1.0.7 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62123 Patch Status Unpatched Published Dec 31, 2025 Affected Software WP Gmail SMTP Researcher Nabil Irawan More Details > Gmaper for Elementor <= 1.0.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66158 Patch Status Unpatched Published Dec 31, 2025 Affected Software Google Maps for Elementor Researcher Phat RiO - BlueRock More Details > Gmedia Photo Gallery <= 1.24.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-63014 Patch Status Unpatched Published Dec 31, 2025 Affected Software Gmedia Photo Gallery Researcher daroo More Details > Graphist <= 1.2.10 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66160 Patch Status Unpatched Published Dec 31, 2025 Affected Software Graphist – Graphs & Charts for Elementor Researcher Phat RiO - BlueRock More Details > Gutenverse Form <= 2.3.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68511 Patch Status Patched Published Dec 20, 2025 Affected Software Gutenverse Form – Contact Form Builder, Booking, Reservation, Subscribe for Block Editor Researcher daroo More Details > Headinger for Elementor <= 1.1.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66153 Patch Status Unpatched Published Dec 31, 2025 Affected Software Customizable heading for Elementor Researcher Phat RiO - BlueRock More Details > Heateor Social Login <= 1.1.39 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68998 Patch Status Unpatched Published Dec 26, 2025 Affected Software Heateor Social Login WordPress Researcher Trương Hữu Phúc (truonghuuphuc) More Details > Hide Plugins <= 1.0.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62115 Patch Status Unpatched Published Dec 31, 2025 Affected Software Hide Plugins Researcher Nabil Irawan More Details > History Timeline <= 1.0.6 - Missing Authorization 4.3 CVSS Rating 
Medium (4.3) CVE-ID CVE-2025-62150 Patch Status Unpatched Published Dec 31, 2025 Affected Software History Timeline for Biography, Company History & Event Timeline Researcher Legion Hunter More Details > HR Management Lite <= 3.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69022 Patch Status Unpatched Published Dec 28, 2025 Affected Software HR Management Lite Researcher benzdeus More Details > HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.3 - Authenticated (Subscriber+) Insecure Direct Object Reference via 'woof_add_subscr' 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13110 Patch Status Patched Published Dec 17, 2025 Affected Software HUSKY – Products Filter Professional for WooCommerce Researcher Athiwat Tiprasaharn (Jitlada) More Details > Image Caption Hover Pro < 20.0 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67562 Patch Status Patched Published Dec 15, 2025 Affected Software Image Caption Hover Pro Researcher Phat RiO - BlueRock More Details > Image Gallery – Photo Grid & Video Gallery <= 2.13.3 - Missing Authorization to Authenticated (Author+) Arbitrary Gallery Modification 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14003 Patch Status Patched Published Dec 15, 2025 Affected Software Modula Image Gallery – Photo Grid & Video Gallery Researchers Athiwat Tiprasaharn (Jitlada)Itthidej Aramsri (Boeing777)PowpyWaris DamkhamVarakorn Chanthasri (iCreaM)Peerapat SamatathanyakornSopon Tangpathum (SoNaJaa) More Details > Import into Easy Property Listings <= 2.2.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62112 Patch Status Patched Published Dec 30, 2025 Affected Software Import into Easy Property Listings Researcher Nabil Irawan More Details > iNext Woo Pincode Checker <= 2.3.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62084 Patch Status Unpatched Published Dec 31, 2025 Affected Software iNext Woo Pincode Checker Researcher Muhammad 
Nur Ibnu Hubab (Ibnu) More Details > JetBlog <= 2.4.7 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68503 Patch Status Patched Published Dec 30, 2025 Affected Software JetBlog Researcher Bonds More Details > JetPopup <= 2.0.20.1 - Authenticated (Contributor+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68502 Patch Status Patched Published Dec 30, 2025 Affected Software JetPopup Researcher Bonds More Details > JetTabs <= 2.2.12 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68498 Patch Status Patched Published Dec 30, 2025 Affected Software JetTabs Researcher Bonds More Details > Listdom <= 5.0.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67560 Patch Status Patched Published Dec 15, 2025 Affected Software AI-Powered Business Directory and Classified Ads Listings – Listdom Researcher daroo More Details > Live Shopping & Shoppable Videos For WooCommerce <= 2.2.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62080 Patch Status Unpatched Published Dec 31, 2025 Affected Software Live Shopping & Shoppable Videos For WooCommerce Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Logger for Elementor <= 1.0.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66146 Patch Status Unpatched Published Dec 31, 2025 Affected Software Changelog & Custom List for Elementor Researcher Phat RiO - BlueRock More Details > Meks Quick Plugin Disabler <= 1.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68083 Patch Status Unpatched Published Dec 15, 2025 Affected Software Meks Quick Plugin Disabler Researcher Nabil Irawan More Details > Mergado Pack <= 4.2.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62089 Patch Status Unpatched Published Dec 31, 2025 Affected Software Mergado Pack Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > My auctions allegro <= 3.6.33 - 
Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68567 Patch Status Unpatched Published Dec 17, 2025 Affected Software My auctions allegro Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > My Calendar <= 3.6.16 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67592 Patch Status Patched Published Dec 15, 2025 Affected Software My Calendar – Accessible Event Manager Researcher Doan Dinh Van (DinhVan52) More Details > My Sticky Elements <= 2.3.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68995 Patch Status Patched Published Dec 25, 2025 Affected Software All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Researcher daroo More Details > My Sticky Elements <= 2.3.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Bulk Lead Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14428 Patch Status Patched Published Dec 31, 2025 Affected Software All-in-one Sticky Floating Contact Form, Call, Click to Chat, and 50+ Social Icon Tabs – My Sticky Elements Researcher shark3y More Details > myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program <= 2.9.7.1 - Missing Authorization to Sensitive Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-12361 Patch Status Patched Published Dec 18, 2025 Affected Software myCred – Points Management System For Gamification, Ranks, Badges, and Loyalty Program. 
Researcher Rafshanzani Suhada More Details > Noindex by Path <= 1.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49353 Patch Status Unpatched Published Dec 31, 2025 Affected Software Noindex by Path Researcher Skalucy More Details > OpenHook <= 4.3.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62120 Patch Status Unpatched Published Dec 31, 2025 Affected Software OpenHook Researcher Nabil Irawan More Details > Order Cancellation & Returns for WooCommerce <= 1.1.10 - Authenticated (Subscriber+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49352 Patch Status Unpatched Published Dec 31, 2025 Affected Software Order Cancellation & Returns for WooCommerce Researcher Powpy More Details > Orders Chat for WooCommerce <= 1.2.0 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49356 Patch Status Unpatched Published Dec 31, 2025 Affected Software Orders Chat for WooCommerce Researcher Powpy More Details > Pardakht Delkhah <= 3.0.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62101 Patch Status Unpatched Published Dec 31, 2025 Affected Software پلاگین پرداخت دلخواه Researcher Nabil Irawan More Details > Photo Block <= 1.5.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64254 Patch Status Patched Published Dec 15, 2025 Affected Software Photo Block – A Modern Image Block With Lightbox and Caption Support Researcher Athiwat Tiprasaharn (Jitlada) More Details > Plugin Optimizer <= 1.3.7 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68861 Patch Status Unpatched Published Dec 25, 2025 Affected Software Plugin Optimizer – Speed Up Your WordPress Like Never Before Researcher Legion Hunter More Details > Poptics <= 1.0.20 - Authenticated (Contributor+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69025 Patch Status Patched Published Dec 29, 2025 Affected Software Poptics – Popup 
Builder, Email Opt-ins, Exit-Intent & WooCommerce Popups Sales Researcher daroo More Details > Popup box <= 6.0.7 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69021 Patch Status Patched Published Dec 28, 2025 Affected Software Popup Box – Create Countdown, Coupon, Video, Contact Form Popups Researcher Doan Dinh Van (DinhVan52) More Details > PopupKit <= 2.2.1 - Authenticated (Subscriber+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69026 Patch Status Unpatched Published Dec 29, 2025 Affected Software Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers Researcher daroo More Details > Portfolio Gallery <= 1.4.8 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62098 Patch Status Unpatched Published Dec 31, 2025 Affected Software Portfolio Gallery – Responsive Image Gallery Researcher Nabil Irawan More Details > Post Snippets <= 4.0.11 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-63040 Patch Status Unpatched Published Dec 31, 2025 Affected Software Post Snippets – Custom WordPress Code Snippets Customizer Researcher Nabil Irawan More Details > Post Video Players <= 1.163 - Authenticated (Contributor+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62143 Patch Status Unpatched Published Dec 31, 2025 Affected Software Cincopa video and media plug-in Researcher Nabil Irawan More Details > Premium Addons for Elementor <= 4.11.53 - Cross-Site Request Forgery via 'insert_inner_template' 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14163 Patch Status Patched Published Dec 22, 2025 Affected Software Premium Addons for Elementor – Powerful Elementor Templates & Widgets Researcher Dmitrii Ignatyev More Details > Prime Slider – Addons for Elementor <= 4.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14277 Patch Status Patched Published Dec 17, 2025 Affected 
Software Prime Slider – Addons for Elementor Researcher Deadbee More Details > Product Delivery Date for WooCommerce – Lite <= 3.2.0 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69027 Patch Status Unpatched Published Dec 29, 2025 Affected Software Product Delivery Date for WooCommerce – Lite Researcher Legion Hunter More Details > Project Manager <= 3.0.1 - Authenticated (Subscriber+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68040 Patch Status Unpatched Published Dec 26, 2025 Affected Software Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart Researcher MD ISMAIL More Details > Questionar for Elementor <= 1.1.7 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66155 Patch Status Unpatched Published Dec 31, 2025 Affected Software Questionar – FAQ Accordions for Elementor Researcher Phat RiO - BlueRock More Details > Quran Gateway <= 1.5 - Cross-Site Request Forgery to Settings Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14164 Patch Status Unpatched Published Dec 19, 2025 Affected Software Quran Gateway Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > Read More & Accordion <= 3.5.5.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64247 Patch Status Unpatched Published Dec 15, 2025 Affected Software Read More & Accordion Researcher Legion Hunter More Details > Recent Posts From Each Category <= 1.4 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49354 Patch Status Unpatched Published Dec 31, 2025 Affected Software Recent Posts From Each Category Researcher Skalucy More Details > Request a Quote <= 2.5.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64248 Patch Status Patched Published Dec 15, 2025 Affected Software Request a Quote Form Plugin – Price Quote Request Management Made Easy Researcher Legion Hunter More Details > Robots.txt rewrite <= 1.6.1 - Cross-Site Request Forgery 
4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62148 Patch Status Unpatched Published Dec 31, 2025 Affected Software Robots.txt rewrite Researcher Nabil Irawan More Details > Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) Authors' Emails Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13741 Patch Status Patched Published Dec 15, 2025 Affected Software Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories Researcher Athiwat Tiprasaharn (Jitlada) More Details > Semrush Content Toolkit <= 1.1.32 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68082 Patch Status Unpatched Published Dec 15, 2025 Affected Software Semrush Content Toolkit Researcher Nabil Irawan More Details > SensitiveTagCloud <= 1.4.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49344 Patch Status Unpatched Published Dec 31, 2025 Affected Software SensitiveTagCloud Researcher Skalucy More Details > Serial Codes Generator and Validator with WooCommerce Support <= 2.8.2 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62091 Patch Status Unpatched Published Dec 31, 2025 Affected Software Serial Codes Generator and Validator with WooCommerce Support Researcher Athiwat Tiprasaharn (Jitlada) More Details > Shortcodes and extra features for Phlox <= 2.17.14 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69016 Patch Status Unpatched Published Dec 27, 2025 Affected Software Shortcodes and extra features for Phlox theme Researcher Legion Hunter More Details > Signature Add-On for Gravity Forms <= 1.8.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62099 Patch Status Patched Published Dec 31, 2025 Affected Software Signature Add-On for Gravity Forms Researcher Nabil Irawan More Details > Simple Archive Generator <= 
5.2 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49346 Patch Status Unpatched Published Dec 31, 2025 Affected Software Simple Archive Generator Researcher Skalucy More Details > Simple File List <= 6.1.16 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68591 Patch Status Unpatched Published Dec 25, 2025 Affected Software Simple File List Researcher daroo More Details > Simple Folio <= 1.1.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64256 Patch Status Patched Published Dec 15, 2025 Affected Software Simple Folio Researcher Skalucy More Details > Simple Keyword to Link <= 1.5 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68573 Patch Status Unpatched Published Dec 17, 2025 Affected Software Simple Keyword to Link Researcher Nabil Irawan More Details > Simple Link Directory <= 8.8.3 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67465 Patch Status Patched Published Dec 15, 2025 Affected Software Simple Link Directory Researcher daroo More Details > SiteLock Security <= 5.0.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62128 Patch Status Patched Published Dec 30, 2025 Affected Software SiteLock Security – WP Hardening, Login Security & Malware Scans Researcher Legion Hunter More Details > Sliper for Elementor <= 1.0.10 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66157 Patch Status Unpatched Published Dec 31, 2025 Affected Software Sliper – Full-screen Slider for Elementor Researcher Phat RiO - BlueRock More Details > Social Profilr <= 1.0 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49343 Patch Status Unpatched Published Dec 31, 2025 Affected Software Social Profilr Researcher Skalucy More Details > Sticky Notes for WP Dashboard <= 1.2.4 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62087 Patch Status Unpatched Published Dec 31, 2025 
Affected Software Sticky Notes for WP Dashboard Researcher Legion Hunter More Details > Stratum Widgets for Elementor <= 1.6.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69013 Patch Status Patched Published Dec 27, 2025 Affected Software Stratum Widgets for Elementor Researcher benzdeus More Details > Strong Testimonials <= 3.2.18 - Missing Authorization to Authenticated (Contributor+) Rating Meta Update 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14426 Patch Status Patched Published Dec 29, 2025 Affected Software Strong Testimonials Researcher type5afe More Details > Struktur <= 2.5.1 - Authenticated (Subscriber+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-69029 Patch Status Unpatched Published Dec 29, 2025 Affected Software Struktur - Creative Agency WordPress Theme Researcher Tran Nguyen Bao Khanh More Details > Sunshine Photo Cart <= 3.5.7.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68535 Patch Status Patched Published Dec 30, 2025 Affected Software Sunshine Photo Cart: Free Client Photo Galleries for Photographers Researcher Que Thanh Tuan - Blue Rock More Details > Sweet Energy Efficiency <= 1.0.6 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Graph Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14618 Patch Status Patched Published Dec 17, 2025 Affected Software Sweet Energy Efficiency Researcher Paolo Tresso More Details > Tablesome <= 1.1.35.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68517 Patch Status Patched Published Dec 22, 2025 Affected Software Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent Researcher daroo More Details > Tasty Recipes Lite <= 1.1.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62132 Patch Status Unpatched Published Dec 31, 2025 Affected Software Tasty Recipes Lite Researcher daroo More Details > Tasty Recipes Lite <= 1.1.5 - Missing 
Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62131 Patch Status Unpatched Published Dec 31, 2025 Affected Software Tasty Recipes Lite Researcher daroo More Details > Time Slots Booking Form <= 1.2.39 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68569 Patch Status Patched Published Dec 20, 2025 Affected Software WP Time Slots Booking Form Researcher daroo More Details > TS Poll <= 2.5.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68588 Patch Status Unpatched Published Dec 22, 2025 Affected Software TS Poll – Survey, Versus Poll, Image Poll, Video Poll Researcher daroo More Details > Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14081 Patch Status Patched Published Dec 16, 2025 Affected Software Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin Researcher Boris Bogosavac More Details > UnGrabber <= 3.1.3 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66149 Patch Status Unpatched Published Dec 31, 2025 Affected Software UnGrabber Researcher Phat RiO - BlueRock More Details > UsersWP <= 1.2.48 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67593 Patch Status Patched Published Dec 15, 2025 Affected Software UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WP Researcher daroo More Details > Vimeotheque <= 2.3.5.2 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68584 Patch Status Patched Published Dec 25, 2025 Affected Software Vimeotheque – Vimeo WordPress Plugin & Video Gallery Researcher Nabil Irawan More Details > Vireo <= 1.0.24 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-62751 Patch Status Unpatched Published Dec 31, 2025 Affected Software Vireo Researcher Rooting More Details > Virusdie <= 1.1.6 - Authenticated 
(Subscriber+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68576 Patch Status Patched Published Dec 21, 2025 Affected Software Virusdie – One-click website security Researcher Nabil Irawan More Details > Virusdie <= 1.1.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68577 Patch Status Patched Published Dec 21, 2025 Affected Software Virusdie – One-click website security Researcher Nabil Irawan More Details > VPSUForm <= 3.2.24 - Authenticated (Contributor+) Information Exposure 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68551 Patch Status Patched Published Dec 23, 2025 Affected Software VPSUForm – Drag & Drop Contact Form Builder with Email Automation Researcher Athiwat Tiprasaharn (Jitlada) More Details > Walker for Elementor <= 1.1.6 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66159 Patch Status Unpatched Published Dec 31, 2025 Affected Software Google Street View for Elementor – Walker Researcher Phat RiO - BlueRock More Details > Watcher for Elementor <= 1.0.9 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66156 Patch Status Unpatched Published Dec 31, 2025 Affected Software Watcher – Flexible Video Player for Elementor Researcher Phat RiO - BlueRock More Details > Watu Quiz <= 3.4.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68587 Patch Status Patched Published Dec 17, 2025 Affected Software Watu Quiz Researcher daroo More Details > Watu Quiz <= 3.4.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-67976 Patch Status Patched Published Dec 15, 2025 Affected Software Watu Quiz Researcher daroo More Details > WCFM – Frontend Manager for WooCommerce <= 6.7.21 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-54004 Patch Status Unpatched Published Dec 15, 2025 Affected Software WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible Researcher benzdeus More Details > WCFM 
Marketplace <= 3.6.17 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-64631 Patch Status Unpatched Published Dec 15, 2025 Affected Software WCFM Marketplace – Multivendor Marketplace for WooCommerce Researcher benzdeus More Details > Web to SugarCRM Lead <= 1.0.0 - Cross-Site Request Forgery to Custom Field Deletion 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-13361 Patch Status Patched Published Dec 20, 2025 Affected Software Web to SugarCRM Lead Researcher dayea song More Details > Webba Booking <= 6.2.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66530 Patch Status Patched Published Dec 15, 2025 Affected Software Easy Appointment Booking & Scheduling System – Webba Booking Calendar Researcher daroo More Details > WING WordPress Migrator <= 1.1.9 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-52835 Patch Status Unpatched Published Dec 30, 2025 Affected Software WING WordPress Migrator Researcher Nguyen Tran Tuan Dung (domiee13) More Details > Worker for Elementor <= 1.0.10 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66144 Patch Status Unpatched Published Dec 31, 2025 Affected Software Business hours widget for Elementor – Worker Researcher Phat RiO - BlueRock More Details > Worker for WPBakery <= 1.1.1 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-66145 Patch Status Unpatched Published Dec 31, 2025 Affected Software Business Hours for WPBakery – Worker Researcher Phat RiO - BlueRock More Details > WP DB Booster <= 1.0.1 - Cross-Site Request Forgery to Database Cleanup 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-14168 Patch Status Unpatched Published Dec 19, 2025 Affected Software WP DB Booster Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > WP JobHunt <= 7.7 - Authenticated (Candidate+) Insecure Direct Object Reference 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-7733 Patch Status Unpatched Published Dec 20, 2025 Affected Software WP 
JobHunt Researcher meghnine islem More Details > WP-CalDav2ICS <= 1.3.4 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-59131 Patch Status Unpatched Published Dec 30, 2025 Affected Software WP-CalDav2ICS Researcher Muhammad Nur Ibnu Hubab (Ibnu) More Details > WP-EasyArchives <= 3.1.2 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49345 Patch Status Unpatched Published Dec 31, 2025 Affected Software WP-EasyArchives Researcher Skalucy More Details > WpStream <= 4.9.5 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68522 Patch Status Patched Published Dec 30, 2025 Affected Software WpStream – Live Streaming, Video on Demand, Pay Per View Researcher Que Thanh Tuan - Blue Rock More Details > YITH Slider for page builders <= 1.0.11 - Missing Authorization 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-68581 Patch Status Unpatched Published Dec 24, 2025 Affected Software YITH Slider for page builders Researcher Nabil Irawan More Details > Zoho ZeptoMail <= 3.3.1 - Cross-Site Request Forgery 4.3 CVSS Rating Medium (4.3) CVE-ID CVE-2025-49028 Patch Status Unpatched Published Dec 31, 2025 Affected Software Zoho ZeptoMail Researcher Nguyen Xuan Chien More Details > Health Check & Troubleshooting <= 1.7.1 - Authenticated (Admin+) Path Traversal 2.7 CVSS Rating Low (2.7) CVE-ID CVE-2025-64253 Patch Status Unpatched Published Dec 15, 2025 Affected Software Health Check & Troubleshooting Researcher PPzzAArr More Details > Migration, Backup, Staging – WPvivid Backup & Migration <= 0.9.120 - Authenticated (Admin+) Arbitrary Directory Creation 2.7 CVSS Rating Low (2.7) CVE-ID CVE-2025-12654 Patch Status Patched Published Dec 20, 2025 Affected Software Migration, Backup, Staging – WPvivid Backup & Migration Researcher blue0x1 More Details > As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence 
Intelligence. This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can. Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published. The post Wordfence Intelligence Weekly WordPress Vulnerability Report (December 15, 2025 to January 4, 2026) appeared first on Wordfence.
Source: www.wordfence.com