| CVE ID | Title | Developer | Software | Severity | CVSS | Date | Details |
|---|---|---|---|---|---|---|---|
| CVE-2025-11456 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Unauthenticated Arbitrary File Upload | elextensions | ELEX WordPress HelpDesk & Customer Ticketing System | Critical | 9.8 | 2025-11-21 07:31:54 | Deep Dive |
| CVE-2025-11770 | BrightTALK WordPress Shortcode <= 2.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | billybigpotatoes | BrightTALK WordPress Shortcode | Medium | 6.4 | 2025-11-21 07:31:50 | Deep Dive |
| CVE-2025-12894 | Import WP – Export and Import CSV and XML files to WordPress <= 2.14.17 - Unauthenticated Information Exposure | jcollings | Import WP – Export and Import CSV and XML files to WordPress | Medium | 5.3 | 2025-11-21 07:31:49 | Deep Dive |
| CVE-2025-12169 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.0 - Missing Authorization to Authenticated (Subscriber+) to Scheduled Trigger Deletion | elextensions | ELEX WordPress HelpDesk & Customer Ticketing System | Medium | 4.3 | 2025-11-21 05:32:08 | Deep Dive |
| CVE-2025-12022 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Restore | elextensions | ELEX WordPress HelpDesk & Customer Ticketing System | Medium | 4.3 | 2025-11-21 05:32:06 | Deep Dive |
| CVE-2025-12023 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Ticket Restore | elextensions | ELEX WordPress HelpDesk & Customer Ticketing System | Medium | 4.3 | 2025-11-21 05:32:06 | Deep Dive |
| CVE-2025-12085 | ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Trash Empty | elextensions | ELEX WordPress HelpDesk & Customer Ticketing System | Medium | 4.3 | 2025-11-21 05:32:06 | Deep Dive |
| CVE-2025-11368 | LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.3 | 2025-11-21 05:32:05 | Deep Dive |
| CVE-2025-5092 | Multiple Plugins and Themes <= (Various Versions) - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting via lightGallery JavaScript Library | lightgalleryteam | LightGallery WP | Medium | 6.4 | 2025-11-20 06:38:42 | Deep Dive |
| CVE-2025-12778 | Ultimate Member Widgets for Elementor <= 2.3 - Missing Authorization to Unauthenticated Information Exposure | userelements | Ultimate Member Widgets for Elementor – WordPress User Directory | Medium | 5.3 | 2025-11-20 04:37:14 | Deep Dive |
| CVE-2025-13145 | WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import | smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress | High | 7.2 | 2025-11-19 05:45:13 | Deep Dive |
| CVE-2025-12751 | WSChat – WordPress Live Chat <= 3.1.6 - Missing Authorization to Authenticated (Subscriber+) Settings Reset | elextensions | WSChat – WordPress Live Chat | Medium | 4.3 | 2025-11-19 05:45:11 | Deep Dive |
| CVE-2025-12842 | Booking Plugin for WordPress Appointments – Time Slot <= 1.4.7 - Unauthenticated Arbitrary Email Sending | timeslotplugins | Time Slot – Booking and Appointment System | Medium | 5.3 | 2025-11-19 05:45:10 | Deep Dive |
| CVE-2025-12349 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 5.3 | 2025-11-19 04:28:19 | Deep Dive |
| CVE-2025-11427 | WP Migrate Lite <= 2.7.6 - Unauthenticated Blind Server-Side Request Forgery | wpengine | WP Migrate Lite – Migration Made Easy | Medium | 5.8 | 2025-11-18 11:00:48 | Deep Dive |
| CVE-2025-12377 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions | smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | Medium | 4.3 | 2025-11-13 11:29:03 | Deep Dive |
| CVE-2025-64259 | WordPress Theater for WordPress plugin <= 0.18.8 - Broken Access Control vulnerability | Jeroen Schmit | Theater for WordPress | Medium | 5.3 | 2025-11-13 09:24:27 | Deep Dive |
| CVE-2025-11769 | WordPress Content Flipper <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | aumsrini | WordPress Content Flipper | Medium | 6.4 | 2025-11-13 08:27:48 | Deep Dive |
| CVE-2025-10295 | Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting | kayapati | Angel – Fashion Model Agency WordPress CMS Theme | Medium | 6.4 | 2025-11-13 08:27:47 | Deep Dive |
| CVE-2025-12733 | Import any XML, CSV or Excel File to WordPress (WP All Import) <= 3.9.6 - Authenticated (Administrator+) Remote Code Execution via Conditional Logic | wpallimport | WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets | High | 8.8 | 2025-11-13 03:27:39 | Deep Dive |