| CVE-2025-12732 | WP Import – Ultimate CSV XML Importer for WordPress <= 7.33 - Missing Authorization to Authenticated (Author+) Sensitive Information Exposure | smackcoders | WP Ultimate CSV Importer – Import CSV, XML & Excel into WordPress | Medium | 4.3 | 2025-11-12 08:28:04 | Deep Dive |
| CVE-2025-12651 | Live Photos on WordPress <= 0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | eggemplo | Live Photos on WordPress | Medium | 6.4 | 2025-11-11 03:30:53 | Deep Dive |
| CVE-2025-11457 | EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation | easycommerce | EasyCommerce – AI-Powered WordPress Ecommerce Plugin to Sell Digital Products, Subscriptions & Physical Goods | Critical | 9.8 | 2025-11-11 03:30:43 | Deep Dive |
| CVE-2025-12644 | Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields | wpcox | Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress | Medium | 6.4 | 2025-11-11 03:30:38 | Deep Dive |
| CVE-2025-11448 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion | smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | Medium | 4.3 | 2025-11-08 09:28:11 | Deep Dive |
| CVE-2025-12099 | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' | kodezen | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | High | 7.2 | 2025-11-08 08:27:41 | Deep Dive |
| CVE-2025-12125 | HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting | linksoftware | HTML Forms – Simple WordPress Forms Plugin | Medium | 4.4 | 2025-11-08 03:27:51 | Deep Dive |
| CVE-2025-12000 | WPFunnels <= 3.6.2 - Authenticated (Administrator+) Arbitrary File Deletion via Path Traversal | getwpfunnels | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | Medium | 6.5 | 2025-11-08 03:27:50 | Deep Dive |
| CVE-2025-12353 | WPFunnels <= 3.6.2 - Unauthorized User Registration | getwpfunnels | WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell | Medium | 5.3 | 2025-11-08 03:27:47 | Deep Dive |
| CVE-2025-60199 | WordPress InHype - Blog & Magazine WordPress Theme theme <= 1.5.2 - Local File Inclusion vulnerability | dedalx | InHype - Blog & Magazine WordPress Theme | High | 8.1 | 2025-11-06 15:54:57 | Deep Dive |
| CVE-2025-60198 | WordPress Saxon - Viral Content Blog & Magazine Marketing WordPress Theme theme <= 1.9.3 - Local File Inclusion vulnerability | dedalx | Saxon - Viral Content Blog & Magazine Marketing WordPress Theme | Medium | - | 2025-11-06 15:54:56 | Deep Dive |
| CVE-2025-60190 | WordPress Immocaster WordPress Plugin plugin <= 1.3.6 - Local File Inclusion vulnerability | Hinnerk Altenburg | Immocaster WordPress Plugin | High | 8.1 | 2025-11-06 15:54:48 | Deep Dive |
| CVE-2025-48090 | WordPress Blanka - One Page WordPress Theme Theme < 1.5 - Local File Inclusion Vulnerability | CocoBasic | Blanka - One Page WordPress Theme | High | 8.1 | 2025-11-06 15:53:44 | Deep Dive |
| CVE-2025-48089 | WordPress Education WordPress Theme \| HiStudy theme < 3.1.0 - SQL Injection vulnerability | Rainbow-Themes | Education WordPress Theme \| HiStudy | Critical | 9.3 | 2025-11-06 15:53:43 | Deep Dive |
| CVE-2025-22288 | WordPress Smush Image Compression and Optimization plugin <= 3.17.0 - Directory Traversal vulnerability | WPMU DEV - Your All-in-One WordPress Platform | Smush Image Compression and Optimization | Medium | - | 2025-11-06 15:53:18 | Deep Dive |
| CVE-2025-12469 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending | amans2k | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | Medium | 4.3 | 2025-11-05 09:27:40 | Deep Dive |
| CVE-2025-12468 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure | amans2k | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | Medium | 5.3 | 2025-11-05 09:27:39 | Deep Dive |
| CVE-2025-12580 | SMS for WordPress <= 1.1.8 - Reflected Cross-Site Scripting | stanleychoi | SMS for WordPress | Medium | 6.1 | 2025-11-05 03:27:57 | Deep Dive |
| CVE-2025-12324 | TablePress – Tables in WordPress made easy <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | tobiasbg | TablePress – Tables in WordPress made easy | Medium | 6.4 | 2025-11-04 02:26:55 | Deep Dive |
| CVE-2025-6988 | Kallyas <= 4.23.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | hogash | KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme | Medium | 6.4 | 2025-11-01 07:30:05 | Deep Dive |