| CVE | Title | Author | Product | Severity | CVSS | Date | Report |
|---|---|---|---|---|---|---|---|
| CVE-2025-6990 | Kallyas <= 4.24.0 - Authenticated (Contributor+) Remote Code Execution | hogash | KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme | High | 8.8 | 2025-11-01 07:30:03 | Deep Dive |
| CVE-2025-12137 | Import WP – Export and Import CSV and XML files to WordPress <= 2.14.16 - Authenticated (Admin+) Arbitrary File Read | jcollings | Import WP – Export and Import CSV and XML files to WordPress | Medium | 4.9 | 2025-11-01 06:40:40 | Deep Dive |
| CVE-2025-11816 | Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect | wplegalpages | Privacy Policy Generator – WPLP Legal Pages | Medium | 5.3 | 2025-11-01 01:47:40 | Deep Dive |
| CVE-2025-12094 | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) <= 1.2.53 - Unauthenticated IP Header Spoofing | oopspam | OOPSpam Anti-Spam: Spam Protection for WordPress Forms & Comments (No CAPTCHA) | Medium | 5.3 | 2025-10-31 08:25:55 | Deep Dive |
| CVE-2025-7846 | WordPress User Extra Fields <= 16.7 - Authenticated (Subscriber+) Arbitrary File Deletion via save_fields Function | vanquish | WordPress User Extra Fields | High | 8.8 | 2025-10-31 06:42:56 | Deep Dive |
| CVE-2025-11975 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation | fusewp | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | Medium | 4.3 | 2025-10-31 02:26:04 | Deep Dive |
| CVE-2025-10008 | Translate WordPress and go Multilingual – Weglot <= 5.1 - Missing Authorization to Unauthenticated Limited Transient Deletion | remyb92 | Translate WordPress with Weglot – Multilingual AI Translation | Medium | 5.3 | 2025-10-30 05:28:28 | Deep Dive |
| CVE-2025-11587 | Call Now Button <= 1.5.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Settings Update | jgrietveld | Call Now Button – The #1 Click to Call Button for WordPress | Medium | 4.3 | 2025-10-29 12:31:52 | Deep Dive |
| CVE-2025-11632 | Call Now Button <= 1.5.4 - Authenticated (Subscriber+) Missing Authorization to Multiple Functions | jgrietveld | Call Now Button – The #1 Click to Call Button for WordPress | Medium | 4.3 | 2025-10-29 12:31:51 | Deep Dive |
| CVE-2025-60075 | WordPress hpb seo plugin for WordPress plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) vulnerability | Allegro Marketing | hpb seo plugin for WordPress | - | - | 2025-10-29 08:38:03 | Deep Dive |
| CVE-2025-4665 | WordPress plugin Contact Form CFDB7 Security Vulnerability | WordPress Contact Form 7 Database Addon CFDB7 By Arshid | CFDB7 | Critical | 9.6 | 2025-10-28 23:54:29 | Deep Dive |
| CVE-2025-62987 | WordPress Builderall Builder for WordPress plugin <= 3.0.1 - Cross Site Scripting (XSS) vulnerability | Builderall | Builderall Builder for WordPress | - | - | 2025-10-27 01:34:22 | Deep Dive |
| CVE-2025-11897 | The7 — Ultimate WordPress & WooCommerce Theme <= 12.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css' | Dream-Theme | The7 — Website and eCommerce Builder for WordPress | Medium | 6.4 | 2025-10-25 12:26:29 | Deep Dive |
| CVE-2025-11976 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation | fusewp | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | Medium | 4.3 | 2025-10-25 06:49:25 | Deep Dive |
| CVE-2025-8483 | Discussion Board – WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | marketingfire | Discussion Board – WordPress Forum Plugin | Medium | 6.3 | 2025-10-25 06:49:24 | Deep Dive |
| CVE-2025-11893 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection | smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | Medium | 6.5 | 2025-10-25 06:49:22 | Deep Dive |
| CVE-2025-12005 | WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update | rextheme | WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress | Medium | 4.3 | 2025-10-25 05:31:23 | Deep Dive |
| CVE-2025-8413 | Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode | purethemes | Listeo - Directory & Listings With Booking - WordPress Theme | Medium | 6.4 | 2025-10-25 05:31:19 | Deep Dive |
| CVE-2025-10579 | BackWPup <= 5.5.0 - Missing Authorization to Sensitive Information Exposure | wp_media | BackWPup – WordPress Backup & Restore Plugin | Medium | 5.3 | 2025-10-25 04:22:44 | Deep Dive |
| CVE-2025-10749 | Microsoft Azure Storage for WordPress <= 4.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Media Deletion | 10up | Microsoft Azure Storage for WordPress | Medium | 5.4 | 2025-10-24 08:24:05 | Deep Dive |