| CVE-2025-2158 | WordPress Review Plugin: The Ultimate Solution for Building a Review Website <= 5.3.5 - Authenticated (Contributor+) Local File Inclusion via Post Custom Fields | mythemeshop | WordPress Review Plugin: The Ultimate Solution for Building a Review Website | High | 8.8 | 2025-05-10 09:23:01 | Deep Dive |
| CVE-2025-3794 | WPForms Lite <= 1.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'start_timestamp' Parameter | smub | WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More | Medium | 5.4 | 2025-05-09 22:22:13 | Deep Dive |
| CVE-2025-4206 | WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion | trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | High | 7.2 | 2025-05-09 11:11:19 | Deep Dive |
| CVE-2025-3455 | 1 Click WordPress Migration Plugin – 100% FREE for a limited time <= 2.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Upload | 1clickmigration | 1 Click Migration & Backup: Free WordPress Migration Plugin with Zero Downtime & Easy Clone | High | 8.8 | 2025-05-09 06:42:36 | Deep Dive |
| CVE-2025-3468 | NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Stored Cross-Site Scripting | webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | Medium | 6.4 | 2025-05-08 11:13:45 | Deep Dive |
| CVE-2025-4208 | NEX-Forms – Ultimate Form Builder – Contact forms and much more <= 8.9.1 - Authenticated (Custom) Limited Code Execution via get_table_records Function | webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | Medium | 6.3 | 2025-05-08 11:13:44 | Deep Dive |
| CVE-2025-3851 | Download Manager and Payment Form WordPress Plugin – WP SmartPay 1.1.0 - 2.7.13 - Authenticated (Subscriber+) Information Exposure | themesgrove | Download Manager and Payment Form WordPress Plugin – WP SmartPay | Medium | 4.3 | 2025-05-07 01:43:07 | Deep Dive |
| CVE-2025-3815 | SurveyJS <= 1.12.32 - Authenticated (Contributor+) Stored Cross-Site Scripting via id Parameter | devsoftbaltic | SurveyJS: Drag & Drop Form Builder | Medium | 6.4 | 2025-05-03 07:22:57 | Deep Dive |
| CVE-2024-13738 | Motors - Car Dealer, Rental & Listing WordPress theme <= 5.6.65 - Unauthenticated Arbitrary Shortcode Execution | StylemixThemes | Motors - Car Dealer, Rental & Listing WordPress theme | High | 7.3 | 2025-05-03 02:21:56 | Deep Dive |
| CVE-2024-13322 | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.88 - Unauthenticated SQL Injection | scripteo | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | High | 7.5 | 2025-05-02 03:21:19 | Deep Dive |
| CVE-2025-3890 | WordPress Simple PayPal Shopping Cart <= 5.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | mra13 | Simple Shopping Cart | Medium | 6.4 | 2025-05-01 11:11:42 | Deep Dive |
| CVE-2025-3889 | WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference via 'quantity' | mra13 | Simple Shopping Cart | Medium | 5.3 | 2025-05-01 11:11:42 | Deep Dive |
| CVE-2025-3874 | WordPress Simple PayPal Shopping Cart <= 5.1.3 - Insecure Direct Object Reference | mra13 | Simple Shopping Cart | Medium | 6.5 | 2025-05-01 11:11:42 | Deep Dive |
| CVE-2025-3521 | Team Members – Best WordPress Team Plugin with Team Slider, Team Showcase & Team Builder <= 3.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | wpspeedo | Team Members Showcase | Medium | 6.4 | 2025-05-01 06:40:16 | Deep Dive |
| CVE-2025-3952 | Projectopia – WordPress Project Management <= 5.1.16 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Option Deletion | projectopia | Projectopia – Project Management Tool | High | 8.1 | 2025-05-01 04:22:58 | Deep Dive |
| CVE-2025-3452 | SecuPress Free <= 2.3.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation | secupress | SecuPress with Simple SSL – Simple and Performant Security | Medium | 4.3 | 2025-04-29 08:21:44 | Deep Dive |
| CVE-2025-0627 | AI Autotagger < 3.30.0 - Admin+ Stored XSS | Unknown | WordPress Tag, Category, and Taxonomy Manager | - | - | 2025-04-28 06:00:03 | Deep Dive |
| CVE-2025-2101 | Edumall <= 4.2.4 - Unauthenticated Local File Inclusion | ThemeMove | EduMall - Professional LMS Education Center WordPress Theme | High | 8.1 | 2025-04-26 08:23:21 | Deep Dive |
| CVE-2025-2801 | Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution | dorinabc | Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress | High | 7.3 | 2025-04-26 03:24:24 | Deep Dive |
| CVE-2025-3912 | WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure | westguard | WS Form LITE – Drag & Drop Contact Form Builder | Medium | 5.3 | 2025-04-25 11:12:52 | Deep Dive |