| CVE | Title | Author | Software | Severity | CVSS | Date | Link |
|---|---|---|---|---|---|---|---|
| CVE-2025-13956 | LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.3 | 2025-12-16 04:31:35 | Deep Dive |
| CVE-2025-14387 | LearnPress – WordPress LMS Plugin <= 4.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 6.4 | 2025-12-15 15:30:55 | Deep Dive |
| CVE-2025-14156 | Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder' | ays-pro | Fox LMS – WordPress LMS Plugin | Critical | 9.8 | 2025-12-15 14:25:13 | Deep Dive |
| CVE-2025-13728 | FluentAuth - Auth Security Plugin <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluent_auth_reset_password' Shortcode | techjewel | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress | Medium | 6.4 | 2025-12-15 14:25:12 | Deep Dive |
| CVE-2025-10738 | URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection | rupok98 | URL Shortener Plugin For WordPress | Critical | 9.8 | 2025-12-13 06:33:56 | Deep Dive |
| CVE-2025-12348 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 5.3 | 2025-12-12 09:20:29 | Deep Dive |
| CVE-2025-14162 | BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion | magblogapi | BMLT WordPress Satellite | Medium | 4.3 | 2025-12-12 03:20:37 | Deep Dive |
| CVE-2025-12577 | Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Listing Update | passionui | Listar – Directory Listing & Classifieds WordPress Plugin | Medium | 4.3 | 2025-12-06 05:49:31 | Deep Dive |
| CVE-2025-12574 | Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion | passionui | Listar – Directory Listing & Classifieds WordPress Plugin | Medium | 4.3 | 2025-12-06 05:49:25 | Deep Dive |
| CVE-2025-13006 | SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Unauthenticated Information Exposure | wpeka-club | SurveyFunnel – Survey Plugin for WordPress | Medium | 5.3 | 2025-12-05 04:29:13 | Deep Dive |
| CVE-2025-12417 | SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | wpeka-club | SurveyFunnel – Survey Plugin for WordPress | Medium | 6.4 | 2025-12-05 04:29:11 | Deep Dive |
| CVE-2025-10304 | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.3.8 - Missing Authorization to Unauthenticated Backup Failure | everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | Medium | 5.3 | 2025-12-03 03:27:15 | Deep Dive |
| CVE-2025-13697 | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library <= 2.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via `timestamp` Attribute | wpblockart | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks, WordPress Block Plugin, Sections & Template Library | Medium | 6.4 | 2025-12-02 01:51:57 | Deep Dive |
| CVE-2024-14015 | Studiocart <= 2.9.0 - Reflected XSS | Unknown | WordPress eCommerce Plugin | - | - | 2025-11-24 06:00:03 | Deep Dive |
| CVE-2025-7402 | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager <= 4.95 - Unauthenticated SQL Injection via site_id | scripteo | Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager | High | 7.5 | 2025-11-24 04:36:41 | Deep Dive |
| CVE-2025-11368 | LearnPress – WordPress LMS Plugin <= 4.2.9.4 - Missing Authorization to Unauthenticated Arbitrary Callback Execution to Information Exposure | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.3 | 2025-11-21 05:32:05 | Deep Dive |
| CVE-2025-12842 | Booking Plugin for WordPress Appointments – Time Slot <= 1.4.7 - Unauthenticated Arbitrary Email Sending | timeslotplugins | Time Slot – Booking and Appointment System | Medium | 5.3 | 2025-11-19 05:45:10 | Deep Dive |
| CVE-2025-12349 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 5.3 | 2025-11-19 04:28:19 | Deep Dive |
| CVE-2025-12377 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.12.0 - Missing Authorization to Authenticated (Author+) Multiple Gallery Actions | smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | Medium | 4.3 | 2025-11-13 11:29:03 | Deep Dive |
| CVE-2025-11457 | EasyCommerce – AI-Powered, Blazing-Fast & Beautiful WordPress Ecommerce Plugin 0.9.0-beta2 - 1.8.2 - Unauthenticated Privilege Escalation | easycommerce | EasyCommerce – AI-Powered WordPress Ecommerce Plugin to Sell Digital Products, Subscriptions & Physical Goods | Critical | 9.8 | 2025-11-11 03:30:43 | Deep Dive |