| CVE-2025-13856 | Extra Post Images <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | michaelcole1991 | Extra Post Images | Medium | 6.4 | 2025-12-06 05:49:33 | Deep Dive |
| CVE-2025-12826 | Custom Post Type UI <= 1.18.0 - Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification | webdevstudios | Custom Post Type UI | Medium | 4.8 | 2025-12-04 06:48:41 | Deep Dive |
| CVE-2025-12887 | Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 - Missing Authorization to Authenticated (Subscriber+) OAuth Token Update | saadiqbal | Post SMTP – Complete Email Deliverability and SMTP Solution with Email Logs, Alerts, Backup SMTP & Mobile App | Medium | 5.4 | 2025-12-03 12:29:54 | Deep Dive |
| CVE-2025-12649 | SortTable Post <= 4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | sscovil | SortTable Post | Medium | 6.4 | 2025-11-27 02:26:14 | Deep Dive |
| CVE-2025-13405 | Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter | buywptemplates | Ace Post Type Builder | Medium | 5.3 | 2025-11-25 07:28:25 | Deep Dive |
| CVE-2025-13404 | atec Duplicate Page & Post <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure | docjojo | atec Duplicate Page & Post | Medium | 5.3 | 2025-11-25 07:28:24 | Deep Dive |
| CVE-2025-13558 | Blog2Social <= 8.7.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Trashing | pr-gateway | Blog2Social: Social Media Auto Post & Scheduler | Medium | 5.4 | 2025-11-25 04:38:00 | Deep Dive |
| CVE-2025-66106 | WordPress Featured Post Creative plugin <= 1.5.5 - Broken Access Control vulnerability | Essential Plugin | Featured Post Creative | Medium | 4.3 | 2025-11-21 12:30:04 | Deep Dive |
| CVE-2025-12066 | WP Delete Post Copies <= 6.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting | etruel | WP Delete Post Copies | Medium | 4.4 | 2025-11-21 09:27:01 | Deep Dive |
| CVE-2025-13149 | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories <= 4.9.1 - Authenticated (Author+) Missing Authorization to Post/Page Status Modification | publishpress | Schedule Post Changes With PublishPress Future: Unpublish, Delete, Change Status, Trash, Change Categories | Medium | 4.3 | 2025-11-21 08:28:13 | Deep Dive |
| CVE-2025-13142 | Custom Post Type <= 1.0 - Cross-Site Request Forgery to Custom Post Type Deletion | farvehandleren | Custom Post Type | Medium | 4.3 | 2025-11-21 07:31:51 | Deep Dive |
| CVE-2025-12349 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 5.3 | 2025-11-19 04:28:19 | Deep Dive |
| CVE-2025-12524 | Post Type Switcher <= 4.0.0 - Insecure Direct Object Reference to Authenticated (Author+) Post Type Change | johnjamesjacoby | Post Type Switcher | Medium | 5.4 | 2025-11-18 06:43:10 | Deep Dive |
| CVE-2025-12813 | Holiday class post calendar <= 7.1 - Unauthenticated Remote Code Execution via 'contents' | strix-bubol5 | Holiday class post calendar | Critical | 9.8 | 2025-11-11 03:30:43 | Deep Dive |
| CVE-2025-11967 | Mail Mint <= 1.18.10 - Authenticated (Admin+) Arbitrary File Upload | getwpfunnels | Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | High | 7.2 | 2025-11-08 09:28:12 | Deep Dive |
| CVE-2025-12527 | Page & Post Notes <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Note Update/Deletion | yydevelopment | Page & Post Notes | Medium | 4.3 | 2025-11-07 05:29:58 | Deep Dive |
| CVE-2025-64224 | WordPress Grand Conference Theme Custom Post Type plugin < 2.6.4 - Cross Site Scripting (XSS) vulnerability | ThemeGoods | Grand Conference Theme Custom Post Type | Medium | - | 2025-11-06 15:56:10 | Deep Dive |
| CVE-2025-12560 | Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Authenticated (Subscriber+) Blind Server-Side Request Forgery via post_url | pr-gateway | Blog2Social: Social Media Auto Post & Scheduler | Medium | 4.3 | 2025-11-06 05:31:25 | Deep Dive |
| CVE-2025-12563 | Blog2Social: Social Media Auto Post & Scheduler <= 8.6.0 - Incorrect Authorization to Video File Upload | pr-gateway | Blog2Social: Social Media Auto Post & Scheduler | Medium | 4.3 | 2025-11-06 04:36:22 | Deep Dive |
| CVE-2025-11373 | Popup and Slider Builder by Depicter – Add Email collecting Popup, Popup Modal, Coupon Popup, Image Slider, Carousel Slider, Post Slider Carousel <= 4.0.4 - Missing Authorization to Authenticated (Contributor+) Safe File Type Upload | averta | Depicter — Popup & Slider Builder | Medium | 4.3 | 2025-11-05 06:35:01 | Deep Dive |