| CVE ID | Title | Author | Plugin | Severity | CVSS Score | Date | Details |
|---|---|---|---|---|---|---|---|
| CVE-2025-12644 | Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress <= 1.0.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Fields | wpcox | Nonaki – Drag and Drop Email Template builder and Newsletter plugin for WordPress | Medium | 6.4 | 2025-11-11 03:30:38 | Deep Dive |
| CVE-2025-11448 | Gallery Plugin for WordPress – Envira Photo Gallery <= 1.11.0 - Missing Authorization to Authenticated (Contributor+) Gallery Conversion | smub | Envira Gallery – Image Photo Gallery, Albums, Video Gallery, Slideshows & More | Medium | 4.3 | 2025-11-08 09:28:11 | Deep Dive |
| CVE-2025-12099 | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution <= 3.3.8 - Authenticated (Administrator+) PHP Object Injection via 'import_all_courses' | kodezen | Academy LMS – WordPress LMS Plugin for Complete eLearning Solution | High | 7.2 | 2025-11-08 08:27:41 | Deep Dive |
| CVE-2025-12125 | HTML Forms <= 1.5.5 - Authenticated (Admin+) Stored Cross-Site Scripting | linksoftware | HTML Forms – Simple WordPress Forms Plugin | Medium | 4.4 | 2025-11-08 03:27:51 | Deep Dive |
| CVE-2025-60190 | WordPress Immocaster WordPress Plugin plugin <= 1.3.6 - Local File Inclusion vulnerability | Hinnerk Altenburg | Immocaster WordPress Plugin | High | 8.1 | 2025-11-06 15:54:48 | Deep Dive |
| CVE-2025-11816 | Privacy Policy Generator, Terms & Conditions Generator WordPress Plugin : WP Legal Pages <= 3.5.1 - Missing Authorization to Unauthenticated API Disconnect | wplegalpages | Privacy Policy Generator – WPLP Legal Pages | Medium | 5.3 | 2025-11-01 01:47:40 | Deep Dive |
| CVE-2025-60075 | WordPress hpb seo plugin for WordPress plugin <= 3.0.1 - Cross Site Request Forgery (CSRF) vulnerability | Allegro Marketing | hpb seo plugin for WordPress | - | - | 2025-10-29 08:38:03 | Deep Dive |
| CVE-2025-8483 | Discussion Board – WordPress Forum Plugin <= 2.5.5 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | marketingfire | Discussion Board – WordPress Forum Plugin | Medium | 6.3 | 2025-10-25 06:49:24 | Deep Dive |
| CVE-2025-11893 | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More <= 1.8.8.4 - Authenticated (Subscriber+) SQL Injection | smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | Medium | 6.5 | 2025-10-25 06:49:22 | Deep Dive |
| CVE-2025-10579 | BackWPup <= 5.5.0 - Missing Authorization to Sensitive Information Exposure | wp_media | BackWPup – WordPress Backup & Restore Plugin | Medium | 5.3 | 2025-10-25 04:22:44 | Deep Dive |
| CVE-2025-10701 | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin <= 1.3.1 - Authenticated (Custom+) Stored Cross-Site Scripting | scottpaterson | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin | Medium | 6.4 | 2025-10-24 08:23:58 | Deep Dive |
| CVE-2025-10740 | URL Shortener Plugin For WordPress <= 3.0.7 - Missing Authorization to Authenticated (Subscriber+) Link Manipulation | rupok98 | URL Shortener Plugin For WordPress | Medium | 6.3 | 2025-10-24 08:23:57 | Deep Dive |
| CVE-2025-49960 | WordPress LeadBI Plugin for WordPress plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability | leadbi | LeadBI Plugin for WordPress | - | - | 2025-10-22 14:32:21 | Deep Dive |
| CVE-2025-11372 | LearnPress – WordPress LMS Plugin <= 4.2.9.3 - Missing Authorization to Unauthenticated Database Table Manipulation | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 6.5 | 2025-10-18 06:42:49 | Deep Dive |
| CVE-2025-10187 | GSpeech TTS – WordPress Text To Speech Plugin <= 3.17.13 - Authenticated (Admin+) SQL injection | creative-solutions-1 | GSpeech TTS – WordPress Text To Speech Plugin | Medium | 4.9 | 2025-10-18 06:42:45 | Deep Dive |
| CVE-2025-6042 | Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Unauthenticated Privilege Escalation to Editor | pebas | Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme | High | 7.3 | 2025-10-15 05:23:49 | Deep Dive |
| CVE-2011-10033 | WordPress Plugin is-human <= v1.4.2 Eval Injection RCE | is-human WordPress Plugin | is-human WordPress Plugin | - | - | 2025-10-15 01:23:47 | Deep Dive |
| CVE-2025-10185 | NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.6 - Authenticated (Admin+) SQL Injection | webaways | NEX-Forms – Ultimate Forms Plugin for WordPress | Medium | 4.9 | 2025-10-11 07:25:58 | Deep Dive |
| CVE-2025-11380 | Everest Backup <= 2.3.5 - Missing Authorization to Unauthenticated Information Exposure | everestthemes | Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin | Medium | 5.9 | 2025-10-11 02:24:52 | Deep Dive |
| CVE-2025-6038 | Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Authenticated (Subscriber+) Privilege Escalation | pebas | Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme | High | 8.8 | 2025-10-09 03:23:30 | Deep Dive |