| CVE-2025-14976 | User Registration & Membership <= 4.4.8 - Cross-Site Request Forgery to Arbitrary Post Deletion | wpeverest | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | Medium | 5.4 | 2026-01-10 08:22:57 | Deep Dive |
| CVE-2025-13419 | Guest posting / Frontend Posting / Front Editor – WP Front User Submit <= 5.0.0 - Missing Authorization to Unauthenticated Media Deletion | aharonyan | Guest posting / Frontend Posting / Front Editor – WP Front User Submit | Medium | 5.3 | 2026-01-07 09:21:00 | Deep Dive |
| CVE-2025-11877 | User Activity Log <= 2.2 - Unauthenticated Limited Options Update via Failed Login | solwininfotech | User Activity Log | High | 7.5 | 2026-01-07 08:21:50 | Deep Dive |
| CVE-2025-12449 | aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification | kodezen | aBlocks – Gutenberg Blocks, User Dashboard Builder, Popup Builder, Form Builder & Animation Builder | Medium | 5.4 | 2026-01-07 07:17:34 | Deep Dive |
| CVE-2025-14888 | Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field | anjan011 | Simple User Meta Editor | Medium | 4.4 | 2026-01-07 06:36:01 | Deep Dive |
| CVE-2025-14047 | WP User Frontend <= 4.2.4 - Missing Authorization to Unauthenticated Arbitrary Attachment Deletion | wedevs | User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration | Medium | 5.3 | 2026-01-02 01:48:20 | Deep Dive |
| CVE-2025-62096 | WordPress Maximum Products per User for WooCommerce plugin <= 4.4.3 - Cross Site Scripting (XSS) vulnerability | WPFactory | Maximum Products per User for WooCommerce | Medium | 6.5 | 2025-12-31 13:12:18 | Deep Dive |
| CVE-2025-62749 | WordPress User Specific Content plugin <= 1.0.6 - Cross Site Scripting (XSS) vulnerability | Bainternet | User Specific Content | Medium | 6.5 | 2025-12-31 11:59:32 | Deep Dive |
| CVE-2025-68583 | WordPress Fast User Switching plugin <= 1.4.10 - Cross Site Request Forgery (CSRF) vulnerability | Tikweb Management | Fast User Switching | Medium | 4.3 | 2025-12-24 13:10:41 | Deep Dive |
| CVE-2025-68509 | WordPress User Submitted Posts plugin <= 20251121 - Open Redirection vulnerability | Jeff Starr | User Submitted Posts | Medium | 4.7 | 2025-12-24 12:31:21 | Deep Dive |
| CVE-2025-68496 | WordPress User Feedback plugin <= 1.10.0 - SQL Injection vulnerability | Syed Balkhi | User Feedback | High | 7.6 | 2025-12-24 12:31:20 | Deep Dive |
| CVE-2025-13220 | Ultimate Member <= 2.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | ultimatemember | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | Medium | 6.4 | 2025-12-21 03:20:06 | Deep Dive |
| CVE-2025-12492 | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin <= 2.11.0 - Unauthenticated Sensitive Information Exposure | ultimatemember | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | Medium | 5.3 | 2025-12-20 08:22:10 | Deep Dive |
| CVE-2025-14081 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Profile Privacy Setting Bypass | ultimatemember | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | Medium | 4.3 | 2025-12-17 18:21:36 | Deep Dive |
| CVE-2025-13217 | Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value' | ultimatemember | Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin | Medium | 6.4 | 2025-12-17 18:21:35 | Deep Dive |
| CVE-2025-13880 | WP Social Ninja - Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 4.0.1 - Missing Authorization to Unauthenticated Plugin's Settings Disclosure And Modification | adreastrian | WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets | Medium | 6.5 | 2025-12-17 04:31:31 | Deep Dive |
| CVE-2025-68080 | WordPress User Avatar - Reloaded plugin <= 1.2.2 - Cross Site Scripting (XSS) vulnerability | Saad Iqbal | User Avatar - Reloaded | - | - | 2025-12-16 08:13:05 | Deep Dive |
| CVE-2025-13610 | RegistrationMagic <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode | metagauss | RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login | Medium | 6.4 | 2025-12-15 14:25:11 | Deep Dive |
| CVE-2025-13367 | User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin <= 4.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes | wpeverest | User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder | Medium | 6.4 | 2025-12-15 14:25:10 | Deep Dive |
| CVE-2025-13320 | WP User Manager <= 2.9.12 - Authenticated (Subscriber+) Arbitrary File Deletion via 'current_user_avatar' Parameter | wpusermanager | WP User Manager – User Profile Builder & Membership | Medium | 6.8 | 2025-12-12 03:20:51 | Deep Dive |