| CVE-2025-12165 | Webcake – Landing Page Builder <= 1.1 - Missing Authorization to Authenticated (Subscriber+) Settings Update | huyme | Webcake – Landing Page Builder | Medium | 4.3 | 2025-12-05 05:31:22 | Deep Dive |
| CVE-2025-12782 | Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Builder Status Tampering | beaverbuilder | Beaver Builder Page Builder – Drag and Drop Website Builder | Medium | 4.3 | 2025-12-04 06:48:40 | Deep Dive |
| CVE-2025-11726 | Beaver Builder – WordPress Page Builder <= 2.9.4 - Missing Authorization to Authenticated (Contributor+) Global Preset Modification | beaverbuilder | Beaver Builder Page Builder – Drag and Drop Website Builder | Medium | 4.3 | 2025-12-02 07:24:31 | Deep Dive |
| CVE-2025-13697 | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via `timestamp` Attribute | wpblockart | BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | Medium | 6.4 | 2025-12-02 01:51:57 | Deep Dive |
| CVE-2025-13404 | atec Duplicate Page & Post <= 1.2.20 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Duplication and Data Exposure | docjojo | atec Duplicate Page & Post | Medium | 5.3 | 2025-11-25 07:28:24 | Deep Dive |
| CVE-2025-66057 | WordPress Bold Page Builder plugin <= 5.5.2 - Cross Site Scripting (XSS) vulnerability | boldthemes | Bold Page Builder | Medium | 6.5 | 2025-11-21 12:29:54 | Deep Dive |
| CVE-2025-12481 | WP Duplicate Page <= 1.7 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure | ninjateam | WP Duplicate Page | Medium | 4.3 | 2025-11-18 09:27:38 | Deep Dive |
| CVE-2025-12366 | Page Builder: Pagelayer – Drag and Drop website builder <= 2.0.5 - Authenticated (Author+) Insecure Direct Object Reference | softaculous | Page Builder: Pagelayer – Drag and Drop website builder | Medium | 4.3 | 2025-11-13 03:27:37 | Deep Dive |
| CVE-2025-12132 | WP Custom Admin Login Page Logo <= 1.4.8.4 - Cross-Site Request Forgery to Settings Update | larsactionhero | WP Custom Admin Login Page Logo | Medium | 4.3 | 2025-11-11 03:30:41 | Deep Dive |
| CVE-2025-12527 | Page & Post Notes <= 1.3.4 - Missing Authorization to Authenticated (Subscriber+) Note Update/Deletion | yydevelopment | Page & Post Notes | Medium | 4.3 | 2025-11-07 05:29:58 | Deep Dive |
| CVE-2025-48090 | WordPress Blanka - One Page WordPress Theme Theme < 1.5 - Local File Inclusion Vulnerability | CocoBasic | Blanka - One Page WordPress Theme | High | 8.1 | 2025-11-06 15:53:44 | Deep Dive |
| CVE-2025-12045 | Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy | themeisle | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | Medium | 6.4 | 2025-11-04 11:19:28 | Deep Dive |
| CVE-2025-11841 | Greenshift – animation and page builder blocks <= 12.2.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Chart Data Attributes | wpsoul | Greenshift – animation and page builder blocks | Medium | 6.4 | 2025-11-04 01:50:26 | Deep Dive |
| CVE-2025-11927 | Flying Images: Optimize and Lazy Load Images for Faster Page Speed <= 2.4.14 - Authenticated (Admin+) Stored Cross-Site Scripting | gijo | Flying Images: Optimize and Lazy Load Images for Faster Page Speed | Medium | 4.4 | 2025-11-01 04:27:43 | Deep Dive |
| CVE-2025-48088 | WordPress Ultimate Addons for WPBakery Page Builder plugin < 3.21.1 - Cross Site Scripting (XSS) vulnerability | Brainstorm_Force | Ultimate Addons for WPBakery Page Builder | Medium | 6.5 | 2025-10-27 02:09:52 | Deep Dive |
| CVE-2025-62943 | WordPress Next Page, Not Next Post plugin <= 0.3.0 - Cross Site Scripting (XSS) vulnerability | Matt McInvale | Next Page, Not Next Post | Medium | 6.5 | 2025-10-27 01:34:06 | Deep Dive |
| CVE-2025-10861 | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers <= 2.1.4 - Unauthenticated Server-Side Request Forgery | roxnor | Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | High | 7.5 | 2025-10-24 11:25:46 | Deep Dive |
| CVE-2025-10874 | Orbit Fox < 3.0.2 - Author+ Server-Side Request Forgery | Unknown | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | Medium | - | 2025-10-24 06:00:09 | Deep Dive |
| CVE-2025-7730 | Bold Page Builder <= 5.4.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via `percentage` Parameter | boldthemes | Bold Page Builder | Medium | 6.4 | 2025-10-23 22:25:23 | Deep Dive |
| CVE-2025-62052 | WordPress One Page Express Companion plugin <= 1.6.43 - Broken Access Control vulnerability | Horea Radu | One Page Express Companion | Medium | 4.3 | 2025-10-22 14:32:52 | Deep Dive |