| CVE | Title | Author | Plugin | Severity | CVSS | Date | Link |
|---|---|---|---|---|---|---|---|
| CVE-2025-5275 | Charitable <= 1.8.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Privacy Settings | smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | Medium | 4.4 | 2025-06-26 02:22:22 | Deep Dive |
| CVE-2025-49974 | WordPress UpStream: a Project Management Plugin for WordPress plugin <= 2.1.1 - Broken Access Control Vulnerability | upstreamplugin | UpStream: a Project Management Plugin for WordPress | Medium | 4.3 | 2025-06-20 15:04:17 | Deep Dive |
| CVE-2025-49312 | WordPress Echo RSS Feed Post Generator Plugin for WordPress plugin <= 5.4.8.1 - Reflected Cross Site Scripting (XSS) vulnerability | CodeRevolution | Echo RSS Feed Post Generator Plugin for WordPress | High | 7.1 | 2025-06-17 15:01:24 | Deep Dive |
| CVE-2025-4187 | UserPro - Community and User Profile WordPress Plugin <= 5.1.10 - Unauthenticated Arbitrary File Read | - | UserPro - Community and User Profile WordPress Plugin | Medium | 5.9 | 2025-06-14 08:23:23 | Deep Dive |
| CVE-2025-5487 | AutomatorWP <= 5.2.5 - Authenticated (Administrator+) SQL Injection via field_conditions | rubengc | AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress | High | 7.2 | 2025-06-14 06:41:28 | Deep Dive |
| CVE-2025-5395 | WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload | ValvePress | WordPress Automatic Plugin | High | 8.8 | 2025-06-11 06:39:47 | Deep Dive |
| CVE-2025-2918 | Ultimate Blocks – WordPress Blocks Plugin <= 3.3.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets | ultimateblocks | Ultimate Blocks – 25+ Gutenberg Blocks for Block Editor | Medium | 6.4 | 2025-06-10 11:22:52 | Deep Dive |
| CVE-2025-5568 | WpEvently <= 4.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting | magepeopleteam | Event Booking Manager for WooCommerce | Medium | 6.4 | 2025-06-07 11:17:51 | Deep Dive |
| CVE-2025-29005 | WordPress HR Management Lite plugin <= 3.6 - Cross Site Request Forgery (CSRF) vulnerability | Weblizar - WordPress Themes & Plugin | HR Management Lite | Medium | 4.3 | 2025-06-06 12:54:27 | Deep Dive |
| CVE-2025-5239 | Domain For Sale <= 3.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter | themeatelier | Domain For Sale – Sell Domains with Landing Pages, Offers & Inquiries | Medium | 6.4 | 2025-06-06 11:13:17 | Deep Dive |
| CVE-2025-5018 | Hive Support <= 1.2.5 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox | hivesupport | Hive Support \| AI-Powered Help Desk, Live Chat and Chatbot | High | 7.1 | 2025-06-06 06:42:51 | Deep Dive |
| CVE-2025-5019 | Hive Support <= 1.2.5 - Cross-Site Request Forgery via hs_update_ai_chat_settings Function | hivesupport | Hive Support \| AI-Powered Help Desk, Live Chat and Chatbot | Medium | 5.4 | 2025-06-06 06:42:49 | Deep Dive |
| CVE-2025-5539 | Simplify Contact Management: WP Easy Contact <= 4.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | emarket-design | Simple Contact Form Plugin for WordPress – WP Easy Contact | Medium | 6.4 | 2025-06-04 04:22:42 | Deep Dive |
| CVE-2025-5532 | Faculty Staff and Student Directory Plugin – Campus Directory <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | emarket-design | Campus Directory – Faculty, Staff & Student Directory Plugin for WordPress | Medium | 6.4 | 2025-06-04 03:40:59 | Deep Dive |
| CVE-2025-5531 | Staff Directory – Employee Directory for WordPress <= 4.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | emarket-design | Employee Directory – Staff & Team Directory | Medium | 6.4 | 2025-06-04 03:40:58 | Deep Dive |
| CVE-2025-4803 | Glossary by WPPedia <= 1.3.0 - Authenticated (Administrator+) PHP Object Injection | steinrein | Glossary by WPPedia – Best Glossary plugin for WordPress | High | 7.2 | 2025-05-21 09:21:50 | Deep Dive |
| CVE-2025-4611 | Slim SEO <= 4.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via slim_seo_breadcrumbs Shortcode | rilwis | Slim SEO – A Fast & Automated SEO Plugin For WordPress | Medium | 6.4 | 2025-05-21 09:21:50 | Deep Dive |
| CVE-2025-39411 | WordPress WhatsApp Click to Chat Plugin for WordPress plugin <= 2.2.12 - Local File Inclusion vulnerability | Indie_Plugins | WhatsApp Click to Chat Plugin for WordPress | High | 7.5 | 2025-05-19 18:58:02 | Deep Dive |
| CVE-2025-3527 | EventON - WordPress Virtual Event Calendar Plugin <= 4.9.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting | EventON | EventON (Pro) - WordPress Virtual Event Calendar Plugin | Medium | 6.4 | 2025-05-17 11:17:16 | Deep Dive |
| CVE-2025-32306 | WordPress Radio Player Shoutcast & Icecast theme <= 4.4.6 - SQL Injection Vulnerability | LambertGroup | Radio Player Shoutcast & Icecast WordPress Plugin | High | 8.5 | 2025-05-16 15:45:29 | Deep Dive |
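The rows above bury the two facts a triager actually needs, the lowest WordPress role that can reach the bug and the highest affected version, inside free-text titles. The following Python is an added example, not code from the listing's publisher or from any of the plugins: it parses rows in this pipe-table layout (the column order is inferred from the table, and a backslash-escaped pipe is assumed for plugin names that contain one), pulls the "(Role+)" / "Unauthenticated" and "<= version" markers out of the title, checks whether an installed version is in range, and orders findings by required privilege first and CVSS second, so an unauthenticated 5.9 outranks an Administrator+ 7.2. The sample rows are copied from the table above as constructed input; nothing is fetched.

```python
import re
from dataclasses import dataclass
from typing import Optional

# WordPress role ladder, lowest privilege first. Rank drives triage order:
# a bug reachable by an anonymous visitor beats an Administrator+ one
# regardless of CVSS, because the attacker needs no foothold at all.
ROLE_RANK = {
    "Unauthenticated": 0,
    "Subscriber": 1,
    "Contributor": 2,
    "Author": 3,
    "Editor": 4,
    "Administrator": 5,
}

# Constructed sample: four rows copied from the listing above (raw string so
# the escaped pipe in the Hive Support plugin name survives as written).
SAMPLE_ROWS = r"""
| CVE-2025-4187 | UserPro - Community and User Profile WordPress Plugin <= 5.1.10 - Unauthenticated Arbitrary File Read | - | UserPro - Community and User Profile WordPress Plugin | Medium | 5.9 | 2025-06-14 08:23:23 | Deep Dive |
| CVE-2025-5395 | WordPress Automatic Plugin - AI content generator and auto poster plugin <= 3.115.0 - Authenticated (Author+) Arbitrary File Upload | ValvePress | WordPress Automatic Plugin | High | 8.8 | 2025-06-11 06:39:47 | Deep Dive |
| CVE-2025-5018 | Hive Support <= 1.2.5 - Authenticated (Subscriber+) Missing Authorization via hs_update_ai_chat_settings and hive_lite_support_get_all_binbox | hivesupport | Hive Support \| AI-Powered Help Desk, Live Chat and Chatbot | High | 7.1 | 2025-06-06 06:42:51 | Deep Dive |
| CVE-2025-5275 | Charitable <= 1.8.6.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin's Privacy Settings | smub | Charitable – Donation Plugin for WordPress – Fundraising with Recurring Donations & More | Medium | 4.4 | 2025-06-26 02:22:22 | Deep Dive |
"""


@dataclass
class Advisory:
    cve: str
    title: str
    author: str
    plugin: str
    severity: str
    cvss: float
    date: str
    max_affected: Optional[tuple]  # version tuple from "<= X" in the title
    min_role: Optional[str]        # lowest role that can trigger the bug, if stated


def split_row(line: str) -> list:
    """Split one pipe-table row into cells, honouring a backslash-escaped pipe."""
    pieces = re.split(r"(?<!\\)\|", line.strip())
    # A row starts and ends with a pipe, so the first and last pieces are empty.
    return [p.strip().replace("\\|", "|") for p in pieces[1:-1]]


def parse_version(text: str) -> tuple:
    """'1.8.6.1' -> (1, 8, 6, 1); tuples compare component-wise, unlike strings."""
    return tuple(int(p) for p in text.split("."))


def parse_row(line: str) -> Advisory:
    cve, title, author, plugin, severity, cvss, date, _link = split_row(line)
    m_ver = re.search(r"<=\s*([\d.]+)", title)
    if "Unauthenticated" in title:
        role = "Unauthenticated"
    else:
        m_role = re.search(r"\((\w+)\+\)", title)
        role = m_role.group(1) if m_role and m_role.group(1) in ROLE_RANK else None
    return Advisory(cve, title, author, plugin, severity, float(cvss), date,
                    parse_version(m_ver.group(1)) if m_ver else None, role)


def parse_table(text: str) -> list:
    return [parse_row(l) for l in text.splitlines() if l.strip().startswith("|")]


def is_affected(adv: Advisory, installed: str) -> bool:
    """True when the installed version falls inside the '<= max' range."""
    if adv.max_affected is None:
        return True  # no range in the title: assume affected until checked
    return parse_version(installed) <= adv.max_affected


def triage(advisories: list) -> list:
    """Order by lowest required privilege, then by CVSS descending."""
    def key(a: Advisory):
        rank = ROLE_RANK.get(a.min_role, len(ROLE_RANK))  # unknown role sorts last
        return (rank, -a.cvss)
    return sorted(advisories, key=key)


if __name__ == "__main__":
    for a in triage(parse_table(SAMPLE_ROWS)):
        print(f"{a.cve}  role={a.min_role:<15} cvss={a.cvss:<4} max={a.max_affected}")
```

The role is read from the title rather than from the CVSS vector because the listing exposes only the score; if a feed carries the vector, PR:N/PR:L/PR:H is the more reliable field and the title regex should be the fallback.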