| CVE ID | Title | Vendor | Plugin | Severity | CVSS score | Published | Link |
|---|---|---|---|---|---|---|---|
| CVE-2025-64272 | WordPress Email marketing for WordPress by GetResponse Official plugin <= 1.5.3 - Sensitive Data Exposure vulnerability | GetResponse | Email marketing for WordPress by GetResponse Official | - | - | 2025-12-18 07:22:15 | Deep Dive |
| CVE-2025-64231 | WordPress WordPress Contact Form 7 PDF, Google Sheet & Database plugin <= 3.0.0 - Arbitrary File Upload vulnerability | RedefiningTheWeb | WordPress Contact Form 7 PDF, Google Sheet & Database | Critical | 9.9 | 2025-12-18 07:22:14 | Deep Dive |
| CVE-2025-13537 | Live Composer – Free WordPress Website Builder <= 2.0.2 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | livecomposer | Live Composer – Free WordPress Website Builder | Medium | 6.4 | 2025-12-17 18:21:35 | Deep Dive |
| CVE-2025-14154 | Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting | wordplus | Better Messages – Live Chat, Chat Rooms, Real-Time Messaging & Private Messages | Medium | 6.1 | 2025-12-17 05:24:55 | Deep Dive |
| CVE-2025-13861 | HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting | linksoftware | HTML Forms – Simple WordPress Forms Plugin | Medium | 6.1 | 2025-12-17 04:31:31 | Deep Dive |
| CVE-2025-64253 | WordPress Health Check & Troubleshooting plugin <= 1.7.1 - Path Traversal vulnerability | WordPress.org | Health Check & Troubleshooting | - | - | 2025-12-16 08:12:50 | Deep Dive |
| CVE-2025-13956 | LearnPress – WordPress LMS Plugin <= 4.3.1 - Missing Authorization to Unauthenticated Orders Statistics Exposure | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 5.3 | 2025-12-16 04:31:35 | Deep Dive |
| CVE-2025-14387 | LearnPress – WordPress LMS Plugin <= 4.3.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via get_profile_social | thimpress | LearnPress – WordPress LMS Plugin for Create and Sell Online Courses | Medium | 6.4 | 2025-12-15 15:30:55 | Deep Dive |
| CVE-2025-14156 | Fox LMS – WordPress LMS Plugin 1.0.4.7 - 1.0.5.1 - Unauthenticated Privilege Escalation via 'createOrder' | ays-pro | Fox LMS – WordPress LMS Plugin | Critical | 9.8 | 2025-12-15 14:25:13 | Deep Dive |
| CVE-2025-13728 | FluentAuth - Auth Security Plugin <= 2.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluent_auth_reset_password' Shortcode | techjewel | FluentAuth – The Ultimate Authorization & Security Plugin for WordPress | Medium | 6.4 | 2025-12-15 14:25:12 | Deep Dive |
| CVE-2025-12900 | FileBird – WordPress Media Library Folders & File Manager <= 6.5.1 - Missing Authorization to Authenticated (Author+) Global Folders Tampering | ninjateam | FileBird – WordPress Media Library Folders & File Manager | Medium | 4.3 | 2025-12-15 14:25:11 | Deep Dive |
| CVE-2025-10738 | URL Shortener Plugin For WordPress <= 3.0.7 - Unauthenticated SQL Injection | rupok98 | URL Shortener Plugin For WordPress | Critical | 9.8 | 2025-12-13 06:33:56 | Deep Dive |
| CVE-2025-9218 | rtMedia for WordPress, BuddyPress and bbPress 4.7.0 - 4.7.3 - Missing Authorization to Unauthenticated Information Disclosure via handle_rest_pre_dispatch Function | rtcamp | rtMedia for WordPress, BuddyPress and bbPress | Low | 3.7 | 2025-12-13 04:31:26 | Deep Dive |
| CVE-2025-14476 | Doubly <= 1.0.46 - Authenticated (Subscriber+) PHP Object Injection via ZIP File Import | unitecms | Doubly – Cross Domain Copy Paste for WordPress | High | 8.8 | 2025-12-13 04:31:25 | Deep Dive |
| CVE-2025-12348 | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution | icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress | Medium | 5.3 | 2025-12-12 09:20:29 | Deep Dive |
| CVE-2025-14393 | Wpik WordPress Basic Ajax Form <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | awanhrp | Wpik WordPress Basic Ajax Form | Medium | 6.4 | 2025-12-12 03:20:41 | Deep Dive |
| CVE-2025-14162 | BMLT WordPress Plugin <= 3.11.4 - Cross-Site Request Forgery to Settings Creation and Deletion | magblogapi | BMLT WordPress Satellite | Medium | 4.3 | 2025-12-12 03:20:37 | Deep Dive |
| CVE-2025-67559 | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Broken Access Control vulnerability | vcita | Online Booking & Scheduling Calendar for WordPress by vcita | Medium | 5.4 | 2025-12-09 14:14:09 | Deep Dive |
| CVE-2025-67535 | WordPress WP Maps plugin <= 4.8.6 - PHP Object Injection vulnerability | Flipper Code - WordPress Development Company | WP Maps | Medium | 6.6 | 2025-12-09 14:14:04 | Deep Dive |
| CVE-2025-67516 | WordPress Store Locator WordPress plugin <= 1.6.2 - SQL Injection vulnerability | Agile Logix | Store Locator WordPress | High | 8.5 | 2025-12-09 14:13:57 | Deep Dive |