Vulnerability Details
Basic Information
| Title | Wordfence Intelligence Weekly WordPress Vulnerability Report (April 21, 2025 to April 27, 2025) |
|---|---|
| Type | wordfence |
| Published | 2025-05-01T15:38:37 |
| Last Seen | 2025-05-01T17:24:41 |
| CVSS Score | 9.8 (CRITICAL) |
CVSS v3 Details
| Attack Vector | NETWORK |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
CVE Information
| CVE IDs | CVE-2024-11299, CVE-2024-11917, CVE-2024-13307, CVE-2024-13808, CVE-2024-13812, CVE-2025-1054, CVE-2025-1279, CVE-2025-1284, CVE-2025-1294, CVE-2025-1458, CVE-2025-1565, CVE-2025-2101, CVE-2025-2105, CVE-2025-2238, CVE-2025-2470, CVE-2025-2543, CVE-2025-2579, CVE-2025-2580, CVE-2025-2801, CVE-2025-2839, CVE-2025-3058, CVE-2025-3065, CVE-2025-3101, CVE-2025-3280, CVE-2025-32921, CVE-2025-32924, CVE-2025-32925, CVE-2025-32926, CVE-2025-32927, CVE-2025-32928, CVE-2025-3300, CVE-2025-3435, CVE-2025-3457, CVE-2025-3458, CVE-2025-3472, CVE-2025-3491, CVE-2025-3529, CVE-2025-3530, CVE-2025-3603, CVE-2025-3604, CVE-2025-3607, CVE-2025-3616, CVE-2025-3743, CVE-2025-3749, CVE-2025-3752, CVE-2025-3761, CVE-2025-3775, CVE-2025-3776, CVE-2025-3793, CVE-2025-3814, CVE-2025-3832, CVE-2025-3861, CVE-2025-3866, CVE-2025-3867, CVE-2025-3868, CVE-2025-3870, CVE-2025-3906, CVE-2025-3912, CVE-2025-3914, CVE-2025-3915, CVE-2025-3923, CVE-2025-39348, CVE-2025-39349, CVE-2025-39350, CVE-2025-39352, CVE-2025-39354, CVE-2025-39355, CVE-2025-39356, CVE-2025-39357, CVE-2025-39359, CVE-2025-39360, CVE-2025-39365, CVE-2025-39366, CVE-2025-39369, CVE-2025-39370, CVE-2025-39371, CVE-2025-39372, CVE-2025-39373, CVE-2025-39374, CVE-2025-39375, CVE-2025-39376, CVE-2025-39377, CVE-2025-39378, CVE-2025-39379, CVE-2025-39380, CVE-2025-39382, CVE-2025-39383, CVE-2025-39384, CVE-2025-39386, CVE-2025-39387, CVE-2025-39389, CVE-2025-39391, CVE-2025-39393, CVE-2025-39397, CVE-2025-39398, CVE-2025-39399, CVE-2025-39400, CVE-2025-43833, CVE-2025-43834, CVE-2025-43835, CVE-2025-43840, CVE-2025-43841, CVE-2025-46225, CVE-2025-46226, CVE-2025-46227, CVE-2025-46228, CVE-2025-46229, CVE-2025-46230, CVE-2025-46231, CVE-2025-46232, CVE-2025-46233, CVE-2025-46234, CVE-2025-46235, CVE-2025-46236, CVE-2025-46237, CVE-2025-46238, CVE-2025-46239, CVE-2025-46240, CVE-2025-46241, CVE-2025-46242, CVE-2025-46243, CVE-2025-46244, CVE-2025-46245, CVE-2025-46246, CVE-2025-46247, CVE-2025-46248, CVE-2025-46249, CVE-2025-46250, CVE-2025-46251, CVE-2025-46252, CVE-2025-46253, CVE-2025-46254, CVE-2025-46260, CVE-2025-46261, CVE-2025-46262, CVE-2025-46263, CVE-2025-46435, CVE-2025-46436, CVE-2025-46437, CVE-2025-46438, CVE-2025-46439, CVE-2025-46442, CVE-2025-46443, CVE-2025-46445, CVE-2025-46446, CVE-2025-46447, CVE-2025-46448, CVE-2025-46449, CVE-2025-46450, CVE-2025-46451, CVE-2025-46452, CVE-2025-46453, CVE-2025-46455, CVE-2025-46457, CVE-2025-46459, CVE-2025-46460, CVE-2025-46461, CVE-2025-46462, CVE-2025-46463, CVE-2025-46465, CVE-2025-46466, CVE-2025-46467, CVE-2025-46468, CVE-2025-46469, CVE-2025-46470, CVE-2025-46471, CVE-2025-46472, CVE-2025-46473, CVE-2025-46474, CVE-2025-46475, CVE-2025-46476, CVE-2025-46477, CVE-2025-46478, CVE-2025-46479, CVE-2025-46480, CVE-2025-46481, CVE-2025-46482, CVE-2025-46483, CVE-2025-46484, CVE-2025-46485, CVE-2025-46489, CVE-2025-46490, CVE-2025-46491, CVE-2025-46492, CVE-2025-46495, CVE-2025-46496, CVE-2025-46497, CVE-2025-46498, CVE-2025-46499, CVE-2025-46501, CVE-2025-46502, CVE-2025-46503, CVE-2025-46504, CVE-2025-46505, CVE-2025-46506, CVE-2025-46507, CVE-2025-46508, CVE-2025-46509, CVE-2025-46510, CVE-2025-46511, CVE-2025-46512, CVE-2025-46513, CVE-2025-46514, CVE-2025-46516, CVE-2025-46517, CVE-2025-46519, CVE-2025-46520, CVE-2025-46521, CVE-2025-46522, CVE-2025-46523, CVE-2025-46524, CVE-2025-46525, CVE-2025-46526, CVE-2025-46528, CVE-2025-46529, CVE-2025-46530, CVE-2025-46531, CVE-2025-46532, CVE-2025-46533, CVE-2025-46534, CVE-2025-46535, CVE-2025-46536, CVE-2025-46538, CVE-2025-46539, CVE-2025-46540, CVE-2025-46541, CVE-2025-46542, CVE-2025-46543 |
|---|---|
| CWE | |
| Bulletin Family | info |
Description
_**In case you missed it, Wordfence just published its annual WordPress security report for 2024. Read it now to learn more about the evolving risk landscape of WordPress so you can keep your sites protected in 2025 and beyond.**_
* * *
Last week, there were 229 vulnerabilities disclosed in 196 WordPress Plugins and 14 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 53 Vulnerability Researchers that contributed to WordPress Security last week. **Review those vulnerabilities in this report now to ensure your site is not affected.**
Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, including the WordPress community, so that individuals and organizations alike can use that data **to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies.** That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and use, both personally and commercially, and why we are running this weekly vulnerability report.
Enterprises, hosting providers, and even individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Alternatively, they can use the vulnerability database API to receive a complete dump of our **database of over 26,000 vulnerabilities** and then use the webhook integration to stay on top of the newest vulnerabilities added in real time, as well as any updates made to the database, **all for free**.
_Click here to sign up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published._
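What a consumer of that database dump actually does with it is version matching: for every record, decide whether a site's installed plugin or theme version falls inside the affected range. The Python below is an added example, not Wordfence's code and not the CLI scanner. The record layout it reads (a `software` list with `slug`, `affected_versions` bounds, a `patched` flag, plus a `cvss.score`) is an assumption about the feed format and must be checked against the real API output; the sample records copy version bounds from titles in this report, and the site inventory and the `example-plugin` entry are constructed.

```python
"""Match installed WordPress plugins/themes against vulnerability feed records.

Added example, not Wordfence's code. The record layout used here (a software
list carrying slug, affected_versions bounds, a patched flag, and a cvss score)
is an ASSUMPTION about the feed format; check it against the real API output.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# --- version comparison, in the spirit of PHP's version_compare() -------------
# Pre-release tags rank below a plain number ('#'); 'pl'/'p' rank above it.
_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3, "c": 3, "#": 4, "pl": 5, "p": 5}
_NUMBER = (_RANK["#"], 0)


def _parts(version: str) -> list[str]:
    """'1.0-RC1' -> ['1', '0', 'RC', '1']: split on separators and digit/letter boundaries."""
    v = re.sub(r"[-_+]", ".", version)
    v = re.sub(r"(?<=\d)(?=[A-Za-z])|(?<=[A-Za-z])(?=\d)", ".", v)
    return [p for p in v.split(".") if p]


def _key(part: str) -> tuple[int, int]:
    if part.isdigit():
        return (_RANK["#"], int(part))
    return (_RANK.get(part.lower(), -1), 0)  # unknown tags sort lowest, as in PHP


def version_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like PHP's version_compare(); '2.0.16' > '2.0.9' unlike a string compare."""
    pa, pb = _parts(a), _parts(b)
    for x, y in zip(pa, pb):
        kx, ky = _key(x), _key(y)
        if kx != ky:
            return -1 if kx < ky else 1
    if len(pa) == len(pb):
        return 0
    # Extra trailing component: a number or 'pl' makes the longer version greater
    # ('1.0.0' > '1.0'); a pre-release tag makes it smaller ('1.0rc1' < '1.0').
    longer, sign = (pa, 1) if len(pa) > len(pb) else (pb, -1)
    return sign if _key(longer[min(len(pa), len(pb))]) >= _NUMBER else -sign


# --- range check and inventory matching --------------------------------------
def in_affected_range(installed: str, rng: dict) -> bool:
    """True if `installed` lies within [from_version, to_version]; '*' means an open bound."""
    lo, hi = rng.get("from_version", "*"), rng.get("to_version", "*")
    if lo != "*":
        c = version_compare(installed, lo)
        if c < 0 or (c == 0 and not rng.get("from_inclusive", True)):
            return False
    if hi != "*":
        c = version_compare(installed, hi)
        if c > 0 or (c == 0 and not rng.get("to_inclusive", True)):
            return False
    return True


@dataclass
class Finding:
    slug: str
    installed: str
    cve: str
    score: float
    patched: bool  # False: no fixed release exists yet, so "update" is not an available remediation


def match_inventory(inventory: dict[str, str], feed: list[dict], min_score: float = 0.0) -> list[Finding]:
    """inventory maps slug -> installed version (e.g. from WP-CLI `wp plugin list` / `wp theme list`
    with --fields=name,version --format=json). Returns findings sorted by CVSS score, highest first."""
    findings = []
    for rec in feed:
        score = float(rec.get("cvss", {}).get("score", 0))
        if score < min_score:
            continue
        for sw in rec.get("software", []):
            installed = inventory.get(sw["slug"])
            if installed is not None and in_affected_range(installed, sw.get("affected_versions", {})):
                findings.append(Finding(sw["slug"], installed, rec.get("cve", ""), score, bool(sw.get("patched"))))
    return sorted(findings, key=lambda f: (-f.score, f.slug))


# --- constructed samples ------------------------------------------------------
def _rec(slug, kind, cve, score, lo, hi, hi_inclusive=True, patched=False):
    """One feed record in the assumed layout (sample builder, not the real API)."""
    return {"cve": cve, "cvss": {"score": score},
            "software": [{"type": kind, "slug": slug, "patched": patched,
                          "affected_versions": {"from_version": lo, "to_version": hi,
                                                "from_inclusive": True, "to_inclusive": hi_inclusive}}]}


SAMPLE_FEED = [  # version bounds copied from titles in this report; record layout assumed
    _rec("altair", "theme", "CVE-2025-32928", 9.8, "*", "5.2.2"),
    _rec("greenshift-animation-and-page-builder-blocks", "plugin", "CVE-2025-3616", 8.8, "11.4", "11.4.5", patched=True),
    _rec("wproject", "theme", "CVE-2025-39366", 8.8, "*", "5.8.0", hi_inclusive=False, patched=True),
]
SAMPLE_INVENTORY = {  # constructed site inventory
    "altair": "5.2.2",                                          # '<= 5.2.2' is inclusive -> affected
    "greenshift-animation-and-page-builder-blocks": "11.4.3",   # inside 11.4 - 11.4.5 -> affected
    "wproject": "5.8.0",                                        # '< 5.8.0' is exclusive -> fixed release
    "example-plugin": "1.0",                                    # hypothetical slug, not in the feed
}

if __name__ == "__main__":
    for f in match_inventory(SAMPLE_INVENTORY, SAMPLE_FEED):
        action = "update" if f.patched else "no fix yet: disable or restrict access"
        print(f"{f.score:4.1f} {f.cve:16} {f.slug} {f.installed} -> {action}")
```

Two details matter in practice: the comparison must be numeric per component (a string compare would call 2.0.16 older than 2.0.9), and an exclusive upper bound such as `< 5.8.0` must not flag the fixed release itself. The `patched` flag decides the remediation: for the 148 unpatched entries in this report there is nothing to update to, so the only options are to disable the software or restrict who can reach it.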
* * *
### New Firewall Rules Deployed Last Week
The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.
The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:
* My Tickets – Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation
* WAF-RULE-822 - Data redacted while we work with the vendor on a patch.
* WAF-RULE-824 - Data redacted while we work with the vendor on a patch.

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.
* * *
### Total Unpatched & Patched Vulnerabilities Last Week
| Patch Status | Number of Vulnerabilities |
|---|---|
| Patched | 81 |
| Unpatched | 148 |
* * *
### Total Vulnerabilities by CVSS Severity Last Week
| Severity Rating | Number of Vulnerabilities |
|---|---|
| Medium Severity | 170 |
| High Severity | 34 |
| Critical Severity | 25 |
* * *
### Total Vulnerabilities by CWE Type Last Week
| Vulnerability Type by CWE | Number of Vulnerabilities |
|---|---|
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 91 |
| Cross-Site Request Forgery (CSRF) | 42 |
| Missing Authorization | 20 |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 17 |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 15 |
| Deserialization of Untrusted Data | 10 |
| Improper Control of Generation of Code ('Code Injection') | 6 |
| Server-Side Request Forgery (SSRF) | 5 |
| Improper Privilege Management | 4 |
| Unrestricted Upload of File with Dangerous Type | 4 |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 3 |
| Unverified Password Change | 3 |
| Exposure of Sensitive Information to an Unauthorized Actor | 2 |
| External Control of Assumed-Immutable Web Parameter | 2 |
| Authorization Bypass Through User-Controlled Key | 1 |
| Improper Authentication | 1 |
| Incorrect Authorization | 1 |
| Incorrect Privilege Assignment | 1 |
| Insertion of Sensitive Information Into Sent Data | 1 |
* * *
### Researchers That Contributed to WordPress Security Last Week
| Researcher Name | Number of Vulnerabilities |
|---|---|
| johska | 49 |
| Nabil Irawan | 16 |
| muhammad yudha | 15 |
| Dimas Maulana | 12 |
| Nguyen Xuan Chien | 10 |
| ch4r0n | 10 |
| Aiden (Thái An) | 7 |
| Bonds | 7 |
| Trương Hữu Phúc (truonghuuphuc) | 6 |
| Ananda Dhakal | 6 |
| kr0d | 6 |
| Nguyen Ngoc Quang Bach (maysbachs) | 5 |
| Tonn | 5 |
| stealthcopter | 4 |
| astra.r3verii | 4 |
| timomangcut | 4 |
| Avraham Shemesh | 4 |
| Peter Thaleikis | 4 |
| Skalucy | 3 |
| Phat RiO - BlueRock | 3 |
| Dave Jong | 3 |
| Lucio Sá | 3 |
| 0x1ceKing | 3 |
| Chuck | 3 |
| mikemyers | 2 |
| theviper17y | 2 |
| nquangit | 2 |
| Michael | 2 |
| Le Ngoc Anh | 2 |
| Jack Taylor | 2 |
| haudayroi | 2 |
| Webbernaut | 2 |
| João Pedro Soares de Alcântara | 1 |
| 0xVenus | 1 |
| 0xbro | 1 |
| Amin Beheshti | 1 |
| Gab | 1 |
| Ngo Bui Truong Vu | 1 |
| domiee13 | 1 |
| shaman0x01 | 1 |
| Foxyyy | 1 |
| lucky_buddy | 1 |
| Francesco Carlucci | 1 |
| LVT-tholv2k | 1 |
| zer0gh0st | 1 |
| Psai | 1 |
| Khalid Yusuf | 1 |
| Alyudin Nafiie | 1 |
| p4 | 1 |
| Hiro | 1 |
| Tom Broucke | 1 |
| Dhabaleshwar Das | 1 |
| zaim | 1 |

_Are you a security researcher who would like to be featured in our weekly vulnerability report?_ You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added to the Wordfence Intelligence leaderboard, along with a mention in our weekly vulnerability report.
* * *
### WordPress Plugins with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| 1 Decembrie 1918 | 1-decembrie-1918 |
| 360 View | 360-view |
| Able Player, accessible HTML5 media player | ableplayer |
| Absolute Links | absolute-links |
| ACF: Google Font Selector | acf-google-font-selector-field |
| Add custom page template | add-custom-page-template |
| Add Google +1 (Plus one) social share Button | add-google-plus-one-social-share-button |
| Advanced Accordion Gutenberg Block | advanced-accordion-block |
| Advanced lazy load | advanced-lazy-load |
| Advanced Linked Variations for Woocommerce | linked-variation |
| Aeropage Sync for Airtable | aeropage-sync-for-airtable |
| affiliate-toolkit – WP Affiliate Plugin with Amazon | affiliate-toolkit-starter |
| Ajax Comment Form CST | ajax-comment-form-cst |
| All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier | aio-time-clock-lite |
| Alt Text AI – Automatically generate image alt text for SEO and accessibility | alttext-ai |
| AnalyticsWP | analyticswp |
| Animate | animate |
| Anps Theme plugin | anps_theme_plugin |
| Anything Popup | anything-popup |
| Appointment Booking Calendar | appointment-booking-calendar |
| Appsero Helper | appsero-helper |
| Author Box After Posts | author-box-after-posts |
| Author Box Plugin With Different Description | author-box-with-different-description |
| Availability Calendar | availability |
| Awesome Wp Image Gallery | awesome-wp-image-gallery |
| BBCode Deluxe | bbcode-deluxe |
| BeerXML Shortcode | beerxml-shortcode |
| Best Posts Summary | best-posts-summary |
| Best Quiz Plugin for WordPress: WP Quiz | wp-quiz |
| Blog Manager WP | blog-manager-wp |
| BM Content Builder | bm-builder |
| Breeze Display | wt-display-breeze |
| Buddypress Force Password Change | buddy-press-force-password-change |
| Bulk Assign Linked Products For WooCommerce | wc-bulk-assign-linked-products |
| Business Contact Widget | business-contact-widget |
| Call Now PHT Blog | call-now-coccoc-pht-blog |
| Capturly | capturly-optimize-your-website |
| Car Park Booking System for WordPress | car-park-booking-system-for-wordpress |
| Carousel-of-post-images | carousel-of-post-images |
| CheckBot | checkbot |
| Checkout Field Visibility for WooCommerce | checkout-field-visibility-for-woocommerce |
| CM Ad Changer – A simple tool to control and optimize your site's banners | cm-ad-changer |
| CM Answers – Easy-to-use forum to grow your WP community | cm-answers |
| Configurator Theme Core | amz-configurator-core |
| Confirm User Registration | confirm-user-registration |
| Contact Form 7 Calendar | cf7-calendar |
| Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder | bit-form |
| Control Listings – Classifieds Ads Directory Portal Manager | control-listings |
| cookieBAR | cookiebar |
| COVID-19 (Coronavirus) Update Your Customers | covid-19-alert |
| Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress | abcsubmit |
| Crossword Compiler Puzzles | crossword-compiler-puzzles |
| Custom Admin-Bar Favorites | admin-bookmarks |
| Custom Functions Plugin | custom-functions |
| Custom Login and Registration | ms-registration |
| Custom Related Posts | custom-related-posts |
| Database Toolset | database-toolset |
| Document Management System | dms |
| Drop Caps | drop-caps |
| Dropdown Content | dropdown-content |
| Easy Child Theme Creator | easy-child-theme-creator |
| eForm - WordPress Form Builder | wp-fsqm-pro |
| Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder | bdthemes-element-pack-lite |
| ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes | elex-bulk-edit-products-prices-attributes-for-woocommerce-basic |
| Enhanced Paypal Shortcodes | enhanced-paypal-shortcodes |
| Event post | event-post |
| External Markdown | external-markdown |
| Fable Extra | fable-extra |
| FAT Services Booking | fat-services-booking |
| Flickr Shortcode Importer | flickr-shortcode-importer |
| Floating Social Bar | floating-social-bar |
| Flynax Bridge | flynax-bridge |
| Foodbakery Sticky Cart | foodbakery-sticky-cart |
| Frontend Dashboard | frontend-dashboard |
| Frontend Login and Registration Blocks | frontend-login-and-registration-blocks |
| FuseDesk | fusedesk |
| GNA Search Shortcode | gna-search-shortcode |
| Google News | google-news |
| Grand Conference \| Event WordPress | grandconference |
| Greenshift – animation and page builder blocks | greenshift-animation-and-page-builder-blocks |
| GTDB Guitar Tuners | guitar-tuner |
| GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor | gutenkit-blocks-addon |
| Hacklog Remote Attachment | hacklog-remote-attachment |
| Hospital Management System for WordPress | hospital-management |
| HTML Forms – Simple WordPress Forms Plugin | html-forms |
| iCafe Library | icafe-library |
| Image Hover Effects For WPBakery Page Builder | image-hover-effects-for-visual-composer |
| Image Optimizer, Resizer and CDN – Sirv | sirv |
| Image Style Hover – Displays content when you hover on image | image-content-show-hover |
| Inline Text Popup | inline-text-popup |
| Integração entre Eduzz e Woocommerce | integracao-entre-eduzz-e-wc-powers |
| JobSearch WP Job Board | wp-jobsearch |
| Jupiter X Core | jupiterx-core |
| Landing pages and Domain aliases for WordPress | landing-pages-and-domain-aliases |
| Libro de Reclamaciones | libro-de-reclamaciones |
| License For Envato | license-envato |
| Lifetime free Drag & Drop Contact Form Builder for WordPress VForm | v-form |
| Link Library | link-library |
| List Last Changes | list-last-changes |
| Loan Calculator | repayment-calculator |
| Lottie Player- Great Lottie Player Solution | embed-lottie-player |
| LSD Custom taxonomy and category meta | custom-taxonomy-category-and-term-fields |
| Mad Mimi for WordPress | mad-mimi |
| Mailing Group Listserv | wp-mailing-group |
| Mang Board WP | mangboard |
| Mayosis Core | mayosis-core |
| Media Library Downloader | media-library-downloader |
| Memberpress | memberpress |
| Message Filter for Contact Form 7 | cf7-message-filter |
| Milat jQuery Automatic Popup | milat-jquery-automatic-popup |
| Mini twitter feed | mini-twitter-feed |
| Mixcloud Embed | mixcloud-embed |
| Modern Polls | modern-polls |
| MPL-Publisher — Ebook & Audiobook Creator | mpl-publisher |
| Multi-Column Taxonomy List | multi-column-taxonomy-list |
| My Custom Widgets | mycustomwidget |
| My Tickets – Accessible Event Ticketing | my-tickets |
| Navegg Analytics | navegg |
| Nepali Post Date | nepali-post-date |
| occupancyplan | occupancyplan |
| Ocean Extra | ocean-extra |
| PayPal Express Checkout | paypal-express-checkout |
| Peadig’s Google +1 Button | google-1 |
| Peekaboo | peekaboo |
| Plugin Central | plugin-central |
| Popup Builder | easy-notify-lite |
| Post in page for Elementor | post-in-page-for-elementor |
| Posts for Page | posts-for-page |
| Prevent Direct Access – Protect WordPress Files | prevent-direct-access |
| Print Science Designer | print-science-designer |
| Product Lister for eBay | product-lister-ebay |
| RAphicon | raphicon |
| Recover abandoned cart for WooCommerce | recover-wc-abandoned-cart |
| Related Posts via Taxonomies | related-posts-via-taxonomies |
| Revy | revy |
| RRSSB | rrssb |
| SCSS-Library | scss-library |
| Send From | send-from |
| Seriously Simple Podcasting | seriously-simple-podcasting |
| Service Finder Bookings | sf-booking |
| SEUR Oficial | seur |
| ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) | woolentor-addons |
| Simple calendar for Elementor | simple-calendar-for-elementor |
| Simple Download Counter | simple-download-counter |
| Simple Google Photos Grid | simple-google-photos-grid |
| SKT Blocks – Gutenberg based Page Builder | skt-blocks |
| Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) | sky-elementor-addons |
| Smart Hashtags [#hashtagger] | hashtagger |
| Social Counter | social-counter |
| Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light | excel-like-price-change-for-woocommerce-and-wp-e-commerce-light |
| SUMO Reward Points for WooCommerce | rewardsystem |
| Tax Switch for WooCommerce | tax-switch-for-woocommerce |
| Tayori Form Plugin | tayori |
| Textmetrics | webtexttool |
| The Pack Elementor addon | the-pack-addon |
| Theme Switcha – Easily Switch Themes for Development and Testing | theme-switcha |
| Time Based Greeting | time-based-greeting |
| Twitter Card Generator | twitter-card-generator |
| UiCore Elements – Free Elementor widgets and templates | uicore-elements |
| Unsafe Mimetypes | unsafe-mimetypes |
| Upsell Funnel Builder for WooCommerce | upsell-order-bump-offer-for-woocommerce |
| User Registration & Membership – Custom Registration Form, Login Form, and User Profile | user-registration |
| Vasaio QR Code | vasaio-qr-code |
| Verification SMS with TargetSMS | verification-sms-targetsms |
| VikRestaurants Table Reservations and Take-Away | vikrestaurants |
| Visual Composer Website Builder | visualcomposer |
| Watu Quiz | watu |
| Woocommerce Automatic Order Printing \| (Formerly WooCommerce Google Cloud Print) | xc-woo-google-cloud-print |
| WordPress Easy Guide | wp-easy-guide |
| WordPress Events Calendar Registration & Tickets | wpeventplus |
| WordPress Simple Shopping Cart | wordpress-simple-paypal-shopping-cart |
| WordPress Tabs | gt-tabs |
| WordPress Tooltip | wp-tooltip |
| WoWHead Tooltips | wowhead-tooltips |
| WP AVCL Automation Helper (formerly WPFlyLeads) | woozap |
| WP Cookie Consent | wp-cookie-consent |
| Wp Custom CMS Block | wp-custom-cms-block |
| WP Custom Post Popup | custom-post-popup |
| WP Customize Login Page | wp-customize-login-page |
| WP Filter Post Category | wp-filter-post-categories |
| WP Foodbakery | wp-foodbakery |
| WP HRM LITE | wp-hrm-lite-human-resource-management-system |
| WP Import Export Lite | wp-import-export-lite |
| WP Vegas | vegas-fullscreen-background-slider |
| wp-cyr-cho \| Converts Cyrillic characters to Latin | wp-cyr-cho |
| WP-reCAPTCHA-bp | wp-recaptcha-bp |
| WPMasterToolKit (WPMTK) – All in one plugin | wpmastertoolkit |
| WPVN – Username Changer | wpvn-username-changer |
| WpZon – Amazon Affiliate Plugin | wpzon |
| WS Force Login Page | ws-force-login-page |
| WS Form LITE – Drag & Drop Contact Form Builder for WordPress | ws-form |
| Xelion Webchat | xelion-webchat |
| Xpert Tab | xpert-tab |
| Xpro Elementor Addons - Pro | xpro-elementor-addons-pro |
| Zalo Official Live Chat | zalo-official-live-chat |
| Zoho Creator Forms | zohocreator |
* * *
### WordPress Themes with Reported Vulnerabilities Last Week
| Software Name | Software Slug |
|---|---|
| Altair | altair |
| Arrival | arrival |
| bellevuex | bellevuex |
| CiyaShop - Multipurpose WooCommerce Theme | ciyashop |
| CWW Portfolio | cww-portfolio |
| EduMall - Professional LMS Education Center WordPress Theme | edumall |
| Grace Mag | grace-mag |
| Grand Restaurant WordPress | grandrestaurant |
| JNews - WordPress Newspaper Magazine Blog AMP Theme | jnews |
| Opstore | opstore |
| Reales WP - Real Estate WordPress Theme | reales-wp-real-estate-wordpress-theme |
| Vikinger | vikinger |
| wProject | wproject |
| Xews Lite | xews-lite |
* * *
### Vulnerability Details
Please note that if you run the Wordfence plugin on your WordPress site with the scanner enabled, you should already have been notified if your site was affected by any of these vulnerabilities. If you'd like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to use.
#### Altair <= 5.2.2 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32928**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Altair; Researcher: Bonds
#### Arrival <= 1.4.5 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32921**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Arrival; Researcher: Dimas Maulana
#### Capturly <= 2.0.1 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39379**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Capturly; Researcher: Dimas Maulana
#### Checkout Field Visibility for WooCommerce <= 1.2.3 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39391**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Checkout Field Visibility for WooCommerce; Researcher: Dimas Maulana
#### CiyaShop <= 4.18.0 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39349**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: CiyaShop - Multipurpose WooCommerce Theme; Researcher: Bonds
#### CWW Portfolio <= 1.3.1 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39359**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: CWW Portfolio; Researcher: Dimas Maulana
#### Fable Extra <= 1.0.6 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-46468**; Patch Status: **Patched**; Published: **Apr 25, 2025**; Affected Software: Fable Extra; Researcher: stealthcopter
#### Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Account Takeover
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-3604**; Patch Status: **Unpatched**; Published: **Apr 23, 2025**; Affected Software: Flynax Bridge; Researcher: kr0d
#### Flynax Bridge <= 2.2.0 - Unauthenticated Privilege Escalation via Password Update
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-3603**; Patch Status: **Unpatched**; Published: **Apr 23, 2025**; Affected Software: Flynax Bridge; Researcher: kr0d
#### Foodbakery Sticky Cart <= 3.2 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39356**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Foodbakery Sticky Cart; Researcher: Bonds
#### Grace Mag <= 1.1.5 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39360**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Grace Mag; Researcher: Dimas Maulana
#### Grand Conference <= 5.2 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39354**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Grand Conference | Event WordPress; Researcher: Bonds
#### Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39348**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Grand Restaurant WordPress; Researcher: Ananda Dhakal
#### Grand Restaurant WordPress <= 7.0 - Unauthenticated PHP Object Injection via Path Traversal
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32926**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Grand Restaurant WordPress; Researcher: Ananda Dhakal
#### Hospital Management System <= 47.0(20-11-2023) - Unauthenticated Arbitrary File Upload
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39380**; Patch Status: **Unpatched**; Published: **Apr 22, 2025**; Affected Software: Hospital Management System for WordPress; Researcher: Aiden (Thái An)
#### License For Envato <= 1.0.0 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39399**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: License For Envato; Researcher: Dimas Maulana
#### Opstore <= 1.4.5 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39387**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Opstore; Researcher: Dimas Maulana
#### Product Lister for eBay <= 2.0.9 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39384**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Product Lister for eBay; Researcher: Dimas Maulana
#### Service Finder Bookings <= 5.1 - Unauthenticated Privilege Escalation via 'nsl_registration_store_extra_input'
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-2470**; Patch Status: **Patched**; Published: **Apr 24, 2025**; Affected Software: Service Finder Bookings; Researcher: Alyudin Nafiie
#### SEUR Oficial <= 2.2.23 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-46474**; Patch Status: **Unpatched**; Published: **Apr 25, 2025**; Affected Software: SEUR Oficial; Researcher: Aiden (Thái An)
#### Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light <= 2.4.37 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39378**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Spreadsheet Price Changer for WooCommerce and WP E-commerce – Light; Researcher: Dimas Maulana
#### SUMO Reward Points <= 30.7.0 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32925**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: SUMO Reward Points for WooCommerce; Researcher: Bonds
#### WP FoodBakery <= 3.3 - Unauthenticated PHP Object Injection
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-32927**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: WP Foodbakery; Researcher: Bonds
#### Xews Lite <= 1.0.9 - Unauthenticated Local File Inclusion
CVSS Rating: **Critical (9.8)**; CVE-ID: **CVE-2025-39383**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Xews Lite; Researcher: Dimas Maulana
#### Database Toolset <= 1.8.4 - Unauthenticated Arbitrary File Deletion
CVSS Rating: **Critical (9.1)**; CVE-ID: **CVE-2025-3065**; Patch Status: **Unpatched**; Published: **Apr 23, 2025**; Affected Software: Database Toolset; Researcher: theviper17y
#### Aeropage Sync for Airtable <= 3.2.0 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3914**; Patch Status: **Patched**; Published: **Apr 25, 2025**; Affected Software: Aeropage Sync for Airtable; Researcher: Chuck
#### BM Content Builder <= 3.16.2.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-1279**; Patch Status: **Patched**; Published: **Apr 24, 2025**; Affected Software: BM Content Builder; Researcher: Tonn
#### Configurator Theme Core <= 1.4.7 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3101**; Patch Status: **Unpatched**; Published: **Apr 23, 2025**; Affected Software: Configurator Theme Core; Researcher: Tonn
#### Crossword Compiler Puzzles <= 5.2 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-46490**; Patch Status: **Unpatched**; Published: **Apr 25, 2025**; Affected Software: Crossword Compiler Puzzles; Researcher: astra.r3verii
#### Frontend Login and Registration Blocks <= 1.0.7 - Authenticated (Subscriber+) Privilege Escalation via Password Reset
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3607**; Patch Status: **Unpatched**; Published: **Apr 23, 2025**; Affected Software: Frontend Login and Registration Blocks; Researcher: kr0d
#### Greenshift 11.4 - 11.4.5 - Authenticated (Subscriber+) Arbitrary File Upload
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3616**; Patch Status: **Patched**; Published: **Apr 21, 2025**; Affected Software: Greenshift – animation and page builder blocks; Researcher: mikemyers
#### Integração entre Eduzz e Woocommerce 1.5.0 - 1.7.5 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3906**; Patch Status: **Unpatched**; Published: **Apr 25, 2025**; Affected Software: Integração entre Eduzz e Woocommerce; Researcher: kr0d
#### My Tickets – Accessible Event Ticketing <= 2.0.16 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3761**; Patch Status: **Patched**; Published: **Apr 23, 2025**; Affected Software: My Tickets – Accessible Event Ticketing; Researcher: Le Ngoc Anh
#### Popup Builder <= 1.1.35 - Authenticated (Subscriber+) Local File Inclusion
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-46230**; Patch Status: **Patched**; Published: **Apr 22, 2025**; Affected Software: Popup Builder; Researcher: LVT-tholv2k
#### Vikinger <= 1.9.30 - Authenticated (Subscriber+) Privilege Escalation via 'vikinger_user_meta_update_ajax'
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-2238**; Patch Status: **Patched**; Published: **Apr 24, 2025**; Affected Software: Vikinger; Researcher: Tonn
#### wProject < 5.8.0 - Authenticated (Subscriber+) Privilege Escalation
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-39366**; Patch Status: **Patched**; Published: **Apr 22, 2025**; Affected Software: wProject; Researcher: Dave Jong
#### Xelion Webchat <= 9.1.0 - Authenticated (Subscriber+) Arbitrary Options Update
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2025-3058**; Patch Status: **Patched**; Published: **Apr 23, 2025**; Affected Software: Xelion Webchat; Researcher: kr0d
#### Xpro Elementor Addons – Pro <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution
CVSS Rating: **High (8.8)**; CVE-ID: **CVE-2024-13808**; Patch Status: **Patched**; Published: **Apr 25, 2025**; Affected Software: Xpro Elementor Addons - Pro; Researcher: stealthcopter
#### Verification SMS with TargetSMS <= 1.5 - Unauthenticated Limited Remote Code Execution
CVSS Rating: **High (8.3)**; CVE-ID: **CVE-2025-3776**; Patch Status: **Unpatched**; Published: **Apr 23, 2025**; Affected Software: Verification SMS with TargetSMS; Researcher: Chuck
#### Grand Restaurant WordPress <= 7.0 - Missing Authorization to Unauthenticated Arbitrary Options Deletion
CVSS Rating: **High (8.2)**; CVE-ID: **CVE-2025-39352**; Patch Status: **Unpatched**; Published: **Apr 21, 2025**; Affected Software: Grand Restaurant WordPress; Researcher: Ananda Dhakal
#### WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Information Exposure via file_url Parameter
CVSS Rating: **High (8.2)**; CVE-ID: **CVE-2025-3529**; Patch Status: **Patched**; Published: **Apr 22, 2025**; Affected Software: WordPress Simple Shopping Cart; Researcher: Jack Taylor
#### Edumall <= 4.2.4 - Unauthenticated Local File Inclusion
CVSS Rating: **High (8.1)**; CVE-ID: **CVE-2025-2101**; Patch Status: **Patched**; Published: **Apr 25, 2025**; Affected Software: EduMall - Professional LMS Education Center WordPress Theme; Researcher: Tonn
#### JobSearch WP Job Board <= 2.8.8 - Authentication Bypass via Social Logins
CVSS Rating: **High (8.1)**; CVE-ID: **CVE-2024-11917**; Patch Status: **Unpatched**; Published: **Apr 24, 2025**; Affected Software: JobSearch WP Job Board; Researcher: Foxyyy
#### Jupiter X Core <= 4.8.11 - Unauthenticated PHP Object Injection via PHAR
CVSS Rating: **High (8.1)**; CVE-ID: **CVE-2025-2105**; Patch Status: **Patched**; Published: **Apr 25, 2025**; Affected Software: Jupiter X Core; Researcher: Phat RiO - BlueRock
#### Plugin Central <= 2.5.1 - Cross-Site Request Forgery to Arbitrary File Deletion
CVSS Rating: **High (8.1)**; CVE-ID: **CVE-2025-46439**; Patch Status: **Unpatched**; Published: **Apr 24, 2025**; Affected Software: Plugin Central; Researcher: Nguyen Xuan Chien
#### AnalyticsWP <= 2.1.2 - Unauthenticated SQL Injection
CVSS Rating: **High (7.5)**; CVE-ID: **CVE-2025-39389**; Patch Status: **Patched**; Published: **Apr 21, 2025**; Affected Software: AnalyticsWP; Researcher: Trương Hữu Phúc (truonghuuphuc)
#### Easy Guide <= 1.0.0 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-46460** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** WordPress Easy Guide **Researcher** Le Ngoc Anh More Details >
#### Fable Extra <= 1.0.6 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-46539** Patch Status **Patched** Published **Apr 25, 2025** **Affected Software** Fable Extra **Researcher** timomangcut More Details >
#### Frontend Dashboard <= 2.2.5 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-46248** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Frontend Dashboard **Researcher** Nguyen Ngoc Quang Bach (maysbachs) More Details >
#### Hospital Management System <= 47.0(20-11-2023) - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-39386** Patch Status **Unpatched** Published **Apr 22, 2025** **Affected Software** Hospital Management System for WordPress **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Mayosis Core <= 5.4.1 - Unauthenticated Arbitrary File Read 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-1565** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Mayosis Core **Researcher** Tonn More Details >
#### WordPress Simple PayPal Shopping Cart <= 5.1.2 - Unauthenticated Product Price Manipulation 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-3530** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** WordPress Simple Shopping Cart **Researcher** Jack Taylor More Details >
#### WP HRM LITE <= 1.1 - Unauthenticated SQL Injection 7.5 CVSS Rating **High (7.5)** CVE-ID **CVE-2025-46455** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** WP HRM LITE **Researcher** Hiro More Details >
#### Create custom forms for WordPress with a smart form plugin for smart businesses <= 1.2.4 - Unauthenticated Arbitrary Shortcode Execution 7.3 CVSS Rating **High (7.3)** CVE-ID **CVE-2025-2801** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Create custom forms for WordPress with a smart form plugin for smart businesses – Form builder for WordPress **Researcher** Avraham Shemesh More Details >
#### Add custom page template <= 2.0.1 - Authenticated (Administrator+) PHP Code Injection to Remote Code Execution 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-3491** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Add custom page template **Researcher** ch4r0n More Details >
#### eForm <= 4.18.0 - Unauthenticated Stored Cross-Site Scripting 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-1294** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** eForm - WordPress Form Builder **Researcher** shaman0x01 More Details >
#### Flickr Shortcode Importer <= 2.2.3 - Authenticated (Administrator+) PHP Object Injection 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-46481** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Flickr Shortcode Importer **Researcher** Ngo Bui Truong Vu More Details >
#### WPMasterToolKit (WPMTK) – All in one plugin <= 2.5.2 - Authenticated (Administrator+) to Arbitrary File Read and Write 7.2 CVSS Rating **High (7.2)** CVE-ID **CVE-2025-3300** Patch Status **Patched** Published **Apr 23, 2025** **Affected Software** WPMasterToolKit (WPMTK) – All in one plugin **Researcher** nquangit More Details >
#### Social Counter <= 2.0.5 - Authenticated (Administrator+) PHP Object Injection 6.6 CVSS Rating **Medium (6.6)** CVE-ID **CVE-2025-46473** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Social Counter **Researcher** Nguyen Ngoc Quang Bach (maysbachs) More Details >
#### Anps Theme plugin <= 1.1.1 - Unauthenticated Arbitrary Shortcode Execution 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2024-13812** Patch Status **Patched** Published **Apr 25, 2025** **Affected Software** Anps Theme plugin **Researcher** Lucio Sá More Details >
#### Appointment Booking Calendar <= 1.3.92 - Cross-Site Request Forgery to SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-46241** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Appointment Booking Calendar **Researcher** astra.r3verii More Details >
#### Appsero Helper <= 1.3.4 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39377** Patch Status **Unpatched** Published **Apr 21, 2025** **Affected Software** Appsero Helper **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes <= 1.4.9 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-3280** Patch Status **Unpatched** Published **Apr 23, 2025** **Affected Software** ELEX WooCommerce Advanced Bulk Edit Products, Prices & Attributes **Researcher** Phat RiO - BlueRock More Details >
#### FAT Services Booking <= 5.6 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39355** Patch Status **Unpatched** Published **Apr 21, 2025** **Affected Software** FAT Services Booking **Researcher** Aiden (Thái An) More Details >
#### Hospital Management System <= 47.0(20-11-2023) - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-39357** Patch Status **Unpatched** Published **Apr 21, 2025** **Affected Software** Hospital Management System for WordPress **Researcher** Aiden (Thái An) More Details >
#### Mailing Group Listserv <= 3.0.4 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-46463** Patch Status **Patched** Published **Apr 25, 2025** **Affected Software** Mailing Group Listserv **Researcher** timomangcut More Details >
#### Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-3472** Patch Status **Patched** Published **Apr 21, 2025** **Affected Software** Ocean Extra **Researcher** stealthcopter More Details >
#### Revy <= 2.1 - Authenticated (Subscriber+) SQL Injection 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-32924** Patch Status **Unpatched** Published **Apr 21, 2025** **Affected Software** Revy **Researcher** Aiden (Thái An) More Details >
#### ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter 6.5 CVSS Rating **Medium (6.5)** CVE-ID **CVE-2025-3775** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) **Researcher** mikemyers More Details >
#### 360 View <= 1.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46509** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** 360 View **Researcher** johska More Details >
#### Able Player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46475** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Able Player, accessible HTML5 media player **Researcher** johska More Details >
#### Able Player, accessible HTML5 media player <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via preload Parameter 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3752** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Able Player, accessible HTML5 media player **Researcher** Peter Thaleikis More Details >
#### Advanced Accordion Gutenberg Block <= 5.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-2543** Patch Status **Patched** Published **Apr 23, 2025** **Affected Software** Advanced Accordion Gutenberg Block **Researcher** Avraham Shemesh More Details >
#### Animate <= 0.5 - Authenticated (Contributor+) Server-Side Request Forgery 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46443** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Animate **Researcher** Nguyen Xuan Chien More Details >
#### Author Box After Posts <= 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46263** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Author Box After Posts **Researcher** Michael More Details >
#### Awesome Wp Image Gallery <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46476** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Awesome Wp Image Gallery **Researcher** muhammad yudha More Details >
#### BBCode Deluxe <= 2020.08.01.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46479** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** BBCode Deluxe **Researcher** johska More Details >
#### BeerXML Shortcode <= 0.71 - Authenticated (Contributor+) Server-Side Request Forgery 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46511** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** BeerXML Shortcode **Researcher** ch4r0n More Details >
#### Breeze Display <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via cal_size Parameter 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3749** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Breeze Display **Researcher** Peter Thaleikis More Details >
#### Carousel-of-post-images <= 1.07 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46536** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Carousel-of-post-images **Researcher** johska More Details >
#### Custom Related Posts <= 1.7.4 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46227** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Custom Related Posts **Researcher** muhammad yudha More Details >
#### Dropdown Content <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46478** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Dropdown Content **Researcher** muhammad yudha More Details >
#### Element Pack Elementor Addons (Header Footer, Template Library, Dynamic Grid, Carousel and Remote Arrows) <= 5.10.29 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-1458** Patch Status **Patched** Published **Apr 25, 2025** **Affected Software** Element Pack Addons for Elementor – Best Elementor addons with Ready Templates, Blocks, Widgets and WooCommerce Builder **Researcher** zer0gh0st More Details >
#### Enhanced Paypal Shortcodes <= 0.5a - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46543** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Enhanced Paypal Shortcodes **Researcher** johska More Details >
#### Event post <= 5.9.11 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46228** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Event post **Researcher** astra.r3verii More Details >
#### External Markdown <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46445** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** External Markdown **Researcher** johska More Details >
#### Fable Extra <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46447** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Fable Extra **Researcher** timomangcut More Details >
#### FuseDesk <= 6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via successredirect Parameter 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3832** Patch Status **Patched** Published **Apr 23, 2025** **Affected Software** FuseDesk **Researcher** Peter Thaleikis More Details >
#### GNA Search Shortcode <= 0.9.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46540** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** GNA Search Shortcode **Researcher** johska More Details >
#### GTDB Guitar Tuners <= 4.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46438** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** GTDB Guitar Tuners **Researcher** johska More Details >
#### GutenKit <= 2.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46253** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** GutenKit – Page Builder Blocks, Patterns, and Templates for Gutenberg Block Editor **Researcher** Khalid Yusuf More Details >
#### HTML Forms <= 1.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46236** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** HTML Forms – Simple WordPress Forms Plugin **Researcher** muhammad yudha More Details >
#### Image Hover Effects For WPBakery Page Builder <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46484** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Image Hover Effects For WPBakery Page Builder **Researcher** muhammad yudha More Details >
#### Image Style Hover <= 1.0.6 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46534** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Image Style Hover – Displays content when you hover on image **Researcher** johska More Details >
#### Inline Text Popup <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46538** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Inline Text Popup **Researcher** johska More Details >
#### Link Library <= 7.8 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46237** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Link Library **Researcher** muhammad yudha More Details >
#### List Last Changes <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46238** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** List Last Changes **Researcher** muhammad yudha More Details >
#### Lottie Player <= 1.1.8 - Authenticated (Author+) Stored Cross-Site Scripting via File Upload 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-2579** Patch Status **Patched** Published **Apr 23, 2025** **Affected Software** Lottie Player- Great Lottie Player Solution **Researcher** Avraham Shemesh More Details >
#### Mad Mimi for WordPress <= 1.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46262** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Mad Mimi for WordPress **Researcher** 0x1ceKing More Details >
#### Mini twitter feed <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46496** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Mini twitter feed **Researcher** johska More Details >
#### Mixcloud Embed <= 2.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46501** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Mixcloud Embed **Researcher** johska More Details >
#### MPL-Publisher <= 2.18.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46226** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** MPL-Publisher — Ebook & Audiobook Creator **Researcher** muhammad yudha More Details >
#### Multi-Column Taxonomy List <= 1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46491** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Multi-Column Taxonomy List **Researcher** johska More Details >
#### Nepali Post Date <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46480** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Nepali Post Date **Researcher** muhammad yudha More Details >
#### Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id' 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3458** Patch Status **Patched** Published **Apr 21, 2025** **Affected Software** Ocean Extra **Researcher** muhammad yudha More Details >
#### Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3457** Patch Status **Patched** Published **Apr 21, 2025** **Affected Software** Ocean Extra **Researcher** muhammad yudha More Details >
#### Peadig’s Google +1 Button <= 0.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46483** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Peadig’s Google +1 Button **Researcher** johska More Details >
#### Peekaboo <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46505** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Peekaboo **Researcher** johska More Details >
#### Post in page for Elementor <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46225** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Post in page for Elementor **Researcher** Gab More Details >
#### Posts for Page <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-39369** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Posts for Page **Researcher** theviper17y More Details >
#### RAphicon <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46467** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** RAphicon **Researcher** johska More Details >
#### RRSSB <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46461** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** RRSSB **Researcher** johska More Details >
#### Simple Download Counter <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46240** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Simple Download Counter **Researcher** muhammad yudha More Details >
#### Simple Google Photos Grid <= 1.5 - Authenticated (Contributor+) Server-Side Request Forgery 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46503** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Simple Google Photos Grid **Researcher** ch4r0n More Details >
#### Sirv <= 7.5.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46233** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Image Optimizer, Resizer and CDN – Sirv **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### SKT Blocks <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46235** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** SKT Blocks – Gutenberg based Page Builder **Researcher** zaim More Details >
#### Sky Addons for Elementor <= 3.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46260** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Sky Addons for Elementor (Free Templates Library, Live Copy, Animations, Post Grid, Post Carousel, Particles, Sliders, Chart, Blog, Video Gallery) **Researcher** João Pedro Soares de Alcântara More Details >
#### Tax Switch for WooCommerce <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via class-name Parameter 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-3814** Patch Status **Patched** Published **Apr 21, 2025** **Affected Software** Tax Switch for WooCommerce **Researcher** Peter Thaleikis More Details >
#### The Pack Elementor addons <= 2.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46472** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** The Pack Elementor addon **Researcher** Michael More Details >
#### Theme Switcha <= 3.4 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46239** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Theme Switcha – Easily Switch Themes for Development and Testing **Researcher** muhammad yudha More Details >
#### Tooltip <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46532** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WordPress Tooltip **Researcher** johska More Details >
#### UiCore Elements – Free Elementor widgets and templates <= 1.0.16 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-1054** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** UiCore Elements – Free Elementor widgets and templates **Researcher** Webbernaut More Details >
#### Visual Composer Website Builder <= 45.10.0 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46254** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Visual Composer Website Builder **Researcher** muhammad yudha More Details >
#### WoWHead Tooltips <= 2.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46449** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WoWHead Tooltips **Researcher** johska More Details >
#### WP AVCL Automation Helper (formerly WPFlyLeads) <= 3.4 - Authenticated (Subscriber+) Server-Side Request Forgery 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46531** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP AVCL Automation Helper (formerly WPFlyLeads) **Researcher** ch4r0n More Details >
#### WP Custom Post Popup <= 1.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46471** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP Custom Post Popup **Researcher** johska More Details >
#### WP Import Export Lite <= 3.9.27 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-2839** Patch Status **Patched** Published **Apr 21, 2025** **Affected Software** WP Import Export Lite **Researcher** Webbernaut More Details >
#### WP Quiz <= 2.0.10 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46482** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Best Quiz Plugin for WordPress: WP Quiz **Researcher** muhammad yudha More Details >
#### WP Vegas <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-43841** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** WP Vegas **Researcher** johska More Details >
#### Xpert Tab <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46542** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Xpert Tab **Researcher** johska More Details >
#### Zoho Creator Forms <= 1.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting 6.4 CVSS Rating **Medium (6.4)** CVE-ID **CVE-2025-46453** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Zoho Creator Forms **Researcher** johska More Details >
#### 1 Decembrie 1918 <= 1.dec.2012 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-3870** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** 1 Decembrie 1918 **Researcher** johska More Details >
#### ACF: Google Font Selector <= 3.0.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39382** Patch Status **Unpatched** Published **Apr 21, 2025** **Affected Software** ACF: Google Font Selector **Researcher** Dimas Maulana More Details >
#### Add Google +1 (Plus one) social share Button <= 1.0.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-3866** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Add Google +1 (Plus one) social share Button **Researcher** johska More Details >
#### Advanced lazy load <= 1.6.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46508** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Advanced lazy load **Researcher** johska More Details >
#### Ajax Comment Form CST <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-3867** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Ajax Comment Form CST **Researcher** johska More Details >
#### Anything Popup <= 7.3 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39397** Patch Status **Unpatched** Published **Apr 21, 2025** **Affected Software** Anything Popup **Researcher** Dimas Maulana More Details >
#### Best Posts Summary <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39374** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Best Posts Summary **Researcher** johska More Details >
#### CheckBot <= 1.05 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-43840** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** CheckBot **Researcher** johska More Details >
#### Contact Form 7 Calendar <= 3.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46510** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Contact Form 7 Calendar **Researcher** johska More Details >
#### Control Listings <= 1.0.4.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46234** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Control Listings – Classifieds Ads Directory Portal Manager **Researcher** Aiden (Thái An) More Details >
#### Custom Admin-Bar Favorites <= 0.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-3868** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Custom Admin-Bar Favorites **Researcher** johska More Details >
#### Custom Functions Plugin <= 1.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46512** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Custom Functions Plugin **Researcher** johska More Details >
#### Document Management System <= 1.24 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46448** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Document Management System **Researcher** Nguyen Xuan Chien More Details >
#### Drop Caps <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46495** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Drop Caps **Researcher** johska More Details >
#### Google News <= 2.5.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46452** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Google News **Researcher** Nguyen Xuan Chien More Details >
#### Hospital Management System <= 47.0(20-11-2023) - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39393** Patch Status **Unpatched** Published **Apr 22, 2025** **Affected Software** Hospital Management System for WordPress **Researcher** Aiden (Thái An) More Details >
#### Libro de Reclamaciones <= 1.0.1 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46446** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Libro de Reclamaciones **Researcher** Nguyen Xuan Chien More Details >
#### Loan Calculator <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46442** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Loan Calculator **Researcher** Nabil Irawan More Details >
#### LSD Custom taxonomy and category meta <= 1.3.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46502** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** LSD Custom taxonomy and category meta **Researcher** johska More Details >
#### Milat jQuery Automatic Popup <= 1.3.1 - Cross-Site Request Forgery to Stored Cross-site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46514** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Milat jQuery Automatic Popup **Researcher** johska More Details >
#### My Custom Widgets <= 2.0.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46526** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** My Custom Widgets **Researcher** johska More Details >
#### occupancyplan <= 1.0.3.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46450** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** occupancyplan **Researcher** Nguyen Xuan Chien More Details >
#### Related Posts via Taxonomies <= 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46520** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Related Posts via Taxonomies **Researcher** johska More Details >
#### Tayori Form <= 1.2.9 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46437** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Tayori Form Plugin **Researcher** Nguyen Xuan Chien More Details >
#### Time Based Greeting <= 2.2.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46435** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Time Based Greeting **Researcher** Nguyen Xuan Chien More Details >
#### Twitter Card Generator <= 1.0.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46516** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Twitter Card Generator **Researcher** johska More Details >
#### User Registration <= 4.1.5 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39400** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** User Registration & Membership – Custom Registration Form, Login Form, and User Profile **Researcher** Psai More Details >
#### Vasaio QR Code <= 1.2.5 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46504** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Vasaio QR Code **Researcher** johska More Details >
#### VikRestaurants Table Reservations and Take-Away <= 1.3.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46251** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** VikRestaurants Table Reservations and Take-Away **Researcher** Dhabaleshwar Das More Details >
#### WordPress Events Calendar Registration & Tickets <= 2.6.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39372** Patch Status **Unpatched** Published **Apr 22, 2025** **Affected Software** WordPress Events Calendar Registration & Tickets **Researcher** Bonds More Details >
#### Wp Custom CMS Block <= 2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46457** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Wp Custom CMS Block **Researcher** johska More Details >
#### WP Filter Post Category <= 2.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46524** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP Filter Post Category **Researcher** johska More Details >
#### wProject < 5.8.0 - Reflected Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-39365** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** wProject **Researcher** Dave Jong More Details >
#### WpZon – Amazon Affiliate Plugin <= 1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 6.1 CVSS Rating **Medium (6.1)** CVE-ID **CVE-2025-46506** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WpZon – Amazon Affiliate Plugin **Researcher** johska More Details >
#### Confirm User Registration <= 2.1.5 - Authenticated (Administrator+) Stored Cross-Site Scripting 5.5 CVSS Rating **Medium (5.5)** CVE-ID **CVE-2025-46459** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Confirm User Registration **Researcher** Nabil Irawan More Details >
#### Send From <= 2.2 - Authenticated (Administrator+) Stored Cross-Site Scripting 5.5 CVSS Rating **Medium (5.5)** CVE-ID **CVE-2025-46469** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Send From **Researcher** Nabil Irawan More Details >
#### WP Customize Login Page <= 1.6.5 - Authenticated (Administrator+) Stored Cross-Site Scripting 5.5 CVSS Rating **Medium (5.5)** CVE-ID **CVE-2025-46477** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP Customize Login Page **Researcher** Nabil Irawan More Details >
#### Prevent Direct Access 2.8.6 – 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions 5.4 CVSS Rating **Medium (5.4)** CVE-ID **CVE-2025-3861** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Prevent Direct Access – Protect WordPress Files **Researcher** 0xbro More Details >
#### Print Science Designer <= 1.3.155 - Cross-Site Request Forgery to Stored Cross-Site Scripting 5.4 CVSS Rating **Medium (5.4)** CVE-ID **CVE-2025-46465** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Print Science Designer **Researcher** Skalucy More Details >
#### Advanced Linked Variations for Woocommerce <= 1.0.3 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-46244** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Advanced Linked Variations for Woocommerce **Researcher** ch4r0n More Details >
#### Appointment Booking Calendar <= 1.3.92 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-46247** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Appointment Booking Calendar **Researcher** timomangcut More Details >
#### Bulk Assign Linked Products For WooCommerce <= 2.1 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-46489** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Bulk Assign Linked Products For WooCommerce **Researcher** ch4r0n More Details >
#### JNews <= 11.6.5 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39373** Patch Status **Unpatched** Published **Apr 22, 2025** **Affected Software** JNews - WordPress Newspaper Magazine Blog AMP Theme **Researcher** Ananda Dhakal More Details >
#### Memberpress <= 1.11.37 - Unauthenticated Content Restriction Bypass to Sensitive Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2024-11299** Patch Status **Patched** Published **Apr 21, 2025** **Affected Software** Memberpress **Researcher** Francesco Carlucci More Details >
#### Prevent Direct Access – Protect WordPress Files <= 2.8.8 - Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3923** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Prevent Direct Access – Protect WordPress Files **Researcher** Tom Broucke More Details >
#### Reales WP – Real Estate WordPress Theme <= 2.1.2 - Missing Authorization to Unauthenticated Attachment Deletion and Favorite Property Updates 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2024-13307** Patch Status **Unpatched** Published **Apr 23, 2025** **Affected Software** Reales WP - Real Estate WordPress Theme **Researcher** Lucio Sá More Details >
#### Upsell Funnel Builder for WooCommerce <= 3.0.0 - Unauthenticated Order Manipulation 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3743** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Upsell Funnel Builder for WooCommerce **Researcher** p4 More Details >
#### WP Customize Login Page <= 1.6.5 - Missing Authorization 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-46485** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP Customize Login Page **Researcher** Nabil Irawan More Details >
#### wProject < 5.8.0 - Missing Authorization to Unauthenticated Content Modification and Deletion 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-39350** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** wProject **Researcher** Dave Jong More Details >
#### WS Form LITE – Drag & Drop Contact Form Builder for WordPress <= 1.10.35 - Missing Authorization to Unauthenticated Sensitive Information Exposure 5.3 CVSS Rating **Medium (5.3)** CVE-ID **CVE-2025-3912** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** WS Form LITE – Drag & Drop Contact Form Builder for WordPress **Researcher** Amin Beheshti More Details >
#### Absolute Links <= 1.1.1 - Authenticated (Administrator+) SQL Injection 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-43833** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Absolute Links **Researcher** 0x1ceKing More Details >
#### Contact Form by Bit Form <= 2.18.3 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-2580** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Contact Form by Bit Form: Multi Step Form, Calculation Contact Form, Payment Contact Form & Custom Contact Form builder **Researcher** Avraham Shemesh More Details >
#### iCafe Library <= 1.8.3 - Authenticated (Editor+) SQL Injection 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-39370** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** iCafe Library **Researcher** 0x1ceKing More Details >
#### Message Filter for Contact Form 7 <= 1.6.3.2 - Authenticated (Administrator+) SQL Injection 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-46252** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Message Filter for Contact Form 7 **Researcher** Phat RiO - BlueRock More Details >
#### Watu Quiz <= 3.4.3 - Authenticated (Administrator+) SQL Injection 4.9 CVSS Rating **Medium (4.9)** CVE-ID **CVE-2025-46242** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Watu Quiz **Researcher** astra.r3verii More Details >
#### Blog Manager WP <= 1.0.5 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46517** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Blog Manager WP **Researcher** Nabil Irawan More Details >
#### Business Contact Widget <= 2.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46529** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Business Contact Widget **Researcher** Nabil Irawan More Details >
#### cookieBAR <= 1.7.0 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-43834** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** cookieBAR **Researcher** Nabil Irawan More Details >
#### COVID-19 (Coronavirus) Update Your Customers <= 1.5.1 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46523** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** COVID-19 (Coronavirus) Update Your Customers **Researcher** Nguyen Ngoc Quang Bach (maysbachs) More Details >
#### Floating Social Bar <= 1.1.7 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46451** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Floating Social Bar **Researcher** Nabil Irawan More Details >
#### Landing pages and Domain aliases for WordPress <= 0.8 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46533** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Landing pages and Domain aliases for WordPress **Researcher** Nabil Irawan More Details >
#### MangBoard WP <= 1.8.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via Board Header And Footer 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-3435** Patch Status **Patched** Published **Apr 23, 2025** **Affected Software** Mang Board WP **Researcher** nquangit More Details >
#### Seriously Simple Podcasting <= 3.9.0 - Authenticated (Editor+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46261** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Seriously Simple Podcasting **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Textmetrics <= 3.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46229** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Textmetrics **Researcher** Nabil Irawan More Details >
#### VForm <= 3.1.14 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46250** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Lifetime free Drag & Drop Contact Form Builder for WordPress VForm **Researcher** 0xVenus More Details >
#### WP Cookie Consent <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46525** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP Cookie Consent **Researcher** Nabil Irawan More Details >
#### WP-reCAPTCHA-bp <= 4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46541** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WP-reCAPTCHA-bp **Researcher** Nabil Irawan More Details >
#### WS Force Login Page <= 3.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting 4.4 CVSS Rating **Medium (4.4)** CVE-ID **CVE-2025-46521** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WS Force Login Page **Researcher** Nabil Irawan More Details >
#### Aeropage Sync for Airtable <= 3.2.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-3915** Patch Status **Patched** Published **Apr 25, 2025** **Affected Software** Aeropage Sync for Airtable **Researcher** Chuck More Details >
#### affiliate-toolkit <= 3.7.3 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46231** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** affiliate-toolkit – WP Affiliate Plugin with Amazon **Researcher** stealthcopter More Details >
#### All in One Time Clock Lite <= 1.3.324 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46513** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier **Researcher** Nabil Irawan More Details >
#### Author Box Plugin With Different Description <= 1.3.5 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39371** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Author Box Plugin With Different Description **Researcher** johska More Details >
#### Availability Calendar <= 0.2.4 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46528** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Availability Calendar **Researcher** johska More Details >
#### Call Now PHT Blog <= 2.4.1 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46492** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Call Now PHT Blog **Researcher** johska More Details >
#### Car Park Booking System for WordPress <= 2.6 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39376** Patch Status **Unpatched** Published **Apr 22, 2025** **Affected Software** Car Park Booking System for WordPress **Researcher** Ananda Dhakal More Details >
#### CM Ad Changer <= 2.0.5 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46245** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** CM Ad Changer – A simple tool to control and optimize your site's banners **Researcher** ch4r0n More Details >
#### CM Answers <= 3.3.3 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46246** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** CM Answers – Easy-to-use forum to grow your WP community **Researcher** ch4r0n More Details >
#### Custom Login and Registration <= 1.0.0 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46535** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Custom Login and Registration **Researcher** Nguyen Ngoc Quang Bach (maysbachs) More Details >
#### Download Alt Text AI <= 1.9.93 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46232** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Alt Text AI – Automatically generate image alt text for SEO and accessibility **Researcher** Trương Hữu Phúc (truonghuuphuc) More Details >
#### Easy Child Theme Creator <= 1.3.1 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39375** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** Easy Child Theme Creator **Researcher** Nguyen Xuan Chien More Details >
#### Hacklog Remote Attachment <= 1.3.2 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46530** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Hacklog Remote Attachment **Researcher** johska More Details >
#### Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue <= 4.2.2 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-39398** Patch Status **Unpatched** Published **Apr 22, 2025** **Affected Software** bellevuex **Researcher** Ananda Dhakal More Details >
#### Media Library Downloader <= 1.3.1 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46519** Patch Status **Patched** Published **Apr 24, 2025** **Affected Software** Media Library Downloader **Researcher** ch4r0n More Details >
#### Modern Polls <= 1.0.10 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46466** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Modern Polls **Researcher** Skalucy More Details >
#### Navegg Analytics <= 3.3.3 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46497** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Navegg Analytics **Researcher** johska More Details >
#### PayPal Express Checkout <= 2.1.2 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46499** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** PayPal Express Checkout **Researcher** johska More Details >
#### Recover abandoned cart for WooCommerce <= 2.2 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46243** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Recover abandoned cart for WooCommerce **Researcher** ch4r0n More Details >
#### SCSS-Library <= 0.4.1 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46436** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** SCSS-Library **Researcher** Nguyen Xuan Chien More Details >
#### Simple calendar for Elementor <= 1.6.4 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46249** Patch Status **Patched** Published **Apr 22, 2025** **Affected Software** Simple calendar for Elementor **Researcher** haudayroi More Details >
#### Smart Hashtags [#hashtagger] <= 7.2.3 - Missing Authorization 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46470** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Smart Hashtags [#hashtagger] **Researcher** domiee13 More Details >
#### Tabs <= 4.0.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46522** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WordPress Tabs **Researcher** johska More Details >
#### Unsafe Mimetypes <= 0.1.4 - Cross-Site Request Forgery to Stored Cross-Site Scripting 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46507** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Unsafe Mimetypes **Researcher** lucky_buddy More Details >
#### Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-1284** Patch Status **Unpatched** Published **Apr 23, 2025** **Affected Software** Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) **Researcher** Lucio Sá More Details >
#### wp-cyr-cho <= 0.1 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-43835** Patch Status **Unpatched** Published **Apr 25, 2025** **Affected Software** wp-cyr-cho | Конвертира кирилски символи в латиниски **Researcher** Nabil Irawan More Details >
#### WPVN <= 0.7.8 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46462** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** WPVN – Username Changer **Researcher** Skalucy More Details >
#### Zalo Official Live Chat <= 1.0.0 - Cross-Site Request Forgery 4.3 CVSS Rating **Medium (4.3)** CVE-ID **CVE-2025-46498** Patch Status **Unpatched** Published **Apr 24, 2025** **Affected Software** Zalo Official Live Chat **Researcher** haudayroi More Details >
#### Buddypress Force Password Change <= 0.1 - Authenticated (Subscriber+) Account Takeover via Password Update 4.2 CVSS Rating **Medium (4.2)** CVE-ID **CVE-2025-3793** Patch Status **Unpatched** Published **Apr 23, 2025** **Affected Software** Buddypress Force Password Change **Researcher** kr0d More Details >
* * *
_As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence._
This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us through our Bug Bounty Program, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.
Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.
Impact Assessment
| Base Score | 9.8 |
|---|---|
| Severity | CRITICAL |