Wordfence Intelligence Weekly WordPress Vulnerability Report (December 1, 2025 to December 7, 2025)

Last week, there were 179 vulnerabilities disclosed in 163 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 57 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to implement layered security, aligning with our overarching mission to secure WordPress with defense in depth strategies. That is why the Wordfence Intelligence user interface, vulnerability API, webhook integration, and Wordfence CLI Vulnerability Scanner are all completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report. As the world’s leading quality vulnerability database provider for WordPress, site owners can rest assured knowing Wordfence has their back.

Enterprises, Hosting Providers, and even Individuals can use the Wordfence CLI Vulnerability Scanner to run regular vulnerability scans across the sites they protect. Or alternatively, utilize the vulnerability Database API to receive a complete dump of our database of over 31,000 vulnerabilities and then utilize the webhook integration to stay on top of the newest vulnerabilities added in real-time, as well as any updates made to the database, all for free.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• • WAF-RULE-880 – Data redacted while we work with the vendor on a patch.
  • Motors <= 5.6.82 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
  • Soledad < = 8.6.9 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Total Vulnerabilities by CVSS Severity Last Week

Total Vulnerabilities by CWE Type Last Week

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Legion Hunter	17
Nabil Irawan	15
Athiwat Tiprasaharn (Jitlada)	14
Muhammad Yudha – DJ	9
Abdulsamad Yusuf (0xVenus)	8
type5afe	6
Ryan Kozak	6
kr0d	5
daroo	5
Md. Moniruzzaman Prodhan (NomanProdhan)	5
Muhammad Nur Ibnu Hubab (Ibnu)	4
Jonas Benjamin Friedli	4
Rafshanzani Suhada	4
Abu Hurayra (HurayraIIT)	4
Kishan Vyas	3
Ivan Cese	3
shark3y	3
Itthidej Aramsri (Boeing777)	3
Ananda Dhakal	3
dayea song	3
zaim	3
Mdr	3
Gilang – DJ	3
Certus Cybersecurity	2
benzdeus	2
Peter Thaleikis	2
NumeX	2
Phat RiO – BlueRock	2
lucky_buddy	2
YC_Infosec	2
Deadbee	2
mikemyers	2
Dmitrii Ignatyev	2
Doan Dinh Van	2
João Pedro S Alcântara (Kinorth)	2
ChamlaVic	2
Peerapat Samatathanyakorn	2
theviper17y	2
ISMAILSHADOW	1
Moose Love	1
Kai Aizen	1
Denver Jackson	1
0xQRx	1
Aurélien BOURDOIS (Elymaro)	1
Adrian Lukita	1
Powpy	1
Waris Damkham	1
zhenhua fan	1
Nicolai Hellesnes (nico_)	1
mahdi salhi (CaptinSharky01)	1
Farhan Dio Arrafiq	1
Rooting	1
Marcin Dudek (dudekmar)	1
シルAsuna	1
tmrswrr	1
Sarawut Poolkhet (MisterHelloz)	1
Jarno Vos (jarnovos)	1

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and earn a bounty on in-scope vulnerabilities through our Bug Bounty Program. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

WordPress Plugins with Reported Vulnerabilities Last Week

WordPress Themes with Reported Vulnerabilities Last Week

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities. If you’d like to receive real-time notifications whenever a vulnerability is added to the Wordfence Intelligence Vulnerability Database, check out our Slack and HTTP Webhook Integration, which is completely free to utilize.

WP Directory Kit <= 1.4.4 – Authentication Bypass to Privilege Escalation via Account Takeover

10.0

CVSS Rating
Critical (10.0)

CVE-ID
CVE-2025-13390

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
WP Directory Kit

Researcher

Ryan Kozak

More Details >

Advanced Custom Fields: Extended 0.9.0.5 – 0.9.1.1 – Unauthenticated Remote Code Execution in prepare_form

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13486

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
Advanced Custom Fields: Extended

Researcher

Marcin Dudek (dudekmar)

More Details >

CRM Memberships <= 2.5 – Missing Authorization to Privilege Escalation via Unauthenticated Password Reset in ‘ntzcrm_changepassword’ AJAX Endpoint

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13313

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
CRM Memberships

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

DesignThemes LMS <= 1.0.4 – Unauthenticated Privilege Escalation

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13542

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
DesignThemes LMS

Researcher

シルAsuna

More Details >

Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 – Authentication Bypass to Account Takeover

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-12374

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
User Verification by PickPlugins

Researcher

lucky_buddy

More Details >

Flex QR Code Generator <= 1.2.7 – Unauthenticated Arbitrary File Upload

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-12673

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Flex QR Code Generator

Researcher

Ryan Kozak

More Details >

Frontend Admin by DynamiApps <= 3.28.20 – Unauthenticated Arbitrary Options Update

9.8

CVSS Rating
Critical (9.8)

CVE-ID
CVE-2025-13342

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Frontend Admin by DynamiApps

Researcher

YC_Infosec

More Details >

10Web Booster <= 2.32.7 – Authenticated (Subscriber+) Arbitrary Folder Deletion via two_clear_page_cache

9.6

CVSS Rating
Critical (9.6)

CVE-ID
CVE-2025-13377

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
10Web Booster – Website speed optimization, Cache & Page Speed optimizer

Researcher

shark3y

More Details >

All-in-One Video Gallery 4.5.4 – 4.5.7 – Authenticated (Author+) Arbitrary File Upload via Import ZIP

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12966

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
All-in-One Video Gallery

Researcher

kr0d

More Details >

Auto Thumbnailer <= 1.0 – Authenticated (Contributor+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12154

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Auto Thumbnailer

Researcher

kr0d

More Details >

ContentStudio <= 1.3.7 – Authenticated (Author+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12181

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
ContentStudio

Researcher

kr0d

More Details >

Cost Calculator Builder <= 3.6.3 – Unauthenticated Arbitrary File Deletion

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12529

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Cost Calculator Builder

Researcher

YC_Infosec

More Details >

Demo Importer Plus <= 2.0.6 – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-13066

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Demo Importer Plus

Researcher

mikemyers

More Details >

Featured Image via URL <= 0.1 – Authenticated (Contributor+) Arbitrary FIle Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12153

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Featured Image via URL

Researcher

kr0d

More Details >

PostGallery <= 1.12.5 – Authenticated (Subscriber+) Arbitrary File Upload

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-13543

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
PostGallery

Researcher

Moose Love

More Details >

Starter Templates <= 4.4.41 – Authenticated (Author+) Arbitrary File Upload via WXR Upload Bypass

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-13065

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Starter Templates – AI-Powered Templates for Elementor & Gutenberg

Researcher

mikemyers

More Details >

User Generator and Importer <= 1.2.2 – Cross-Site Request Forgery to Privilege Escalation via Arbitrary Administrator Account Creation

8.8

CVSS Rating
High (8.8)

CVE-ID
CVE-2025-12879

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
User Generator and Importer

Researcher

Ivan Cese

More Details >

Cool Tag Cloud <= 2.29 – Authenticated (Contributor+) Stored Cross-Site Scripting

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-13614

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Cool Tag Cloud

Researcher

Muhammad Yudha – DJ

More Details >

My auctions allegro <= 3.6.32 – Unauthenticated Local File Inclusion via controller

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-12851

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
My auctions allegro

Researcher

type5afe

More Details >

SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers <= 1.9.0 – Unauthenticated Arbitrary File Upload

8.1

CVSS Rating
High (8.1)

CVE-ID
CVE-2025-13516

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
SureMail – SMTP and Email Logs Plugin with Amazon SES, Postmark, and Other Providers

Researcher

type5afe

More Details >

Modula 2.13.1 – 2.13.2 – Authenticated (Author+) Arbitrary File Upload via Race Condition

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-13646

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
Image Gallery – Photo Grid & Video Gallery

Researcher

0xQRx

More Details >

My auctions allegro <= 3.6.32 – Unauthenticated SQL Injection via auction_id

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-12850

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
My auctions allegro

Researcher

type5afe

More Details >

The7 Elements <= 2.7.11 – Authenticated (Contributor+) Local File Inclusion

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-63076

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
The7 Elements

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

VikRentCar Car Rental Management System <= 1.4.4 – Authenticated (Author+) SQL Injection via ‘month’ Parameter

7.5

CVSS Rating
High (7.5)

CVE-ID
CVE-2025-13724

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
VikRentCar Car Rental Management System

Researcher

zhenhua fan

More Details >

Kadence WooCommerce Email Designer <= 1.5.17 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-13387

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Kadence WooCommerce Email Designer

Researcher

shark3y

More Details >

Modula 2.13.1 – 2.13.2 – Authenticated (Author+) Arbitrary File Deletion

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-13645

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
Image Gallery – Photo Grid & Video Gallery

Researcher

ISMAILSHADOW

More Details >

Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto <= 1.3.65 – Unauthenticated Stored Cross-Site Scripting

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-11727

Patch Status
Unpatched

Published
Dec 3, 2025

Affected Software
Omnichannel for WooCommerce: Google, Amazon, eBay & Walmart Integration – Powered by Codisto

Researcher

shark3y

More Details >

Rich Shortcodes for Google Reviews <= 6.8 – Unauthenticated Stored Cross-Site Scripting via Google Review

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-12499

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Rich Shortcodes for Google Reviews

Researcher

Kishan Vyas

More Details >

Time Sheets <= 2.1.3 – Use of Known Vulnerable Component

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2013-6880

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Time Sheets

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Widgets for Google Reviews <= 13.2.4 – Unauthenticated Stored Cross-Site Scripting via Google Reviews

7.2

CVSS Rating
High (7.2)

CVE-ID
CVE-2025-12510

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Widgets for Google Reviews

Researcher

Kishan Vyas

More Details >

Export All Posts, Products, Orders, Refunds & Users <= 2.19 – Cross-Site Request Forgery to Sensitive Information Exposure

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13606

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Export All Posts, Products, Orders, Refunds & Users

Researcher

lucky_buddy

More Details >

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13359

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI

Researcher

type5afe

More Details >

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 – Authenticated (Contributor+) SQL Injection via ORDER BY Clause

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-13922

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI

Researcher

Dmitrii Ignatyev

More Details >

Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 – Authenticated (Contributor+) SQL Injection

6.5

CVSS Rating
Medium (6.5)

CVE-ID
CVE-2025-12483

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Visualizer: Tables and Charts Manager for WordPress

Researcher

Rafshanzani Suhada

More Details >

Advanced FAQ Manager <= 1.5.2 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67556

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
Advanced FAQ Manager

Researcher

Nabil Irawan

More Details >

Arconix Shortcodes <= 2.1.19 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13835

Patch Status
Unpatched

Published
Dec 1, 2025

Affected Software
Arconix Shortcodes

Researcher

Rooting

More Details >

Autoptimize <= 3.1.13 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13401

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Autoptimize

Researcher

Muhammad Yudha – DJ

More Details >

BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library <= 2.2.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via `timestamp` Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13697

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library

Researcher

Farhan Dio Arrafiq

More Details >

Booking Calendar <= 10.14.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via bookingcalendar Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12804

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Booking Calendar

Researcher

Muhammad Yudha – DJ

More Details >

Canadian Nutrition Facts Label <= 3.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Nutrition Label Custom Post Type

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12715

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Canadian Nutrition Facts Label

Researcher

Muhammad Yudha – DJ

More Details >

CryptX <= 4.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13739

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
CryptX

Researcher

Muhammad Yudha – DJ

More Details >

CSS3 Buttons <= 0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13907

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
CSS3 Buttons

Researcher

Gilang – DJ

More Details >

CSSIgniter Shortcodes <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘element’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13448

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
CSSIgniter Shortcodes

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Cute News Ticker <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘color’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13656

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Cute News Ticker

Researcher

ChamlaVic

More Details >

Easy Jump Links Menus <= 1.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13860

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Easy Jump Links Menus

Researcher

theviper17y

More Details >

Envo Extra <= 1.9.11 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-66066

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Envo Extra

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Extra Post Images <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13856

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Extra Post Images

Researcher

Gilang – DJ

More Details >

Funnel Builder by FunnelKit <= 3.13.1.2 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-66067

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
FunnelKit – Funnel Builder for WooCommerce Checkout

Researcher

zaim

More Details >

Generic Elements <= 1.2.8 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-62082

Patch Status
Unpatched

Published
Dec 7, 2025

Affected Software
Generic Elements

Researcher

Abu Hurayra (HurayraIIT)

More Details >

JNews Gallery < 12.0.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-67538

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
JNews Gallery

Researcher

Ananda Dhakal

More Details >

List Attachments Shortcode <= 0.4.1a – Authenticated (Author+) Stored Cross-Site Scripting via list-attachments Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12717

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
List Attachments Shortcode

Researcher

Muhammad Yudha – DJ

More Details >

Master Addons for Elementor <= 2.0.9.9.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63055

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Master Addons For Elementor – White Label, Free Widgets, Hover Effects, Conditions, & Animations

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Nexter Extension <= 4.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13731

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Nexter Extension – Site Enhancements Toolkit

Researcher

Muhammad Yudha – DJ

More Details >

Omnipress <= 1.6.5 – Authenticated (Author+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12163

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Omnipress

Researcher

Kai Aizen

More Details >

RevInsite <= 1.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13863

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
RevInsite

Researcher

theviper17y

More Details >

Sermon Manager <= 2.30.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12368

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Sermon Manager

Researcher

zaim

More Details >

Social Feed Gallery Portfolio <= 1.3 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘id’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13896

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Social Feed Gallery Portfolio

Researcher

Muhammad Yudha – DJ

More Details >

SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-12417

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
SurveyFunnel – Survey Plugin for WordPress

Researcher

Peter Thaleikis

More Details >

Thai Lottery Widget <= 2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13678

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Thai Lottery Widget

Researcher

Peerapat Samatathanyakorn

More Details >

TR Timthumb <= 1.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13899

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
TR Timthumb

Researcher

Peter Thaleikis

More Details >

Ultimate Review <= 2.3.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63057

Patch Status
Unpatched

Published
Dec 7, 2025

Affected Software
WP Ultimate Review

Researcher

zaim

More Details >

Ultra Skype Button <= 1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘btn_id’ Shortcode Attribute

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13898

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Ultra Skype Button

Researcher

Muhammad Yudha – DJ

More Details >

Xpro Elementor Addons <= 1.4.19.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-63044

Patch Status
Unpatched

Published
Dec 6, 2025

Affected Software
Xpro Addons — 140+ Widgets for Elementor

Researcher

Abu Hurayra (HurayraIIT)

More Details >

Yet Another WebClap for WordPress <= 0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

6.4

CVSS Rating
Medium (6.4)

CVE-ID
CVE-2025-13857

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Yet Another WebClap for WordPress

Researcher

Gilang – DJ

More Details >

ELEX WordPress HelpDesk & Customer Ticketing System <= 3.3.2 – Authenticated (Contributor+) Privilege Escalation via eh_crm_edit_agent AJAX Action

6.3

CVSS Rating
Medium (6.3)

CVE-ID
CVE-2025-13534

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
ELEX WordPress HelpDesk & Customer Ticketing System

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Clik stats <= 0.8 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13513

Patch Status
Unpatched

Published
Dec 3, 2025

Affected Software
Clik stats

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

CoSign Single Signon <= 0.3.1 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13512

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
CoSign Single Signon

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

CSV Sumotto <= 1.0 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13894

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
CSV Sumotto

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

dream gallery <= 1.0 – Cross-Site Request Forgery to Stored Cross-Site Scripting via ‘dreampluginsmain’ AJAX Action

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13621

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
dream gallery

Researcher

dayea song

More Details >

Jabbernotification <= 0.99-RC2 – Reflected Cross-Site Scripting via admin.php PATH_INFO

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13622

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Jabbernotification

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Link Whisper Free <= 0.8.8 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-11263

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Link Whisper Free

Researcher

Nicolai Hellesnes (nico_)

More Details >

Live Sales Notification for Woocommerce – Woomotiv <= 3.6.3 – Reflected Cross-Site Scripting

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13137

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Live Sales Notification for Woocommerce – Woomotiv

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

myLCO <= 0.8.1 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13626

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
myLCO

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Nouri.sh Newsletter <= 1.0.1.3 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13515

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Nouri.sh Newsletter

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Twitscription <= 0.1.1 – Reflected Cross-Site Scripting via admin.php PATH_INFO

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13623

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Twitscription

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

WP Social Ninja – Embed Social Feeds, Customer Reviews, Chat Widgets (Google Reviews, YouTube Feed, Photo Feeds, and More) <= 3.20.3 – Unauthenticated Stored Cross-Site Scripting via External Content Import

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13007

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
WP Social Ninja – Embed Social Feeds, User Reviews & Chat Widgets

Researcher

Kishan Vyas

More Details >

WP-SOS-Donate Donation Sidebar Plugin <= 0.9.2 – Reflected Cross-Site Scripting via $_SERVER[‘PHP_SELF’]

6.1

CVSS Rating
Medium (6.1)

CVE-ID
CVE-2025-13625

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
WP-SOS-Donate Donation Sidebar Plugin

Researcher

Abdulsamad Yusuf (0xVenus)

More Details >

Application Passwords <= 0.1.3 – Reflected Cross-Site Scripting via reject_url

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-13308

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Application Passwords

Researcher

Rafshanzani Suhada

More Details >

PDF Catalog for WooCommerce <= 1.1.18 – Authenticated (Subscriber+) Stored Cross-Site Scripting

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-12191

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
PDF Catalog for WooCommerce

Researcher

kr0d

More Details >

Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App <= 3.6.1 – Missing Authorization to Authenticated (Subscriber+) OAuth Token Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-12887

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Post SMTP – Complete SMTP Solution with Logs, Alerts, Backup SMTP & Mobile App

Researcher

type5afe

More Details >

weDocs <= 2.1.14 – Missing Authorization to Settings Update

5.4

CVSS Rating
Medium (5.4)

CVE-ID
CVE-2025-12505

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Accessiy By CodeConfig Accessibility <= 1.0.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Page Creation

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13358

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Accessiy by CodeConfig Widget for ADA, EAA & WCAG Compliance

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

AdForest <= 6.0.11 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67569

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
AdForest

Researcher

João Pedro S Alcântara (Kinorth)

More Details >

Constant Contact + WooCommerce <= 2.4.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67580

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Constant Contact + WooCommerce

Researcher

Legion Hunter

More Details >

CRM Memberships <= 2.5 – Missing Authorization to Unauthenticated ‘ntzcrm_add_new_tag’ AJAX Action

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13312

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
CRM Memberships

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

ERP <= 1.16.7 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63008

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting

Researcher

Legion Hunter

More Details >

Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin <= 2.3.8 – Missing Authorization to Unauthenticated Backup Failure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-10304

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
Everest Backup – WordPress Cloud Backup, Migration, Restore & Cloning Plugin

Researcher

Jonas Benjamin Friedli

More Details >

Feedback Modal for Website <= 1.0.1 – Missing Authorization to Unauthenticated Arbitrary Feedback Data Exfiltration via ‘export_data’ Parameter

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13528

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Feedback Modal for Website

Researcher

Legion Hunter

More Details >

Fluent Forms <= 6.1.7 – Unauthenticated Insecure Direct Object Reference to Payment Status Tampering via submission_id

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13748

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Formstack Online Forms <= 2.0.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62738

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Formstack Online Forms

Researcher

Legion Hunter

More Details >

g-FFL Cockpit <= 1.7.1 – Improper Authorization to Unauthenticated Product Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12720

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
g-FFL Cockpit

Researcher

Ryan Kozak

More Details >

g-FFL Cockpit <= 1.7.1 – Missing Authorization to Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12721

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
g-FFL Cockpit

Researcher

Ryan Kozak

More Details >

Google Analytics Events <= 2.8.2 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63009

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
WP Google Analytics Events – No-Code Custom Event Tracking for Google Analytics

Researcher

Legion Hunter

More Details >

Helloprint <= 2.1.2 – Missing Authorization to Unauthenticated Arbitrary Order Status Modification

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13666

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Plug your WooCommerce into the largest catalog of customized print products from Helloprint

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Hype <= 1.0.5 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-49348

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Hype

Researcher

NumeX

More Details >

Image Cleanup <= 1.9.2 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62737

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Image Cleanup

Researcher

Nabil Irawan

More Details >

MxChat – AI Chatbot for WordPress <= 2.5.5 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12585

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
MxChat – AI Chatbot for WordPress

Researcher

Ryan Kozak

More Details >

Order Delivery Date for WooCommerce <= 4.3.1 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63024

Patch Status
Unpatched

Published
Dec 3, 2025

Affected Software
Order Delivery Date for WooCommerce

Researcher

Legion Hunter

More Details >

Payaza <= 0.3.8 – Missing Authorization to Unauthenticated Order Status Update

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12355

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Payaza

Researcher

Legion Hunter

More Details >

Post Cloner <= 1.0.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62865

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Post Cloner

Researcher

Nabil Irawan

More Details >

Projectopia – WordPress Project Management <= 5.1.19 – Missing Authorization to Unauthenticated Arbitrary Attachment Deletion

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12876

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Projectopia – WordPress Project Management

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Rehub <= 19.9.9.1 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67565

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
REHub – Price Comparison, Multi Vendor Marketplace Wordpress Theme

Researcher

Ananda Dhakal

More Details >

SMS Alert Order Notifications <= 3.8.8 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66086

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
SMS Alert Order Notifications – WooCommerce

Researcher

benzdeus

More Details >

SSP Debug <= 1.0.0 – Unauthenticated Sensitive Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13494

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
SSP Debug

Researcher

Itthidej Aramsri (Boeing777)

More Details >

SurveyFunnel – Survey Plugin for WordPress <= 1.1.5 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13006

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
SurveyFunnel – Survey Plugin for WordPress

Researcher

Deadbee

More Details >

Tiktok Feed <= 1.0.23 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66110

Patch Status
Unpatched

Published
Dec 2, 2025

Affected Software
Feeds for TikTok – Display Video Feeds in Grid Layouts

Researcher

Legion Hunter

More Details >

User Spam Remover <= 1.1 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-62735

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
User Spam Remover

Researcher

Nabil Irawan

More Details >

Voidek Employee Portal <= 1.0.6 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-12093

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Voidek Employee Portal

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

WebP Express <= 0.25.9 – Unauthenticated Information Exposure

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-11379

Patch Status
Unpatched

Published
Dec 3, 2025

Affected Software
WebP Express

Researcher

Rafshanzani Suhada

More Details >

Wp Social Login and Register Social Counter <= 3.1.3 – Missing Authorization in Cache REST Endpoints to Social Counter Tampering

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13620

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Wp Social Login and Register Social Counter

Researcher

Dmitrii Ignatyev

More Details >

WpEvently <= 5.0.4 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-66083

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Event Booking Manager for WooCommerce

Researcher

Legion Hunter

More Details >

WPForms Google Sheet Connector <= 4.0.0 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-67570

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
GSheetConnector For WPForms

Researcher

Legion Hunter

More Details >

Yandex.Metrica <= 1.2.2 – Missing Authorization

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-63063

Patch Status
Unpatched

Published
Dec 7, 2025

Affected Software
Yandex.Metrica

Researcher

NumeX

More Details >

Zigaform <= 7.6.5 – Unauthenticated Form Submission Data Disclosure in rocket_front_payment_seesummary AJAX Endpoint

5.3

CVSS Rating
Medium (5.3)

CVE-ID
CVE-2025-13696

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Zigaform – Price Calculator & Cost Estimation Form Builder Lite

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

FluentCart A New Era of eCommerce <= 1.3.1 – Authenticated (Administrator+) SQL Injection via ‘groupKey’ Parameter

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-13495

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
FluentCart A New Era of eCommerce – Faster, Lighter, and Simpler

Researcher

Itthidej Aramsri (Boeing777)

More Details >

WP Directory Kit <= 1.4.6 – Authenticated (Admin+) SQL Injection

4.9

CVSS Rating
Medium (4.9)

CVE-ID
CVE-2025-13090

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
WP Directory Kit

Researcher

tmrswrr

More Details >

Custom Post Type UI <= 1.18.0 – Missing Authorization to Unauthenticated (Previously Administrator+) Custom Post Type Modification

4.8

CVSS Rating
Medium (4.8)

CVE-ID
CVE-2025-12826

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Custom Post Type UI

Researcher

mahdi salhi (CaptinSharky01)

More Details >

FitVids for WordPress <= 4.0.1 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-12124

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
FitVids for WordPress

Researcher

Jonas Benjamin Friedli

More Details >

Make Section & Column Clickable For Elementor <= 2.4 – Authenticated (Editor+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-63033

Patch Status
Unpatched

Published
Dec 7, 2025

Affected Software
Make Section & Column Clickable For Elementor

Researcher

Mdr

More Details >

Trail Manager <= 1.0.0 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-13682

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Trail Manager

Researcher

ChamlaVic

More Details >

Weekly Planner <= 1.0 – Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVSS Rating
Medium (4.4)

CVE-ID
CVE-2025-12186

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Weekly Planner

Researcher

Ivan Cese

More Details >

Accessiy By CodeConfig Accessibility – Easy One-Click Accessibility Toolbar That Truly Matters <= 1.0.0 – Authenticated (Subscriber+) Missing Authorization to Modify Accessibility Settings

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13309

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Accessiy by CodeConfig Widget for ADA, EAA & WCAG Compliance

Researcher

Peerapat Samatathanyakorn

More Details >

Actionwear products sync <= 2.3.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-49350

Patch Status
Unpatched

Published
Dec 6, 2025

Affected Software
Actionwear products sync

Researcher

Jarno Vos (jarnovos)

More Details >

Add Custom Codes <= 4.80 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62739

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Add Custom Codes – Insert Header, Footer, Custom PHP Snippets, CSS, Javascript

Researcher

Certus Cybersecurity

More Details >

AI CoPilot <= 1.2.7 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62994

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
WP AI CoPilot – AI content writer plugin, ChatGPT WordPress, GPT-3/4 , Ai assistance

Researcher

daroo

More Details >

ARK Related Posts <= 2.19 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13684

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
ARK Related Posts

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Auto Alt Text <= 2.5.2 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62866

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
Auto Alt Text

Researcher

Nabil Irawan

More Details >

Backup, Restore and Migrate your sites with XCloner <= 4.8.2 – Cross-Site Request Forgery in Xcloner_Remote_Storage:save()

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-11759

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Backup, Restore and Migrate your sites with XCloner

Researcher

Rafshanzani Suhada

More Details >

Beaver Builder – WordPress Page Builder <= 2.9.4 – Missing Authorization to Authenticated (Contributor+) Builder Status Tampering

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12782

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Beaver Builder Page Builder – Drag and Drop Website Builder

Researchers

Athiwat Tiprasaharn (Jitlada)

Itthidej Aramsri (Boeing777)

Powpy

Waris Damkham

More Details >

Beaver Builder – WordPress Page Builder <= 2.9.4 – Missing Authorization to Authenticated (Contributor+) Global Preset Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-11726

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Beaver Builder Page Builder – Drag and Drop Website Builder

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Bread & Butter: Gate content + Capture leads + Collect first-party data + Nurture with Ai agents <= 7.11.1374 – Cross-Site Request Forgery to Arbitrary File Upload

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12189

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Bread & Butter: Gate content & Improve lead conversion in 60 seconds

Researcher

Ryan Kozak

More Details >

Business Directory <= 6.4.19 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67596

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Business Directory Plugin – Easy Listing Directories for WordPress

Researcher

Legion Hunter

More Details >

Chartify <= 3.6.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66529

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Chartify – WordPress Chart Plugin

Researcher

Doan Dinh Van

More Details >

Contact Form by BestWebSoft <= 4.3.5 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63056

Patch Status
Unpatched

Published
Dec 7, 2025

Affected Software
Contact Form by BestWebSoft – Advanced WP Contact Form Builder for WordPress

Researcher

Phat RiO – BlueRock

More Details >

ContentStudio <= 1.3.7 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13144

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
ContentStudio

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Custom Layouts – Post + Product grids made easy <= 1.4.12 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62996

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Custom Layouts – Post + Product grids made easy

Researcher

daroo

More Details >

Custom Sidebars by ProteusThemes <= 1.0.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62733

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Custom Sidebars by ProteusThemes

Researcher

Nabil Irawan

More Details >

EPROLO Dropshipping <= 2.3.1 – Missing Authorization to Authenticated (Subscriber+) Tracking Data Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12133

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
EPROLO-Dropshipping

Researcher

Legion Hunter

More Details >

Ergonet Cache <= 1.0.11 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62867

Patch Status
Unpatched

Published
Dec 6, 2025

Affected Software
Ergonet Cache

Researcher

Nabil Irawan

More Details >

Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution <= 1.9.11 – Authenticated (Subscriber+) Missing Authorization to Calendar Import and Management

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13756

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Fluent Booking – The Ultimate Appointments Scheduling, Events Booking, Events Calendar Solution

Researcher

Md. Moniruzzaman Prodhan (NomanProdhan)

More Details >

Gravitec.net – Web Push Notifications <= 2.9.17 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62869

Patch Status
Unpatched

Published
Dec 6, 2025

Affected Software
Gravitec.net – Web Push Notifications

Researcher

Nabil Irawan

More Details >

Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons <= 3.0.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62090

Patch Status
Unpatched

Published
Dec 3, 2025

Affected Software
Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons

Researcher

Denver Jackson

More Details >

Happy Addons for Elementor <= 3.20.3 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63077

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Happy Addons for Elementor

Researcher

Mdr

More Details >

Hide Categories Or Products On Shop Page <= 1.0.7 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12128

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Hide Categories Or Products On Shop Page

Researcher

Jonas Benjamin Friedli

More Details >

HUSKY – Products Filter Professional for WooCommerce <= 1.3.7.2 – Authenticated (Subscriber+) Insecure Direct Object Reference via ‘woof_add_query/woof_remove_query’

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13109

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
HUSKY – Products Filter Professional for WooCommerce

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Image Cleanup <= 1.9.2 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62736

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Image Cleanup

Researcher

Nabil Irawan

More Details >

Image Optimizer by wps.sk <= 1.2.0 – Cross-Site Request Forgery to Bulk Image Optimization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12190

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Image Optimizer by wps.sk

Researcher

Sarawut Poolkhet (MisterHelloz)

More Details >

JNews Paywall < 12.0.1 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67591

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
JNews Paywall

Researcher

Ananda Dhakal

More Details >

Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12574

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Listar – Directory Listing & Classifieds WordPress Plugin

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 – Missing Authorization to Authenticated (Subscriber+) Listing Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12577

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
Listar – Directory Listing & Classifieds WordPress Plugin

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

Live CSS Preview <= 2.0.0 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12354

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Live CSS Preview

Researcher

Legion Hunter

More Details >

Media Library Downloader <= 1.4.0 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62734

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Media Library Downloader

Researcher

Nabil Irawan

More Details >

MultiParcels Shipping For WooCommerce <= 1.30.12 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62995

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
MultiParcels Shipping For WooCommerce

Researcher

Legion Hunter

More Details >

My Tickets <= 2.1.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64257

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
My Tickets – Accessible Event Ticketing

Researcher

daroo

More Details >

Norby AI <= 1.0.3 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13362

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Norby AI

Researcher

dayea song

More Details >

PDF Thumbnail Generator <= 1.4 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67469

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
PDF Thumbnail Generator

Researcher

Nabil Irawan

More Details >

Photo Gallery by Ays <= 6.4.8 – Cross-Site Request Forgery to Bulk Actions

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13685

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
Photo Gallery by Ays – Responsive Image Gallery

Researcher

Deadbee

More Details >

Portfolio and Projects <= 1.5.5 – Authenticated (Contributor+) Information Exposure

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67470

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Portfolio and Projects

Researcher

Nabil Irawan

More Details >

Quantic Social Image Hover <= 1.0.8 – Cross-Site Request Forgery to Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13360

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Quantic Social Image Hover

Researcher

dayea song

More Details >

Quiz Maker <= 6.7.0.82 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67595

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
Quiz Maker

Researcher

Doan Dinh Van

More Details >

Salon booking system <= 10.30.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66531

Patch Status
Patched

Published
Dec 7, 2025

Affected Software
Salon Booking System – Free Version

Researcher

daroo

More Details >

Search, Filters & Merchandising for WooCommerce <= 3.0.67 – Missing Authorization to Authenticated (Subscriber+) Plugin Deactivation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12091

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Search, Filters & Merchandising for WooCommerce

Researcher

Athiwat Tiprasaharn (Jitlada)

More Details >

ShopEngine <= 4.8.5 – Cross-Site Request Forgery to Wishlist Manipulation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12358

Patch Status
Patched

Published
Dec 2, 2025

Affected Software
ShopEngine Elementor WooCommerce Builder Addon – All in One WooCommerce Solution

Researcher

Adrian Lukita

More Details >

SMTP Mail <= 1.3.49 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-62762

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
SMTP Mail

Researcher

Nabil Irawan

More Details >

SurveyJS: Drag & Drop WordPress Form Builder <= 1.12.20 – Cross-Site Request Forgery to Survey Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13140

Patch Status
Patched

Published
Dec 1, 2025

Affected Software
SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity

Researcher

Muhammad Nur Ibnu Hubab (Ibnu)

More Details >

Tablesome <= 1.1.34 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66526

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Tablesome Table – Contact Form DB – WPForms, CF7, Gravity, Forminator, Fluent

Researcher

Certus Cybersecurity

More Details >

Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13354

Patch Status
Patched

Published
Dec 3, 2025

Affected Software
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI

Researcher

type5afe

More Details >

Takeads <= 1.0.13 – Missing Authorization to Plugin Settings Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12370

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Takeads

Researcher

Nabil Irawan

More Details >

Thank You Page Customizer for WooCommerce <= 1.1.8 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-66528

Patch Status
Patched

Published
Dec 5, 2025

Affected Software
Thank You Page Customizer for WooCommerce – Increase Your Sales

Researcher

daroo

More Details >

Thim Elementor Kit <= 1.3.3 – Authenticated (Contributor+) Insecure Direct Object Reference

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67594

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
Thim Kit for Elementor – Pre-built Templates & Widgets for Elementor

Researcher

Mdr

More Details >

Time Sheets <= 2.1.3 – Cross-Site Request Forgery

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-10055

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Time Sheets

Researcher

Aurélien BOURDOIS (Elymaro)

More Details >

Torod – The smart shipping and delivery portal for e-shops and retailers <= 1.9 – Cross-Site Request Forgery To Plugin’s Settings Modification

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12373

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Torod – The smart shipping and delivery portal for e-shops and retailers

Researcher

Nabil Irawan

More Details >

WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors <= 2.6.4 – Cross-Site Request Forgery to Vendor Product Deletion

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12130

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors

Researcher

Jonas Benjamin Friedli

More Details >

Webcake – Landing Page Builder <= 1.1 – Missing Authorization to Authenticated (Subscriber+) Settings Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-12165

Patch Status
Patched

Published
Dec 4, 2025

Affected Software
Webcake – Landing Page Builder

Researcher

Legion Hunter

More Details >

WooCommerce Payment Gateway – Paysera <= 3.9.0 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63015

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Paysera Payment Gateway for WooCommerce

Researcher

Legion Hunter

More Details >

WooCommerce PDF Invoices & Packing Slips <= 4.9.1 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-67589

Patch Status
Patched

Published
Dec 7, 2025

Affected Software
PDF Invoices & Packing Slips for WooCommerce

Researcher

Phat RiO – BlueRock

More Details >

WP Landing Page <= 0.9.3 – Cross-Site Request Forgery to Arbitrary Post Meta Update

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-13629

Patch Status
Unpatched

Published
Dec 5, 2025

Affected Software
WP Landing Page

Researcher

Ivan Cese

More Details >

WPKoi Templates for Elementor <= 3.4.4 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-64274

Patch Status
Patched

Published
Dec 6, 2025

Affected Software
WPKoi Templates for Elementor

Researcher

benzdeus

More Details >

Xagio SEO <= 7.1.0.29 – Missing Authorization

4.3

CVSS Rating
Medium (4.3)

CVE-ID
CVE-2025-63025

Patch Status
Unpatched

Published
Dec 4, 2025

Affected Software
Xagio SEO – AI Powered SEO

Researcher

Legion Hunter

More Details >