Exposure of WordPress

Blogs, CMS
Exposure score: 2,139
Sites using it: 2,932,393
Exploited: 0
Critical: 176
Vexday analysis

WordPress has accumulated 2,381 catalogued CVEs, 174 of them classified as critical and 95 published in the last 90 days alone, which indicates a continuous and high inflow of new vulnerabilities for the platform. The most common weakness is CWE-79 (Cross-Site Scripting), reflecting the attack surface characteristic of environments with a large volume of third-party plugins and themes. Although the rate of active exploitation is below the overall average of the CISA KEV catalogue, the maximum observed EPSS reaches 0.977, and CVE-2022-21661, a SQL query vulnerability, has an EPSS of 0.978, signalling a very high probability of exploitation and deserving priority attention in any remediation plan. Security teams should actively monitor the pace of recent publications and maintain strict update policies, especially on installations with third-party extensions.

CVEs

2,406 results
CVE-2025-58855 | HIGH | WordPress AP HoneyPot WordPress Plugin Plugin <= 1.4 - Cross Site Request Forgery (CSRF) Vulnerability | EPSS 0.2%
CVE-2024-54356 | MEDIUM | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5 - Cross Site Request Forgery (CSRF) vulnerability | EPSS 0.2%
CVE-2025-0329 | MEDIUM | AI ChatBot for WordPress – WPBot < 6.2.4 - Admin+ Stored XSS | EPSS 0.2%
CVE-2025-0627 | LOW | AI Autotagger < 3.30.0 - Admin+ Stored XSS | EPSS 0.2%
CVE-2025-6488 | MEDIUM | isMobile <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via device Parameter | EPSS 0.2%
CVE-2025-10701 | MEDIUM | Time Clock – A WordPress Employee & Volunteer Time Clock Plugin <= 1.3.1 - Authenticated (Custom+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2021-36855 | MEDIUM | WordPress Booking Ultra Pro plugin <= 1.1.4 - Cross-Site Scripting (XSS) via Cross-Site Request Forgery (CSRF) vulnerability | EPSS 0.2%
CVE-2022-4533 | MEDIUM | Limit Login Attempts Plus <= 1.1.0 - IP Address Spoofing to Protection Mechanism Bypass | EPSS 0.2%
CVE-2023-34029 | MEDIUM | WordPress Disable WordPress Update Notifications Plugin <= 2.3.3 is vulnerable to Cross Site Request Forgery (CSRF) | EPSS 0.2%
CVE-2025-12580 | MEDIUM | SMS for WordPress <= 1.1.8 - Reflected Cross-Site Scripting | EPSS 0.2%
CVE-2024-44020 | MEDIUM | WordPress WP Free SSL plugin <= 1.2.6 - Broken Access Control vulnerability | EPSS 0.2%
CVE-2025-9858 | MEDIUM | Auto Bulb Finder for WordPress <= 2.8.0 - Authenticated (Contributor+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2025-8623 | MEDIUM | WeedMaps Menu for WordPress <= 1.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via weedmaps_menu Shortcode | EPSS 0.2%
CVE-2024-13458 | MEDIUM | WordPress SEO Friendly Accordion FAQ with AI assisted content generation <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting | EPSS 0.2%
CVE-2024-13572 | MEDIUM | Precious Metals Charts and Widgets for WordPress <= 1.2.8 - Authenticated (Contributor+) Stored Cross-site Scripting | EPSS 0.2%
CVE-2025-6067 | MEDIUM | Easy Social Feed – Social Photos Gallery – Post Feed – Like Box <= 6.6.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting | EPSS 0.2%
CVE-2022-38075 | MEDIUM | WordPress Mantenimiento web plugin <= 0.13 - Cross-Site Request Forgery (CSRF) vulnerability leading to Stored Cross-Site Scripting (XSS) | EPSS 0.2%
CVE-2025-58978 | MEDIUM | WordPress PDF Generator for WordPress Plugin <= 1.5.4 - Broken Access Control Vulnerability | EPSS 0.2%
CVE-2025-13861 | MEDIUM | HTML Forms – Simple WordPress Forms Plugin <= 1.6.0 - Unauthenticated Stored Cross-Site Scripting | EPSS 0.2%
CVE-2025-12469 | MEDIUM | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending | EPSS 0.2%