Exposure of WordPress

Category: Blogs, CMS
Exposure score: 2,061
Sites using it: 2,932,393
Exploited: 0
Critical: 174

Vexday analysis

WordPress has accumulated 2,381 catalogued CVEs, 174 of them rated critical and 95 published in the last 90 days alone, which indicates a continuous, high-volume flow of new vulnerabilities for the platform. The most common weakness is CWE-79 (Cross-Site Scripting), reflecting the attack surface typical of environments with a large volume of third-party plugins and themes. Although the rate of active exploitation is below the overall average of the CISA KEV catalog, the maximum observed EPSS reaches 0.977, and CVE-2022-21661, a SQL query vulnerability, has an EPSS of 0.978, signalling a very high probability of exploitation and deserving priority attention in any remediation plan. Security teams should actively monitor the pace of recent publications and maintain strict update policies, especially on installations with third-party extensions.

CVEs

2,387 results (20 shown)

CVE | Severity | Title | EPSS
CVE-2025-32238 | MEDIUM | WordPress Online Booking & Scheduling Calendar for WordPress by vcita plugin <= 4.5.5 - Sensitive Data Exposure vulnerability | EPSS 0.4%
CVE-2025-60190 | HIGH | WordPress Immocaster WordPress Plugin plugin <= 1.3.6 - Local File Inclusion vulnerability | EPSS 0.4%
CVE-2023-28666 | MEDIUM | The InPost Gallery WordPress plugin, in versions < 2.2.2, is affected by a reflected cross-site scripting vulnerability in the 'imgurl' para | EPSS 0.4%
CVE-2023-28664 | MEDIUM | The Meta Data and Taxonomies Filter WordPress plugin, in versions < 1.3.1, is affected by a reflected cross-site scripting vulnerability in | EPSS 0.4%
CVE-2023-41951 | MEDIUM | WordPress rtMedia for WordPress, BuddyPress and bbPress plugin <= 4.6.14 - Broken Access Control vulnerability | EPSS 0.4%
CVE-2024-51615 | CRITICAL | WordPress WordPress Auction Plugin plugin <= 3.7 - SQL Injection vulnerability | EPSS 0.4%
CVE-2022-2934 | MEDIUM | Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via Image URL | EPSS 0.4%
CVE-2022-2716 | MEDIUM | Beaver Builder – WordPress Page Builder <= 2.5.5.2 - Authenticated Stored Cross-Site Scripting via Text Editor | EPSS 0.4%
CVE-2023-5252 | MEDIUM | FareHarbor for WordPress <= 3.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | EPSS 0.4%
CVE-2021-36863 | MEDIUM | WordPress Quiz And Survey Master plugin <= 7.3.4 - Auth. Stored Cross-Site Scripting (XSS) vulnerability | EPSS 0.4%
CVE-2023-34172 | MEDIUM | WordPress WordPress Social Login Plugin <= 3.0.4 is vulnerable to Cross Site Scripting (XSS) | EPSS 0.4%
CVE-2022-38460 | MEDIUM | WordPress NOTICE BOARD plugin <= 1.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability | EPSS 0.4%
CVE-2025-13145 | HIGH | WP Import – Ultimate CSV XML Importer for WordPress <= 7.33.1 - Authenticated (Administrator+) PHP Object Injection via CSV Import | EPSS 0.4%
CVE-2022-40191 | MEDIUM | WordPress Contact Form By Mega Forms plugin <= 1.2.4 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability | EPSS 0.4%
CVE-2022-36791 | MEDIUM | WordPress Torro Forms plugin <= 1.0.16 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability | EPSS 0.4%
CVE-2024-10530 | MEDIUM | Kognetiks Chatbot for WordPress <= 2.1.7 - Missing Authorization to Authenticated (Subscriber+) Assistant Addition | EPSS 0.4%
CVE-2021-36849 | LOW | WordPress Social Media Share Buttons plugin <= 3.8.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability | EPSS 0.4%
CVE-2025-30996 | CRITICAL | Arbitrary File Upload Vulnerability in WordPress themes by Themify | EPSS 0.4%
CVE-2023-4772 | MEDIUM | Newsletter <= 7.8.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | EPSS 0.4%
CVE-2023-5062 | MEDIUM | WordPress Charts <= 0.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | EPSS 0.4%
