Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 5001 | CVE-2025-59565 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Swings Upsell Order Bump Offer for Wo |
| 5002 | CVE-2025-59553 | | 19.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Cust |
| 5003 | CVE-2025-59552 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Save as PDF WordPress plugin allows atta |
| 5004 | CVE-2025-58992 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Product Catalog Simple plugin |
| 5005 | CVE-2025-58965 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Fusion Page Builder Gallery extension al |
| 5006 | CVE-2025-58704 | | 19.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the WP D |
| 5007 | CVE-2025-58703 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Skyword API WordPress plugin allows atta |
| 5008 | CVE-2025-58702 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the MarketKing WordPress plugin allows attac |
| 5009 | CVE-2025-58684 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Themepoints Logo Showcase WordPress plug |
| 5010 | CVE-2025-58683 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Last Updated Shortcode plugin |
| 5011 | CVE-2025-58682 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Kama Click Counter WordPress plugin allo |
| 5012 | CVE-2025-58654 | | 19.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the xili-language WordPress plugin allows |
| 5013 | CVE-2025-58653 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the JSM file_get_contents() Shortcode WordPr |
| 5014 | CVE-2025-58652 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Carousel Ultimate WordPress plugin allow |
| 5015 | CVE-2025-58651 | | 19.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in PlayerJS WordPress plugin allows attacker |
| 5016 | CVE-2025-58648 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Simple JWT Login WordPress plugin allows |
| 5017 | CVE-2025-58265 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Events Manager - OpenStreetMap |
| 5018 | CVE-2025-58264 | | 19.8th | 6.5 | | A stored cross-site scripting (XSS) vulnerability in the JupiterX Core WordPress plugin allows attac |
| 5019 | CVE-2025-58263 | | 19.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Budd |
| 5020 | CVE-2025-58257 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Verowa Connect WordPress plugin allows a |
| 5021 | CVE-2025-58254 | | 19.8th | 6.5 | | This stored XSS vulnerability in StylePress for Elementor allows attackers to inject malicious scrip |
| 5022 | CVE-2025-58253 | | 19.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Real Estate Manager WordPress plugin |
| 5023 | CVE-2025-58248 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Pinterest Pinboard Widget WordPress plug |
| 5024 | CVE-2025-58242 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Bg Church Memos WordPress plugin allo |
| 5025 | CVE-2025-58241 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the SnapWidget Social Photo Feed Widget W |
| 5026 | CVE-2025-58240 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the xili-tidy-tags WordPress plugin allows a |
| 5027 | CVE-2025-58239 | | 19.8th | 6.5 | | This stored XSS vulnerability in the WP Category Dropdown WordPress plugin allows attackers to injec |
| 5028 | CVE-2025-58238 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in ONTRAPORT PilotPress WordPress plugin allows |
| 5029 | CVE-2025-58237 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the LC Wizard WordPress plugin allows attack |
| 5030 | CVE-2025-58235 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Rustaurius Front End Users WordPress plu |
| 5031 | CVE-2025-58233 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in Guaven Labs SQL Chart Builder WordPress plugin |
| 5032 | CVE-2025-58232 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the Ickata Image Editor by Pixo WordPress plugi |
| 5033 | CVE-2025-58231 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Bitly WordPress plugin allows attackers |
| 5034 | CVE-2025-58230 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the ZoloBlocks WordPress plugin allows at |
| 5035 | CVE-2025-58229 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Sitekit WordPress plugin allows attacker |
| 5036 | CVE-2025-58228 | | 19.8th | 6.5 | | This stored XSS vulnerability in Quick View for WooCommerce allows attackers to inject malicious scr |
| 5037 | CVE-2025-58227 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Podlove Subscribe button WordPress plugi |
| 5038 | CVE-2025-58220 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the Card Elements for WPBakery WordPress plugin |
| 5039 | CVE-2025-58031 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Nextend Facebook Connect WordPress plugin al |
| 5040 | CVE-2025-58030 | | 19.8th | 6.5 | | This stored Cross-Site Scripting (XSS) vulnerability in the WordPress Page-list plugin allows attack |
| 5041 | CVE-2025-58028 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Designil PDPA Thailand WordPress plugin |
| 5042 | CVE-2025-58027 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress NGG Smart Image Search plugin |
| 5043 | CVE-2025-58026 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Termageddon WordPress plugin allows atta |
| 5044 | CVE-2025-58023 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Genealogical Tree WordPress plugin allow |
| 5045 | CVE-2025-58022 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the maxpagels ShortCode WordPress plugin all |
| 5046 | CVE-2025-58021 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the List Child Pages Shortcode WordPress plu |
| 5047 | CVE-2025-58020 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Theater for WordPress plugin allows atta |
| 5048 | CVE-2025-58019 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Search Atlas SEO WordPress plugin allows |
| 5049 | CVE-2025-58018 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Mail Subscribe List WordPress plugin all |
| 5050 | CVE-2025-58017 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Ultimate Store Kit Elementor Addons allows a |

What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.