Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 5051 | CVE-2025-58008 | | 19.8th | 6.5 | | This stored XSS vulnerability in the Participants Database WordPress plugin allows attackers to inje… |
| 5052 | CVE-2025-58002 | | 19.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users… |
| 5053 | CVE-2025-58001 | | 19.8th | 6.5 | | A stored cross-site scripting (XSS) vulnerability in the WordPress Compact Archives plugin allows at… |
| 5054 | CVE-2025-57999 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in WPKoi Templates for Elementor allows atta… |
| 5055 | CVE-2025-57996 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Buckets WordPress plugin allows attacker… |
| 5056 | CVE-2025-57993 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Geolocation IP Detection WordPress plugi… |
| 5057 | CVE-2025-57989 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Widgets Shortcode plugin allow… |
| 5058 | CVE-2025-57988 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Uncanny Toolkit for LearnDash WordPress… |
| 5059 | CVE-2025-57986 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Subtitle WordPress plugin allows atta… |
| 5060 | CVE-2025-57973 | | 19.8th | 5.5 | | This stored XSS vulnerability in the WP-Members WordPress plugin allows attackers to inject maliciou… |
| 5061 | CVE-2025-57967 | | 19.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the WPB… |
| 5062 | CVE-2025-57966 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Gallery Lightbox WordPress plugin allows… |
| 5063 | CVE-2025-57965 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Proposals WordPress plugin allows att… |
| 5064 | CVE-2025-57964 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Library Bookshelves WordPress plugin all… |
| 5065 | CVE-2025-57963 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in Zoho Billing allows attackers to inject malicio… |
| 5066 | CVE-2025-57954 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Ays Pro Poll Maker WordPress plugin a… |
| 5067 | CVE-2025-57953 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the Open User Map WordPress plugin allows attac… |
| 5068 | CVE-2025-57948 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Directory Pro WordPress plugin allows… |
| 5069 | CVE-2025-57947 | | 19.8th | 6.5 | | This DOM-based XSS vulnerability in Ays Pro Photo Gallery WordPress plugin allows attackers to injec… |
| 5070 | CVE-2025-57938 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Easy Hotel Booking WordPress plugin a… |
| 5071 | CVE-2025-57932 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the PowerFolio WordPress plugin allows attac… |
| 5072 | CVE-2025-57913 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Behance Portfolio Manager WordPress plug… |
| 5073 | CVE-2025-57911 | | 19.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the WPFactory Adverts WordPress plugin allows a… |
| 5074 | CVE-2025-57910 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in AnyClip Luminous Studio WordPress plugin all… |
| 5075 | CVE-2025-57900 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the GutenKit WordPress plugin allows attacke… |
| 5076 | CVE-2025-53570 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the DELUCKS SEO WordPress plugin allows atta… |
| 5077 | CVE-2025-53463 | | 19.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the HT Mega plugin for WPBakery Page Buil… |
| 5078 | CVE-2025-53454 | | 19.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Ultimate WP Mail WordPress plugin allows… |
| 5079 | CVE-2025-10794 | | 19.9th | 4.3 | | This is a cross-site scripting (XSS) vulnerability in PHPGurukul Car Rental Project 3.0 that allows… |
| 5080 | CVE-2025-9035 | | 20th | 5.4 | | This is a reflected cross-site scripting (XSS) vulnerability in Horato Internet Technologies' Virtua… |
| 5081 | CVE-2025-10764 | | 19.9th | 6.3 | | This vulnerability in SeriaWei ZKEACMS allows attackers to perform server-side request forgery (SSRF… |
| 5082 | CVE-2025-43803 | | 19.9th | 4.3 | | An insecure direct object reference (IDOR) vulnerability in Liferay's Contacts Center widget allows… |
| 5083 | CVE-2025-8664 | | 20th | 6.3 | | This Cross-Site Scripting (XSS) vulnerability in StarCities E-Municipality Management allows attacke… |
| 5084 | CVE-2025-11958 | | 19.8th | 4.1 | | An improper input validation vulnerability in Devolutions Server's Security Dashboard ignored-tasks… |
| 5085 | CVE-2025-11712 | | 19.7th | 6.1 | | This vulnerability allows malicious web pages to bypass browser security controls using OBJECT tags… |
| 5086 | CVE-2025-11655 | | 19.7th | 4.7 | | This vulnerability allows remote attackers to upload arbitrary SVG files without proper restrictions… |
| 5087 | CVE-2025-11618 | | 19.7th | 4.3 | | A missing validation check in FreeRTOS-Plus-TCP's UDP/IPv6 packet processing can cause an invalid po… |
| 5088 | CVE-2025-35053 | | 19.8th | 6.4 | | CVE-2025-35053 allows authenticated users in Newforma Info Exchange (NIX) to read and delete arbitra… |
| 5089 | CVE-2025-25207 | | 19.9th | 5.7 | | CVE-2025-25207 is a denial-of-service vulnerability in Red Hat Connectivity Link's Authorino service… |
| 5090 | CVE-2025-11390 | | 19.9th | 4.3 | | This vulnerability allows attackers to inject malicious scripts into the PHPGurukul Cyber Cafe Manag… |
| 5091 | CVE-2025-11279 | | 19.7th | 5.5 | | This CSV injection vulnerability in Axosoft Scrum and Bug Tracking allows attackers to inject malici… |
| 5092 | CVE-2023-7328 | | 19.9th | 5.3 | | This vulnerability allows unauthenticated attackers to retrieve user data from Screen SFT DAB 600/C… |
| 5093 | CVE-2025-54292 | | 19.9th | 4.6 | | This path traversal vulnerability in Canonical LXD LXD-UI allows authenticated attackers to access o… |
| 5094 | CVE-2025-66026 | | 20th | 6.1 | | This is a reflected Cross-Site Scripting (XSS) vulnerability in REDAXO CMS that allows arbitrary Jav… |
| 5095 | CVE-2025-60916 | | 19.8th | 5.4 | | A reflected cross-site scripting (XSS) vulnerability in the /overview/network/ endpoint of Austrian… |
| 5096 | CVE-2025-13588 | | 19.7th | 6.3 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in lKinderBueno Streamity Xtre… |
| 5097 | CVE-2025-62372 | | 19.7th | 6.5 | | This vulnerability allows users to crash the vLLM inference engine by passing malformed multimodal e… |
| 5098 | CVE-2025-12524 | | 19.7th | 5.4 | | The Post Type Switcher WordPress plugin up to version 4.0.0 has an Insecure Direct Object Reference… |
| 5099 | CVE-2025-7711 | | 19.8th | 5.4 | | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to ex… |
| 5100 | CVE-2025-12763 | | 19.8th | 6.8 | | pgAdmin 4 on Windows systems contains a command injection vulnerability that allows attackers to exe… |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.