Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 6501 | CVE-2025-21367 | 0.17% | 38.3th | 7.8 | | This is a Windows kernel privilege escalation vulnerability in the Win32 subsystem that allows attac |
| 6502 | CVE-2025-21358 | 0.17% | 38.3th | 7.8 | | This Windows Core Messaging vulnerability allows attackers to elevate privileges on affected systems |
| 6503 | CVE-2024-13699 | 0.17% | 38.3th | 6.4 | | The Qi Addons For Elementor WordPress plugin has a stored cross-site scripting vulnerability in the |
| 6504 | CVE-2025-31627 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Media Library Assistant WordPress plugin |
| 6505 | CVE-2025-31610 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in WordPress Notification Bar plugins allows at |
| 6506 | CVE-2025-31575 | 0.17% | 38.2th | 5.9 | | This vulnerability allows attackers to inject malicious scripts into WordPress websites using the Fl |
| 6507 | CVE-2025-31472 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Flatty WordPress plugin allows attackers |
| 6508 | CVE-2025-31470 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the FancyThemes Page Takeover WordPress plug |
| 6509 | CVE-2025-31463 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the TGG WP Optimizer WordPress plugin allows |
| 6510 | CVE-2025-31437 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP-OGP WordPress plugin allows attackers |
| 6511 | CVE-2025-31031 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Job Colors for WP Job Manager WordPress |
| 6512 | CVE-2025-30904 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Ays Pro Chartify WordPress plugin allows |
| 6513 | CVE-2025-30847 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Ashley Novelist WordPress plugin allows |
| 6514 | CVE-2025-30799 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP Google Street View WordPress plugin a |
| 6515 | CVE-2025-30792 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Comment Approved Notifier Exte |
| 6516 | CVE-2025-30789 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Clearout Email Validator WordPress plugi |
| 6517 | CVE-2025-30545 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress issuuPress plugin allows attac |
| 6518 | CVE-2025-30540 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the AvaiBook WordPress plugin allows attacke |
| 6519 | CVE-2025-30536 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Beautiful Link Preview WordPress plugin |
| 6520 | CVE-2025-30532 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Weather Layer WordPress plugin allows at |
| 6521 | CVE-2025-30530 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the AI Preloader WordPress plugin allows att |
| 6522 | CVE-2025-29101 | 0.17% | 38.3th | 7.5 | | A stack overflow vulnerability in Tenda AC8V4.0 routers allows attackers to execute arbitrary code o |
| 6523 | CVE-2025-25567 | 0.17% | 38.3th | 9.8 | | SoftEther VPN 5.02.5187 contains a buffer overflow vulnerability in the UniToStrForSingleChars funct |
| 6524 | CVE-2024-53458 | 0.17% | 38.3th | 7.5 | | Sysax Multi Server 6.99 is vulnerable to denial of service when processing malicious SSH packets, ca |
| 6525 | CVE-2025-39562 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Payment Form for PayPal Pro WordPress pl |
| 6526 | CVE-2025-39444 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the MaxButtons WordPress plugin allows attac |
| 6527 | CVE-2025-39428 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Gravity Forms CSS Themes with Fontawesom |
| 6528 | CVE-2025-30720 | 0.17% | 38.3th | 6.1 | | This vulnerability in Oracle Configurator allows unauthenticated attackers with network access via H |
| 6529 | CVE-2025-32680 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Review Stream plugin allows at |
| 6530 | CVE-2025-32640 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress One Click Accessibility plugin |
| 6531 | CVE-2025-32493 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the BP Social Connect WordPress plugin allow |
| 6532 | CVE-2025-32489 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Wetterwarner WordPress plugin allows att |
| 6533 | CVE-2025-32483 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Request Call Back plugin allow |
| 6534 | CVE-2025-31035 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP Editor.md WordPress plugin allows att |
| 6535 | CVE-2025-31008 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the YouTube Embed WordPress plugin allows at |
| 6536 | CVE-2025-32135 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Split Test For Elementor WordPress plugi |
| 6537 | CVE-2025-32133 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Ays Pro Secure Copy Content Protection a |
| 6538 | CVE-2025-32131 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Social Intents WordPress plugin allows a |
| 6539 | CVE-2025-32129 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in Data443 Risk Mitigation's Welcome Bar WordPr |
| 6540 | CVE-2025-31837 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP Proposals WordPress plugin allows att |
| 6541 | CVE-2025-31806 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Webling WordPress plugin allows attacker |
| 6542 | CVE-2025-31793 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Piotnet Forms WordPress plugin allows at |
| 6543 | CVE-2025-31772 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP Modal Popup with Cookie Integration W |
| 6544 | CVE-2025-31742 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the PixelDima Dima Take Action WordPress plu |
| 6545 | CVE-2024-13613 | 0.17% | 38.2th | 7.5 | | The Wise Chat WordPress plugin exposes sensitive information through insecure file storage in the up |
| 6546 | CVE-2024-11372 | 0.17% | 38.3th | 7.2 | | The Connexion Logs WordPress plugin through version 3.0.2 contains a SQL injection vulnerability due |
| 6547 | CVE-2025-31223 | 0.17% | 38.3th | 8.0 | | This memory corruption vulnerability in Apple's WebKit browser engine allows attackers to execute ar |
| 6548 | CVE-2025-6424 | 0.17% | 38.3th | 9.8 | | A use-after-free vulnerability in Firefox's FontFaceSet implementation allows memory corruption that |
| 6549 | CVE-2025-25692 | 0.17% | 38.3th | 6.5 | | A PHAR deserialization vulnerability in PrestaShop v8.2.0 allows attackers to execute arbitrary code |
| 6550 | CVE-2025-32990 | 0.17% | 38.2th | 6.5 | | This CVE describes a heap-buffer-overflow vulnerability in GnuTLS's certtool utility when parsing te |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
