Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 6501 | CVE-2025-46532 | | 15.6th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Haris Zulfiqar Tooltip WordPress plug |
| 6502 | CVE-2025-46496 | | 15.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Mini Twitter Feed WordPress plugin allow |
| 6503 | CVE-2025-46484 | | 15.6th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Image Hover Effects For WPBakery Page |
| 6504 | CVE-2025-46480 | | 15.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Nepali Post Date WordPress plugin allows |
| 6505 | CVE-2025-46476 | | 15.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Awesome Wp Image Gallery WordPress plugi |
| 6506 | CVE-2025-46472 | | 15.6th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in The Pack Elementor addons WordPress plugin a |
| 6507 | CVE-2025-46467 | | 15.6th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the RAphicon WordPress plugin allows atta |
| 6508 | CVE-2025-46461 | | 15.6th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the RRSSB WordPress plugin allows attacke |
| 6509 | CVE-2025-46447 | | 15.6th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in WPFable Fable Extra WordPress plugin allo |
| 6510 | CVE-2025-48695 | | 15.7th | 6.4 | | A privilege escalation vulnerability in CyberDAVA allows low-privileged authenticated users to eleva |
| 6511 | CVE-2025-47939 | | 15.6th | 5.4 | | This vulnerability in TYPO3's file management module allows backend users to upload potentially harm |
| 6512 | CVE-2025-4863 | | 15.7th | 6.3 | | This critical vulnerability in Advaya Softech GEMS ERP Portal 2.1 allows remote attackers to execute |
| 6513 | CVE-2025-46747 | | 15.7th | 5.7 | | An authenticated user without user-management permissions can enumerate other user accounts in affec |
| 6514 | CVE-2025-3748 | | 15.8th | 6.4 | | The Taxonomy Chain Menu WordPress plugin contains a stored cross-site scripting (XSS) vulnerability |
| 6515 | CVE-2025-3890 | | 15.8th | 6.4 | | The WordPress Simple Shopping Cart plugin has a stored XSS vulnerability in its 'wp_cart_button' sho |
| 6516 | CVE-2025-52576 | | 15.8th | 5.3 | | This vulnerability in Kanboard allows attackers to enumerate valid usernames and bypass IP-based bru |
| 6517 | CVE-2025-5702 | | 15.6th | 5.6 | | This vulnerability in GNU C Library's Power10-optimized strcmp function corrupts non-volatile vector |
| 6518 | CVE-2025-24015 | | 15.6th | 5.3 | | This vulnerability in Deno runtime versions 1.46.0 through 2.1.6 fails to validate AES-GCM authentic |
| 6519 | CVE-2025-54126 | | 15.8th | 5.3 | | The WebAssembly Micro Runtime's iwasm package in versions 2.4.0 and below incorrectly handles IPv4 a |
| 6520 | CVE-2025-7919 | | 15.8th | 6.5 | | WinMatrix3 Web package has an unauthenticated SQL injection vulnerability that allows remote attacke |
| 6521 | CVE-2025-7755 | | 15.9th | 6.3 | | CVE-2025-7755 is a critical unrestricted file upload vulnerability in code-projects Online Ordering |
| 6522 | CVE-2025-6745 | | 15.7th | 5.3 | | The WoodMart WordPress theme plugin has an information exposure vulnerability that allows unauthenti |
| 6523 | CVE-2025-53512 | | 15.6th | 6.5 | | This vulnerability allows unauthorized users to access the /log endpoint on Juju controllers, exposi |
| 6524 | CVE-2025-48812 | | 15.7th | 5.5 | | This vulnerability allows an attacker to read memory outside the intended buffer in Microsoft Excel, |
| 6525 | CVE-2025-9728 | | 15.8th | 4.3 | | This is a reflected cross-site scripting (XSS) vulnerability in Vvveb CMS version 1.0.7.2 that allow |
| 6526 | CVE-2025-53337 | | 15.7th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the LifePress WordPress plugin that allo |
| 6527 | CVE-2025-55495 | | 15.9th | 6.5 | | This buffer overflow vulnerability in Tenda AC6 routers allows attackers to execute arbitrary code b |
| 6528 | CVE-2025-57886 | | 15.7th | 5.4 | | This vulnerability allows attackers to bypass authorization controls by manipulating user-controlled |
| 6529 | CVE-2025-43750 | | 15.6th | 6.5 | | This vulnerability allows unauthenticated remote users (including guest users) to upload malicious f |
| 6530 | CVE-2025-54717 | | 15.7th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the WP Membership WordPress plugin that |
| 6531 | CVE-2025-53221 | | 15.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the CodeablePress WordPress plugin that |
| 6532 | CVE-2025-54705 | | 15.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the WpEvently WordPress plugin that allo |
| 6533 | CVE-2025-54695 | | 15.7th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the HasTech HT Mega WordPress plugin tha |
| 6534 | CVE-2025-49736 | | 15.9th | 4.3 | | A spoofing vulnerability in Microsoft Edge for Android allows attackers to trick users into performi |
| 6535 | CVE-2025-59950 | | 15.8th | 6.7 | | This vulnerability in FreshRSS allows attackers to trick administrators into promoting unauthorized |
| 6536 | CVE-2025-59842 | | 15.9th | 4.3 | | This vulnerability in JupyterLab and Jupyter Notebook allows reverse tabnabbing attacks when users c |
| 6537 | CVE-2025-60155 | | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Virtual Assistant WordPress plugi |
| 6538 | CVE-2025-60130 | | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the WEDOS Global WordPress plugin that a |
| 6539 | CVE-2025-60129 | | 15.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Yext WordPress plugin that allows at |
| 6540 | CVE-2025-60121 | | 15.8th | 5.3 | | A missing authorization vulnerability in Ex-Themes WooEvents WordPress plugin allows attackers to by |
| 6541 | CVE-2025-60120 | | 15.9th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Directory Kit WordPress plugin th |
| 6542 | CVE-2025-58919 | | 15.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the guihom Wide Banner WordPress plugin |
| 6543 | CVE-2025-43819 | | 15.7th | 6.5 | | This vulnerability allows remote unauthenticated attackers to reuse expired user sessions through th |
| 6544 | CVE-2025-58069 | | 15.9th | 5.3 | | CVE-2025-58069 is a hard-coded cryptographic key vulnerability in Click Plus PLC firmware version 3. |
| 6545 | CVE-2025-9342 | | 15.9th | 6.5 | | This vulnerability allows attackers to bypass authorization controls in AHE Mobile by manipulating u |
| 6546 | CVE-2025-58969 | | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the WordPress Custom Login URL plugin th |
| 6547 | CVE-2025-58685 | | 15.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Cecabank WooCommerce Plugin for Word |
| 6548 | CVE-2025-58681 | | 15.9th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Easy Quotes WordPress plugin that al |
| 6549 | CVE-2025-58680 | | 15.9th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Gutentor WordPress plugin that allow |
| 6550 | CVE-2025-58679 | | 15.9th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the AppMySite WordPress plugin that allo |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation — making it well suited to prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.