Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
6551 | CVE-2025-58678 | 0.05% | 15.9th | 6.5 | | A missing authorization vulnerability in the PickPlugins Accordion WordPress plugin allows attackers
6552 | CVE-2025-58659 | 0.05% | 15.9th | 5.3 | | The Helpie FAQ WordPress plugin versions up to 1.39 contain hard-coded credentials that allow attack
6553 | CVE-2025-58656 | 0.05% | 15.9th | 5.3 | | This CVE describes a hard-coded credentials vulnerability in the Estonian Shipping Methods for WooCo
6554 | CVE-2025-58269 | 0.05% | 15.9th | 5.3 | | A hard-coded credentials vulnerability in weDevs WP Project Manager WordPress plugin allows attacker
6555 | CVE-2025-58247 | 0.05% | 15.9th | 5.3 | | This CVE describes a missing authorization vulnerability in the TI WooCommerce Wishlist WordPress pl
6556 | CVE-2025-58222 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Maidul Team Manager WordPress plugin
6557 | CVE-2025-58029 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Classic Widgets with Block-based Wid
6558 | CVE-2025-58006 | 0.05% | 15.9th | 4.7 | | This CVE describes an open redirect vulnerability in the WP Gravity Forms Keap/Infusionsoft WordPres
6559 | CVE-2025-58004 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the DriCub WordPress theme that allows a
6560 | CVE-2025-58003 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Javo Core WordPress plugin that allo
6561 | CVE-2025-58000 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Memberful WordPress plugin that allo
6562 | CVE-2025-57987 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the ThimPress WP Events Manager WordPres
6563 | CVE-2025-57976 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the CardCom Payment Gateway WordPress pl
6564 | CVE-2025-57971 | 0.05% | 15.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in SALESmanago & Leadoo WordPress plugins t
6565 | CVE-2025-57958 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the WPXPO WowAddons WordPress plugin tha
6566 | CVE-2025-57957 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the wpcraft WooMS WordPress plugin that
6567 | CVE-2025-57955 | 0.05% | 15.9th | 6.5 | | This CVE describes a missing authorization vulnerability in the Post Carousel Slider for Elementor W
6568 | CVE-2025-57944 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Skimlinks Affiliate Marketing Tool W
6569 | CVE-2025-57939 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the Image Hover Effects - Elementor Addo
6570 | CVE-2025-57921 | 0.05% | 15.8th | 5.3 | | This CVE describes a missing authorization vulnerability in the N-Media Frontend File Manager WordPr
6571 | CVE-2025-57909 | 0.05% | 15.9th | 6.5 | | This CVE describes a missing authorization vulnerability in the WordPress Editor Custom Color Palett
6572 | CVE-2025-57907 | 0.05% | 15.8th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Heureka WordPress plugin that allows
6573 | CVE-2025-7702 | 0.05% | 15.9th | 4.7 | | This CVE describes an open redirect vulnerability in Pusula Communication's Manageable Email Sending
6574 | CVE-2025-10059 | 0.05% | 15.7th | 6.5 | | An improper handling of the lsid field in sharded queries can cause MongoDB routers to crash when th
6575 | CVE-2025-58597 | 0.05% | 15.7th | 4.3 | | This vulnerability allows attackers to bypass authorization controls in wpForo Forum by manipulating
6576 | CVE-2025-9841 | 0.05% | 15.8th | 6.3 | | This vulnerability allows remote attackers to upload arbitrary files to Mobile Shop Management Syste
6577 | CVE-2025-62523 | 0.05% | 15.8th | 6.3 | | PILOS before version 4.8.0 has a CORS misconfiguration that reflects the Origin header without valid
6578 | CVE-2025-12268 | 0.05% | 15.7th | 6.3 | | This vulnerability allows remote attackers to upload arbitrary files to LearnHouse's Course Thumbnai
6579 | CVE-2025-49961 | 0.05% | 15.6th | 6.3 | | This CVE describes a Missing Authorization vulnerability in the Breeze Checkout WordPress plugin tha
6580 | CVE-2025-62598 | 0.05% | 15.6th | 6.1 | | This reflected cross-site scripting (XSS) vulnerability in WeGIA allows attackers to inject maliciou
6581 | CVE-2025-61454 | 0.05% | 15.6th | 6.1 | | A reflected Cross-Site Scripting (XSS) vulnerability in Bhabishya-123 E-commerce 1.0 allows attacker
6582 | CVE-2025-62415 | 0.05% | 15.9th | 6.9 | | This vulnerability allows authenticated administrators in Bagisto v2.3.7 to upload malicious HTML fi
6583 | CVE-2025-60015 | 0.05% | 15.6th | 5.7 | | An out-of-bounds write vulnerability in F5OS-A and F5OS-C software could allow attackers to corrupt
6584 | CVE-2025-31702 | 0.05% | 15.9th | 6.8 | | This vulnerability in certain Dahua embedded products allows attackers with normal user credentials
6585 | CVE-2025-11606 | 0.05% | 15.6th | 6.3 | | This CVE describes a SQL injection vulnerability in iPynch Social Network Website's search component
6586 | CVE-2025-9549 | 0.05% | 15.9th | 6.5 | | A missing authorization vulnerability in Drupal Facets allows attackers to access restricted content
6587 | CVE-2025-55971 | 0.05% | 15.6th | 4.7 | | This CVE describes a blind Server-Side Request Forgery (SSRF) vulnerability in TCL 65C655 Smart TVs
6588 | CVE-2025-54088 | 0.05% | 15.9th | 6.1 | | CVE-2025-54088 is an open-redirect vulnerability in Secure Access software that allows attackers wit
6589 | CVE-2025-13544 | 0.05% | 15.7th | 6.3 | | This CVE describes an unrestricted file upload vulnerability in ashraf-kabir travel-agency software
6590 | CVE-2025-63879 | 0.05% | 15.6th | 6.1 | | A reflected cross-site scripting (XSS) vulnerability in the /ecommerce/products.php component of E-c
6591 | CVE-2025-12862 | 0.05% | 15.7th | 6.3 | | CVE-2025-12862 is an unrestricted file upload vulnerability in projectworlds Online Notes Sharing Pl
6592 | CVE-2025-0875 | 0.05% | 15.6th | 6.5 | | This vulnerability allows attackers to bypass authorization controls in PROLIZ OBS Student Affairs I
6593 | CVE-2025-13789 | 0.05% | 15.9th | 6.3 | | This CVE describes a server-side request forgery (SSRF) vulnerability in ZenTao's AI module. Attacke
6594 | CVE-2025-13783 | 0.05% | 15.7th | 6.3 | | This CVE describes a SQL injection vulnerability in taosir WTCMS's comment administration component.
6595 | CVE-2025-12653 | 0.05% | 15.9th | 6.5 | | This vulnerability allows unauthenticated attackers to join arbitrary organizations in GitLab by man
6596 | CVE-2025-65019 | 0.05% | 15.6th | 5.4 | | This vulnerability in Astro's Cloudflare adapter allows attackers to inject malicious SVG payloads v
6597 | CVE-2024-44661 | 0.05% | 15.6th | 5.4 | | PHPGurukul Online Shopping Portal 2.0 contains a cross-site scripting vulnerability in the quantity
6598 | CVE-2024-44655 | 0.05% | 15.6th | 6.1 | | PHPGurukul Complaint Management System 2.0 contains a cross-site scripting vulnerability in the sear
6599 | CVE-2024-46336 | 0.05% | 15.6th | 6.1 | | Kashipara School Management System 1.0 contains a cross-site scripting (XSS) vulnerability in the fe
6600 | CVE-2024-46334 | 0.05% | 15.6th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into the kashipara School Management

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.
