Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

164

EPSS > 50%

156

CISA KEV Listed

35,468

CVEs with EPSS

0.7%

Avg EPSS Score

All Critical High Medium Low

Rank	CVE ID	EPSS Score	Percentile	CVSS	Summary
7551	CVE-2025-20272	0.05%	13.5th	4.3	An authenticated low-privileged attacker can exploit insufficient input validation in certain REST A
7552	CVE-2025-60247	0.05%	13.5th	6.5	This CVE describes a Missing Authorization vulnerability in the Bux Woocommerce plugin for WordPress
7553	CVE-2025-62949	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in BuddyDev Activity Plus Reloaded for BuddyPre
7554	CVE-2025-11163	0.05%	13.7th	4.3	The SmartCrawl SEO plugin for WordPress has an authorization bypass vulnerability that allows authen
7555	CVE-2025-5873	0.05%	13.6th	6.3	This vulnerability allows remote attackers to upload arbitrary files to eCharge Hardy Barth Salia PL
7556	CVE-2025-62951	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the H5P WordPress plugin allows attackers to
7557	CVE-2025-13681	0.05%	13.8th	4.9	The BFG Tools – Extension Zipper WordPress plugin up to version 1.0.7 contains a path traversal vu
7558	CVE-2026-2147	0.05%	13.6th	5.3	This vulnerability in Tenda AC21 routers allows remote attackers to access sensitive information thr
7559	CVE-2025-37159	0.05%	13.7th	5.8	This vulnerability allows an authenticated remote attacker to hijack active user sessions in the AOS
7560	CVE-2026-0890	0.05%	13.8th	5.4	This CVE describes a spoofing vulnerability in Firefox and Thunderbird's DOM copy-paste and drag-dro
7561	CVE-2025-62289	0.05%	13.6th	4.9	This vulnerability in Oracle ZFS Storage Appliance Kit allows high-privileged attackers with network
7562	CVE-2024-27239	0.05%	13.7th	4.3	A use-after-free vulnerability in Zoom Workplace Apps and SDKs allows authenticated users to cause d
7563	CVE-2025-62963	0.05%	13.6th	6.5	This DOM-based Cross-Site Scripting (XSS) vulnerability in the Estatik WordPress plugin allows attac
7564	CVE-2024-27246	0.05%	13.7th	4.3	A use-after-free vulnerability in Zoom Workplace Apps and SDKs allows authenticated users to cause d
7565	CVE-2025-11742	0.05%	13.5th	4.3	This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to vi
7566	CVE-2025-62967	0.05%	13.6th	6.5	This DOM-based XSS vulnerability in the DirectoryPress WordPress plugin allows attackers to inject m
7567	CVE-2025-0239	0.05%	13.6th	4.0	This vulnerability allows attackers to bypass certificate validation when Firefox or Thunderbird red
7568	CVE-2025-62968	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the WP Last Modified Info WordPress plugin a
7569	CVE-2025-62969	0.05%	13.6th	6.5	This stored XSS vulnerability in NextMove Lite WordPress plugin allows attackers to inject malicious
7570	CVE-2025-52184	0.05%	13.7th	6.1	A cross-site scripting (XSS) vulnerability in Helpy.io v2.8.0 allows remote attackers to inject mali
7571	CVE-2025-62971	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the Attesa Extra WordPress plugin allows att
7572	CVE-2025-3929	0.05%	13.5th	6.1	This is a cross-site scripting (XSS) vulnerability in MDaemon Email Server that allows attackers to
7573	CVE-2025-62974	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the CoSchedule Headline Analyzer WordPress p
7574	CVE-2025-64630	0.05%	13.5th	4.7	This CVE describes a missing authorization vulnerability in the Strategy11 Team Business Directory W
7575	CVE-2025-5700	0.05%	13.5th	6.4	The Simple Logo Carousel WordPress plugin has a stored cross-site scripting vulnerability that allow
7576	CVE-2025-13448	0.05%	13.7th	6.4	The CSSIgniter Shortcodes WordPress plugin has a stored XSS vulnerability in the 'element' shortcode
7577	CVE-2025-9562	0.05%	13.7th	6.4	The Redirection for Contact Form 7 WordPress plugin has a stored XSS vulnerability in its qs_date sh
7578	CVE-2025-11803	0.05%	13.7th	6.4	The WPSite Shortcode WordPress plugin has a stored cross-site scripting vulnerability that allows au
7579	CVE-2026-0903	0.05%	13.6th	5.4	This vulnerability allows remote attackers to bypass Chrome's dangerous file type protections on Win
7580	CVE-2025-52626	0.05%	13.6th	4.5	A command injection vulnerability in HCL AION 2.0 allows attackers to execute arbitrary commands on
7581	CVE-2025-62983	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the WordPress Posts By Tag plugin allows att
7582	CVE-2025-62984	0.05%	13.6th	6.5	This stored XSS vulnerability in WPeka WP AdCenter allows attackers to inject malicious scripts into
7583	CVE-2025-62985	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the Simple Pull Quote WordPress plugin allow
7584	CVE-2025-6706	0.05%	13.6th	5.0	An authenticated MongoDB user can trigger a use-after-free vulnerability by executing specific aggre
7585	CVE-2025-64361	0.05%	13.6th	6.5	This DOM-based cross-site scripting (XSS) vulnerability in the Consulting Elementor Widgets WordPres
7586	CVE-2025-12964	0.05%	13.7th	6.4	The Magical Products Display WordPress plugin has a stored XSS vulnerability that allows authenticat
7587	CVE-2025-64362	0.05%	13.6th	6.5	This DOM-based Cross-Site Scripting (XSS) vulnerability in the SeventhQueen K Elements WordPress plu
7588	CVE-2025-64365	0.05%	13.6th	6.5	This DOM-based cross-site scripting (XSS) vulnerability in the Ohio Extra WordPress plugin allows at
7589	CVE-2025-65111	0.05%	13.7th	5.3	This vulnerability in SpiceDB causes missing LookupResources results when checking permissions defin
7590	CVE-2024-11029	0.05%	13.7th	5.5	This vulnerability in FreeIPA's API audit mechanism causes administrative credentials to be logged i
7591	CVE-2025-48088	0.05%	13.6th	6.5	This stored XSS vulnerability in Ultimate Addons for WPBakery Page Builder allows attackers to injec
7592	CVE-2025-64275	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the Booking Manager WordPress plugin allows
7593	CVE-2025-12935	0.05%	13.7th	6.4	This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
7594	CVE-2025-7487	0.05%	13.5th	6.3	This critical vulnerability in JoeyBling SpringBoot_MyBatisPlus allows remote attackers to upload ar
7595	CVE-2025-66053	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the Enfold WordPress theme allows attackers
7596	CVE-2026-22915	0.05%	13.8th	4.3	CVE-2026-22915 allows attackers with low privileges to read files from specific directories on affec
7597	CVE-2025-66057	0.05%	13.7th	6.3	This DOM-based Cross-Site Scripting (XSS) vulnerability in the Bold Page Builder WordPress plugin al
7598	CVE-2025-10901	0.05%	13.5th	4.3	The Originality.ai AI Checker WordPress plugin has an authorization vulnerability that allows authen
7599	CVE-2022-49285	0.05%	13.5th	5.5	A NULL pointer dereference vulnerability in the Linux kernel's MMA8452 accelerometer driver allows l
7600	CVE-2025-64380	0.05%	13.6th	6.5	This stored cross-site scripting (XSS) vulnerability in the Booster for WooCommerce plugin allows at

← Previous Page 152 of 332 Next →

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS which measures severity, EPSS measures likelihood of exploitation — making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.

Start Monitoring Free