Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Rank  CVE ID          EPSS Score  Percentile  CVSS  Flags  Summary
7901  CVE-2025-12661  0.04%       12.8th      6.4   -      The Pollcaster Shortcode Plugin for WordPress has a stored XSS vulnerability in the 'height' paramet
7902  CVE-2025-12660  0.04%       12.8th      6.4   -      The Padlet Shortcode WordPress plugin has a stored XSS vulnerability that allows authenticated attac
7903  CVE-2025-11802  0.04%       13th        6.4   -      The Bulma Shortcodes WordPress plugin has a stored XSS vulnerability in the 'bulma-notification' sho
7904  CVE-2025-11801  0.04%       13th        6.4   -      The AudioTube WordPress plugin has a stored XSS vulnerability in the 'caption' attribute of its shor
7905  CVE-2025-11800  0.04%       13th        6.4   -      The Surbma | MiniCRM Shortcode WordPress plugin has a stored XSS vulnerability that allows authentic
7906  CVE-2025-11799  0.04%       12.8th      6.4   -      The Affiliate AI Lite WordPress plugin has a stored XSS vulnerability in all versions up to 1.0.1. A
7907  CVE-2025-11770  0.04%       13th        6.4   -      The BrightTALK WordPress Shortcode plugin has a stored XSS vulnerability that allows authenticated a
7908  CVE-2025-11768  0.04%       13th        6.4   -      The Islamic Phrases WordPress plugin has a stored XSS vulnerability that allows authenticated attack
7909  CVE-2025-11767  0.04%       13th        6.4   -      The Tips Shortcode WordPress plugin has a stored cross-site scripting vulnerability that allows auth
7910  CVE-2025-11765  0.04%       13th        6.4   -      The Stock Tools WordPress plugin has a stored XSS vulnerability in all versions up to 1.1. Authentic
7911  CVE-2025-11764  0.04%       13th        6.4   -      This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
7912  CVE-2025-11763  0.04%       12.8th      6.4   -      The Display Pages Shortcode WordPress plugin has a stored XSS vulnerability in the 'column_count' pa
7913  CVE-2025-36371  0.04%       13.1th      6.5   -      IBM i operating systems (versions 7.2-7.6) have an information disclosure vulnerability in the datab
7914  CVE-2025-6251   0.04%       13th        6.4   -      This stored XSS vulnerability in the Royal Elementor Addons plugin allows authenticated attackers wi
7915  CVE-2025-12691  0.04%       13th        6.4   -      This stored XSS vulnerability in the Photonic Gallery WordPress plugin allows authenticated attacker
7916  CVE-2025-12457  0.04%       13th        6.4   -      This vulnerability allows authenticated WordPress users with Author-level permissions or higher to u
7917  CVE-2025-12088  0.04%       13th        6.4   -      The Meta Display Block WordPress plugin has a stored XSS vulnerability that allows authenticated att
7918  CVE-2025-8609   0.04%       12.8th      6.4   -      The RTMKit Addons for Elementor WordPress plugin has a stored cross-site scripting vulnerability tha
7919  CVE-2025-8605   0.04%       13th        6.4   -      This stored XSS vulnerability in the Gutenify WordPress plugin allows authenticated attackers with c
7920  CVE-2025-12823  0.04%       13th        6.4   -      The CSV to SortTable WordPress plugin has a stored XSS vulnerability in all versions up to 4.2. Auth
7921  CVE-2025-11868  0.04%       13th        6.4   -      The everviz WordPress plugin up to version 1.1 contains a stored cross-site scripting (XSS) vulnerab
7922  CVE-2025-13193  0.04%       13th        5.5   -      This vulnerability in libvirt allows unprivileged users to read snapshots of shut-down virtual machi
7923  CVE-2025-54562  0.04%       12.9th      4.3   -      This vulnerability in Desktop Alert PingAlert's Application Server (versions 6.1.0.11 to 6.1.1.2) al
7924  CVE-2025-13160  0.04%       13.1th      5.3   -      IQ-Support software by IQ Service International contains an information exposure vulnerability that
7925  CVE-2025-64749  0.04%       12.9th      4.3   -      This CVE describes an information disclosure vulnerability in Directus where unauthorized users can
7926  CVE-2025-8397   0.04%       12.8th      6.4   -      The Save as PDF Button WordPress plugin has a stored XSS vulnerability that allows authenticated att
7927  CVE-2025-11769  0.04%       12.8th      6.4   -      The WordPress Content Flipper plugin has a stored XSS vulnerability in the 'bgcolor' shortcode attri
7928  CVE-2025-10295  0.04%       13th        6.4   -      This stored XSS vulnerability in the Angel WordPress theme allows authenticated attackers with subsc
7929  CVE-2025-64705  0.04%       12.9th      4.3   -      CVE-2025-64705 is an information disclosure vulnerability in Frappe Learning Management System (LMS)
7930  CVE-2025-12732  0.04%       12.9th      4.3   -      This vulnerability in the WP Import – Ultimate CSV XML Importer WordPress plugin allows authentica
7931  CVE-2025-11863  0.04%       13th        6.4   -      The My Geo Posts Free WordPress plugin has a stored cross-site scripting vulnerability that allows a
7932  CVE-2025-11860  0.04%       13th        6.4   -      The Twitter Feed plugin for WordPress has a stored XSS vulnerability in versions up to 1.3.1. Authen
7933  CVE-2025-11859  0.04%       13th        6.4   -      This stored XSS vulnerability in the PayPal Donation Shortcode WordPress plugin allows authenticated
7934  CVE-2025-11856  0.04%       13th        6.4   -      The Eventbee Ticketing Widget plugin for WordPress has a stored cross-site scripting (XSS) vulnerabi
7935  CVE-2025-11829  0.04%       13th        6.4   -      The Five9 Live Chat WordPress plugin has a stored XSS vulnerability that allows authenticated users
7936  CVE-2025-11828  0.04%       12.8th      6.4   -      The Magazine Companion WordPress plugin has a stored XSS vulnerability that allows authenticated att
7937  CVE-2025-11822  0.04%       12.8th      6.4   -      The WP Bootstrap Tabs WordPress plugin has a stored XSS vulnerability that allows authenticated atta
7938  CVE-2025-11821  0.04%       12.8th      6.4   -      This vulnerability allows authenticated WordPress users with contributor-level access or higher to i
7939  CVE-2025-11805  0.04%       12.8th      6.4   -      The Skip to Timestamp WordPress plugin has a stored XSS vulnerability in all versions up to 1.4.4. A
7940  CVE-2025-11129  0.04%       12.8th      6.4   -      The Include Fussball.de Widgets WordPress plugin has a stored XSS vulnerability that allows authenti
7941  CVE-2025-42889  0.04%       13th        5.4   -      This SQL injection vulnerability in SAP Starter Solution allows authenticated attackers to execute a
7942  CVE-2025-12643  0.04%       12.8th      6.4   -      The Saphali LiqPay for donate WordPress plugin has a stored cross-site scripting vulnerability in al
7943  CVE-2025-12112  0.04%       13th        6.4   -      This vulnerability allows authenticated WordPress users with Author-level permissions or higher to i
7944  CVE-2022-50590  0.04%       12.9th      5.3   -      This vulnerability allows remote unauthenticated attackers to exploit a type confusion flaw in Suite
7945  CVE-2025-11745  0.04%       12.8th      6.4   -      This stored XSS vulnerability in the Ad Inserter WordPress plugin allows authenticated attackers wit
7946  CVE-2025-11162  0.04%       12.8th      6.4   -      This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
7947  CVE-2025-11812  0.04%       12.8th      6.4   -      The Reuse Builder WordPress plugin has a stored XSS vulnerability in all versions up to 1.7. Authent
7948  CVE-2025-12324  0.04%       13th        6.4   -      This stored XSS vulnerability in TablePress WordPress plugin allows authenticated attackers with con
7949  CVE-2025-11841  0.04%       13th        6.4   -      This vulnerability allows authenticated WordPress users with Contributor-level access or higher to i
7950  CVE-2025-63293  0.04%       12.8th      6.5   -      This vulnerability allows authenticated users to append comments or upload attachments to tickets th

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it useful for deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
