Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 8351 | CVE-2025-67566 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Woffice Core WordPress plugin that a |
| 8352 | CVE-2025-67568 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the xtemos Basel WordPress theme that al |
| 8353 | CVE-2025-67569 | | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the AdForest WordPress theme that allows |
| 8354 | CVE-2025-52493 | | 12th | 6.5 | | PagerDuty Runbook exposes stored secrets in the webpage DOM on configuration pages, allowing adminis |
| 8355 | CVE-2025-67570 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the WPForms Google Sheet Connector WordP |
| 8356 | CVE-2025-67571 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the WPFunnels WordPress plugin that allo |
| 8357 | CVE-2025-35431 | | 11.9th | 5.4 | | CVE-2025-35431 is an LDAP injection vulnerability in CISA Thorium that allows authenticated attacker |
| 8358 | CVE-2025-67572 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the PenciDesign PenNews WordPress theme |
| 8359 | CVE-2025-61330 | | 11.9th | 6.5 | | A hard-coded weak password vulnerability in H3C Magic-branded devices allows attackers to gain root |
| 8360 | CVE-2025-67573 | | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the ThimPress Sailing WordPress theme th |
| 8361 | CVE-2025-67574 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the wpdevart Booking Calendar plugin for |
| 8362 | CVE-2025-67575 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Sitewide Notice WP WordPress plugin |
| 8363 | CVE-2025-67576 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the QuantumCloud Simple Link Directory W |
| 8364 | CVE-2025-47221 | | 11.8th | 5.3 | | This vulnerability allows administrators in Keyfactor SignServer to write arbitrary files to any dir |
| 8365 | CVE-2025-0801 | | 12th | 4.3 | | This CSRF vulnerability in the RateMyAgent Official WordPress plugin allows unauthenticated attacker |
| 8366 | CVE-2025-67577 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Easy Form Builder WordPress plugin t |
| 8367 | CVE-2025-52620 | | 12.1th | 4.3 | | HCL BigFix SaaS Authentication Service contains a Cross-Site Scripting vulnerability in its image up |
| 8368 | CVE-2025-67578 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Email Capture WordPress plugin th |
| 8369 | CVE-2025-67579 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WordPress User Extra Fields plugin ( |
| 8370 | CVE-2026-24990 | | 11.8th | 5.4 | | This CVE describes a missing authorization vulnerability in the WP Docs WordPress plugin that allows |
| 8371 | CVE-2025-67580 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Constant Contact + WooCommerce WordP |
| 8372 | CVE-2025-10490 | | 11.8th | 4.4 | | The Zephyr Project Manager WordPress plugin has a stored XSS vulnerability in admin settings that al |
| 8373 | CVE-2025-1506 | | 12th | 4.3 | | This CSRF vulnerability in the Wp Social Login and Register Social Counter WordPress plugin allows u |
| 8374 | CVE-2025-67581 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the TrueBooker WordPress plugin that all |
| 8375 | CVE-2025-67582 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Wbcom Designs lock-my-bp WordPress p |
| 8376 | CVE-2025-67583 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the ThemeAtelier IDonate WordPress plugi |
| 8377 | CVE-2024-13859 | | 11.8th | 6.4 | | This vulnerability allows authenticated attackers with Subscriber-level access or higher to inject m |
| 8378 | CVE-2026-24995 | | 11.8th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the WordPress Latest Post Shortcode plug |
| 8379 | CVE-2025-67584 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the rtCamp GoDAM WordPress plugin that a |
| 8380 | CVE-2025-6308 | | 12th | 6.3 | | A critical SQL injection vulnerability in PHPGurukul Emergency Ambulance Hiring Portal 1.0 allows re |
| 8381 | CVE-2025-67586 | | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the WordPress Highlight and Share plugin |
| 8382 | CVE-2025-7149 | | 12th | 6.3 | | This critical SQL injection vulnerability in Campcodes Advanced Online Voting System 1.0 allows remo |
| 8383 | CVE-2025-14370 | | 12th | 5.3 | | The Quote Comments WordPress plugin has a missing authorization vulnerability that allows authentica |
| 8384 | CVE-2025-67844 | | 11.9th | 5.0 | | This vulnerability in Mintlify Platform's GitHub Integration API allows attackers to access sensitiv |
| 8385 | CVE-2025-10579 | | 11.9th | 5.3 | | The BackWPup WordPress plugin up to version 5.5.0 has an authorization vulnerability where authentic |
| 8386 | CVE-2025-65799 | | 11.9th | 4.3 | | CVE-2025-65799 is a path traversal vulnerability in usememos memos v0.25.2 that allows attackers to |
| 8387 | CVE-2025-11823 | | 12th | 6.4 | | This stored XSS vulnerability in the ShopLentor WooCommerce Builder plugin allows authenticated atta |
| 8388 | CVE-2025-44178 | | 12th | 6.5 | | DASAN GPON ONU H660WM routers with firmware version H660WMR210825 have improper access control in de |
| 8389 | CVE-2025-6847 | | 12th | 6.3 | | A critical SQL injection vulnerability exists in Simple Forum 1.0's /forum_edit.php file, allowing r |
| 8390 | CVE-2025-6605 | | 12th | 6.3 | | This critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 allows |
| 8391 | CVE-2026-25021 | | 11.8th | 5.4 | | This CVE describes a Missing Authorization vulnerability in the Mizan Demo Importer WordPress plugin |
| 8392 | CVE-2025-5699 | | 12th | 5.5 | | The Developer Formatter WordPress plugin has a stored cross-site scripting vulnerability in Custom C |
| 8393 | CVE-2025-6607 | | 12th | 6.3 | | This critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0 allows |
| 8394 | CVE-2025-6850 | | 12th | 6.3 | | CVE-2025-6850 is a critical SQL injection vulnerability in Simple Forum 1.0 that allows remote attac |
| 8395 | CVE-2025-6319 | | 12th | 6.3 | | A critical SQL injection vulnerability exists in PHPGurukul Pre-School Enrollment System 1.0, specif |
| 8396 | CVE-2025-68556 | | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the VillaTheme HAPPY WordPress plugin th |
| 8397 | CVE-2025-11776 | | 11.8th | 4.3 | | Mattermost versions before 11 have an authorization bypass vulnerability where guest users can disco |
| 8398 | CVE-2025-6320 | | 12th | 6.3 | | This critical SQL injection vulnerability in PHPGurukul Pre-School Enrollment System 1.0 allows atta |
| 8399 | CVE-2025-6609 | | 12th | 6.3 | | This is a critical SQL injection vulnerability in SourceCodester Best Salon Management System 1.0. A |
| 8400 | CVE-2022-50951 | | 12th | 6.4 | | WiFi File Transfer 1.0.8 has a persistent cross-site scripting vulnerability where attackers can inj |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 vulnerability with 90% EPSS.