Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. A higher score means a greater estimated likelihood of exploitation in the wild within the next 30 days; the percentile column gives the share of all scored CVEs whose EPSS score is at or below that row's.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
Ranks 8451 to 8500 of the list are shown; every row on this page has an EPSS score of 0.04%.

Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary
8451 | CVE-2025-12481 | 0.04% | 11.8th | 4.3 | | The WP Duplicate Page WordPress plugin has a missing authorization vulnerability that allows authent
8452 | CVE-2025-3468 | 0.04% | 12th | 6.4 | | This vulnerability allows authenticated attackers with Custom-level access in WordPress to inject ma
8453 | CVE-2025-62740 | 0.04% | 12th | 5.3 | | This vulnerability allows unauthorized users to access CRM data and functions due to broken access c
8454 | CVE-2025-62865 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the WordPress Post Cloner plugin that al
8455 | CVE-2025-39937 | 0.04% | 12th | 5.5 | | A NULL pointer dereference vulnerability in the Linux kernel's rfkill-gpio driver could cause kernel
8456 | CVE-2025-61148 | 0.04% | 11.9th | 6.5 | | An Insecure Direct Object Reference (IDOR) vulnerability in EduplusCampus 3.0.1 allows authenticated
8457 | CVE-2025-62141 | 0.04% | 12th | 5.3 | | CVE-2025-62141 is a missing authorization vulnerability in the 101gen Wawp WordPress plugin that all
8458 | CVE-2025-12971 | 0.04% | 11.8th | 4.3 | | This vulnerability in the WordPress Folders plugin allows authenticated attackers with Contributor-l
8459 | CVE-2025-62145 | 0.04% | 12th | 5.3 | | A missing authorization vulnerability in the NewClarity DMCA Protection Badge WordPress plugin allow
8460 | CVE-2025-62870 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Eupago Gateway for WooCommerce WordP
8461 | CVE-2025-62147 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Realbig WordPress plugin that allows
8462 | CVE-2024-57931 | 0.04% | 11.8th | 5.5 | | This CVE addresses a vulnerability in the Linux kernel's SELinux subsystem where encountering unknow
8463 | CVE-2025-52599 | 0.04% | 12th | 6.5 | | This vulnerability involves inadequate permission management for camera guest accounts in Hanwha Vis
8464 | CVE-2025-63001 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the nicdark Hotel Booking WordPress plug
8465 | CVE-2025-62401 | 0.04% | 11.9th | 5.4 | | A vulnerability in Moodle's timed assignment feature allows students to bypass time restrictions, po
8466 | CVE-2025-8843 | 0.04% | 11.9th | 5.3 | | A heap-based buffer overflow vulnerability in NASM Netwide Assembler 2.17rc0 allows attackers with l
8467 | CVE-2025-63016 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the QuadLayers TikTok Feed WordPress plu
8468 | CVE-2025-63022 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Illia Simple Like Page WordPress plu
8469 | CVE-2025-63031 | 0.04% | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the WP Grids EasyTest WordPress plugin t
8470 | CVE-2025-7167 | 0.04% | 12th | 6.3 | | This critical SQL injection vulnerability in Responsive Blog Site 1.0 allows remote attackers to exe
8471 | CVE-2026-24055 | 0.04% | 11.8th | 5.3 | | This vulnerability allows unauthenticated attackers to bind their Slack workspace to any Langfuse pr
8472 | CVE-2025-63053 | 0.04% | 12.1th | 5.3 | | This vulnerability allows attackers to bypass authorization controls in the Jewel Theme Master Addon
8473 | CVE-2025-58121 | 0.04% | 11.8th | 5.4 | | This vulnerability allows low-privileged users in Checkmk to bypass permission checks on REST API en
8474 | CVE-2025-49334 | 0.04% | 12.1th | 5.3 | | This vulnerability allows attackers to bypass authorization controls in the MyD Delivery WordPress p
8475 | CVE-2025-49338 | 0.04% | 12th | 5.3 | | This CVE describes a missing authorization vulnerability in the Flowbox WordPress plugin that allows
8476 | CVE-2025-6909 | 0.04% | 12th | 6.3 | | This CVE describes a critical SQL injection vulnerability in PHPGurukul Old Age Home Management Syst
8477 | CVE-2025-12820 | 0.04% | 12th | 5.3 | | The Pure WC Variation Swatches WordPress plugin through version 1.1.7 lacks proper authorization che
8478 | CVE-2025-62782 | 0.04% | 11.8th | 5.3 | | InventoryGui library versions 1.6.3-SNAPSHOT and earlier contain a vulnerability that allows item du
8479 | CVE-2025-63008 | 0.04% | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in weDevs WP ERP plugin for WordPress that
8480 | CVE-2025-62079 | 0.04% | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Damian WP Export Categories & Taxono
8481 | CVE-2025-9865 | 0.04% | 11.9th | 5.4 | | This vulnerability allows attackers to spoof website domains in Google Chrome on Android by tricking
8482 | CVE-2025-5237 | 0.04% | 11.9th | 6.4 | | This stored XSS vulnerability in the Target Video Easy Publish WordPress plugin allows authenticated
8483 | CVE-2026-0742 | 0.04% | 12.1th | 6.4 | | The Smart Appointment & Booking WordPress plugin has a stored XSS vulnerability that allows authenti
8484 | CVE-2025-14581 | 0.04% | 12th | 5.3 | | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to su
8485 | CVE-2025-54394 | 0.04% | 12th | 5.3 | | Netwrix Directory Manager versions 11.0.0.0 through 11.1.25162.02 insufficiently protect credentials
8486 | CVE-2025-62092 | 0.04% | 12th | 5.3 | | CVE-2025-62092 is a missing authorization vulnerability in the Wiremo WordPress plugin that allows a
8487 | CVE-2025-6913 | 0.04% | 12th | 6.3 | | A critical SQL injection vulnerability exists in PHPGurukul Student Record System 3.2 through the /a
8488 | CVE-2025-63023 | 0.04% | 12.1th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Payment Gateway for PayPal on WooCom
8489 | CVE-2025-62116 | 0.04% | 12th | 5.3 | | A missing authorization vulnerability in Quadlayers AI Copilot WordPress plugin allows attackers to
8490 | CVE-2025-12814 | 0.04% | 11.8th | 5.3 | | The SiteSEO WordPress plugin has an improper capability check vulnerability that allows authenticate
8491 | CVE-2025-10529 | 0.04% | 12th | 6.5 | | This CVE describes a same-origin policy bypass vulnerability in the Layout component of Mozilla prod
8492 | CVE-2025-63028 | 0.04% | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the Traveler WordPress theme that allows
8493 | CVE-2025-66625 | 0.04% | 12.1th | 4.9 | | This vulnerability in Umbraco CMS allows attackers with backoffice access to enumerate arbitrary fil
8494 | CVE-2025-62129 | 0.04% | 12.1th | 5.3 | | This CVE describes a missing authorization vulnerability in the RestroPress WordPress plugin that al
8495 | CVE-2025-12065 | 0.04% | 11.9th | 4.4 | | The WP Carticon WordPress plugin has a stored XSS vulnerability that allows authenticated administra
8496 | CVE-2025-15317 | 0.04% | 11.8th | 6.5 | | CVE-2025-15317 is an uncontrolled resource consumption vulnerability in Tanium Server that allows at
8497 | CVE-2026-22486 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Hakob Re Gallery & Responsive Photo
8498 | CVE-2026-22488 | 0.04% | 12th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Dashboard Welcome for Beaver Builder
8499 | CVE-2025-6915 | 0.04% | 12th | 6.3 | | A critical SQL injection vulnerability exists in PHPGurukul Student Record System 3.2's /register.ph
8500 | CVE-2025-14054 | 0.04% | 12th | 4.4 | | This vulnerability allows authenticated attackers with Shop Manager or higher privileges in WordPres

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model maintained by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days; scores are republished daily as new exploitation data arrives. Unlike CVSS, which measures how severe a vulnerability would be if it were exploited, EPSS measures how likely it is to be exploited at all, which is what makes it useful for deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS lets security teams focus on the CVEs most likely to be actively exploited instead of patching purely in CVSS order. A CVSS 9.8 critical vulnerability with an EPSS of 0.1% may be less urgent than a CVSS 7.5 high with an EPSS of 90%. EPSS is a prediction, not a record of exploitation: a CVE on the CISA KEV list is already known to be exploited and should be treated as urgent regardless of its EPSS score.
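The prioritisation described above, as an added example that is not code from this page or from FIRST.org: it parses a JSON body in the shape of a FIRST EPSS API response, merges the scores with a scanner's CVSS and CISA KEV data, and orders findings KEV first, then by EPSS, then by CVSS. The two real CVE rows reuse this page's own values; the CVE-EXAMPLE-* rows, the scanner data and the P0 to P3 tier thresholds are hypothetical and chosen only to show the CVSS 9.8 / 0.1% versus CVSS 7.5 / 90% contrast.

```python
import json
from dataclasses import dataclass

# Constructed sample in the shape of a FIRST EPSS API response
# (https://api.first.org/data/v1/epss?cve=...): "epss" and "percentile" are
# decimal strings on a 0..1 scale. The first two rows use this page's own
# values for CVE-2025-39937 and CVE-2024-57931; the CVE-EXAMPLE-* rows are
# hypothetical and exist only to illustrate the CVSS-versus-EPSS contrast.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "data": [
        {"cve": "CVE-2025-39937", "epss": "0.0004", "percentile": "0.12"},
        {"cve": "CVE-2024-57931", "epss": "0.0004", "percentile": "0.118"},
        {"cve": "CVE-EXAMPLE-A", "epss": "0.001", "percentile": "0.30"},
        {"cve": "CVE-EXAMPLE-B", "epss": "0.90", "percentile": "0.998"},
        {"cve": "CVE-EXAMPLE-C", "epss": "0.30", "percentile": "0.97"},
    ],
})

# Constructed scanner-side data (hypothetical): CVSS base score and CISA KEV membership.
SAMPLE_SCANNER = {
    "CVE-2025-39937": {"cvss": 5.5, "kev": False},
    "CVE-2024-57931": {"cvss": 5.5, "kev": False},
    "CVE-EXAMPLE-A": {"cvss": 9.8, "kev": False},   # critical severity, near-zero likelihood
    "CVE-EXAMPLE-B": {"cvss": 7.5, "kev": False},   # high severity, very likely exploited
    "CVE-EXAMPLE-C": {"cvss": 6.1, "kev": True},    # medium severity, known exploited
}


@dataclass
class Finding:
    cve: str
    epss: float        # probability of exploitation in the next 30 days, 0..1
    percentile: float  # fraction of all scored CVEs with an EPSS at or below this one
    cvss: float
    kev: bool

    @property
    def tier(self) -> str:
        """Triage tier. Thresholds are this example's own choice, not a FIRST or CISA standard."""
        if self.kev:
            return "P0"   # known exploited: patch regardless of score
        if self.epss >= 0.5:
            return "P1"   # more likely than not to be exploited within 30 days
        if self.epss >= 0.1 or self.cvss >= 9.0:
            return "P2"   # elevated likelihood, or critical impact worth patching early
        return "P3"


def parse_epss_response(raw: str) -> dict:
    """Parse an EPSS API JSON body into {cve: (epss, percentile)} as floats, rejecting bad values."""
    body = json.loads(raw)
    if body.get("status") != "OK":
        raise ValueError(f"EPSS API status: {body.get('status')!r}")
    scores = {}
    for row in body["data"]:
        epss, pct = float(row["epss"]), float(row["percentile"])
        if not (0.0 <= epss <= 1.0 and 0.0 <= pct <= 1.0):
            raise ValueError(f"out-of-range EPSS values for {row['cve']}")
        scores[row["cve"]] = (epss, pct)
    return scores


def prioritize(epss_raw: str, scanner: dict) -> list:
    """Merge EPSS scores with scanner data; order KEV first, then EPSS desc, then CVSS desc."""
    scores = parse_epss_response(epss_raw)
    findings = []
    for cve, meta in scanner.items():
        # A CVE with no EPSS entry gets 0.0, so it is ordered by KEV status and CVSS only.
        epss, pct = scores.get(cve, (0.0, 0.0))
        findings.append(Finding(cve, epss, pct, meta["cvss"], meta["kev"]))
    return sorted(findings, key=lambda f: (not f.kev, -f.epss, -f.cvss))


if __name__ == "__main__":
    for f in prioritize(SAMPLE_EPSS_RESPONSE, SAMPLE_SCANNER):
        print(f"{f.tier} {f.cve:<16} EPSS={f.epss:.2%} pct={f.percentile:.1%} "
              f"CVSS={f.cvss} KEV={f.kev}")
```

Run as-is, the output places the KEV-listed CVE-EXAMPLE-C first, the 90% EPSS CVE-EXAMPLE-B second, and the CVSS 9.8 CVE-EXAMPLE-A only third, with this page's two 0.04% rows at the bottom. Against the live API the same parser applies to the response body of a GET to the URL in the comment; the range check matters because the API returns scores as strings and a malformed or truncated body should fail loudly rather than silently rank a CVE at zero.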

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
