Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

- 164 CVEs with EPSS > 50%
- 156 CVEs listed in CISA KEV
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary (truncated) |
|---|---|---|---|---|---|---|
| 8701 | CVE-2025-62748 | 0.04% | 11.5th | 6.5 | | This DOM-based XSS vulnerability in Genetech Products' Web and WooCommerce Addons for WPBakery Build |
| 8702 | CVE-2025-49390 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Cookie Notice & Consent plugin |
| 8703 | CVE-2025-62749 | 0.04% | 11.5th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the WordPress User Specific Content plugi |
| 8704 | CVE-2025-64229 | 0.04% | 11.7th | 4.3 | | This CVE describes a missing authorization vulnerability in the BoldGrid Client Invoicing by Sprout |
| 8705 | CVE-2025-68504 | 0.04% | 11.5th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in Crocoblock's JetSearch WordPress plugin a |
| 8706 | CVE-2025-62752 | 0.04% | 11.5th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Calendar.Online/Kalender.Digital Word |
| 8707 | CVE-2025-62295 | 0.04% | 11.6th | 5.4 | | SOPlanning versions before 1.55 contain a stored cross-site scripting (XSS) vulnerability in the /gr |
| 8708 | CVE-2025-6071 | 0.04% | 11.5th | 5.3 | | A hard-coded cryptographic key vulnerability in ABB RMC-100 and RMC-100 LITE devices allows attacker |
| 8709 | CVE-2025-13985 | 0.04% | 11.5th | 5.3 | | This CVE describes an incorrect authorization vulnerability in Drupal's Entity Share module that all |
| 8710 | CVE-2025-62756 | 0.04% | 11.5th | 6.5 | | This DOM-based cross-site scripting vulnerability in The Moneytizer WordPress plugin allows attacker |
| 8711 | CVE-2025-49398 | 0.04% | 11.5th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into web pages through the Easy Appo |
| 8712 | CVE-2025-62296 | 0.04% | 11.6th | 5.4 | | SOPlanning versions before 1.55 contain a stored cross-site scripting (XSS) vulnerability in the /ta |
| 8713 | CVE-2025-68607 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Custom Field Template plugin a |
| 8714 | CVE-2025-62757 | 0.04% | 11.5th | 6.5 | | This DOM-based XSS vulnerability in the WebMan Amplifier WordPress plugin allows attackers to inject |
| 8715 | CVE-2025-11448 | 0.04% | 11.7th | 4.3 | | The Envira Photo Gallery WordPress plugin has a missing capability check on its bulk-convert REST AP |
| 8716 | CVE-2025-62297 | 0.04% | 11.6th | 5.4 | | SOPlanning web application is vulnerable to stored cross-site scripting (XSS) in the /projets endpoi |
| 8717 | CVE-2025-62991 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Minamaze WordPress theme allows attacker |
| 8718 | CVE-2025-49904 | 0.04% | 11.8th | 6.1 | | This reflected cross-site scripting (XSS) vulnerability in the Booking and Rental Manager for WooCom |
| 8719 | CVE-2025-62729 | 0.04% | 11.6th | 5.4 | | SOPlanning web application is vulnerable to stored cross-site scripting (XSS) in the /status endpoin |
| 8720 | CVE-2025-64270 | 0.04% | 11.7th | 6.5 | | This vulnerability in the Masteriyo LMS WordPress plugin allows unauthorized users to retrieve embed |
| 8721 | CVE-2025-63032 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the ThinkUpThemes Consulting WordPress theme |
| 8722 | CVE-2025-49905 | 0.04% | 11.8th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Rang |
| 8723 | CVE-2025-64272 | 0.04% | 11.7th | 6.5 | | This vulnerability in the GetResponse Email Marketing WordPress plugin allows unauthorized users to |
| 8724 | CVE-2025-49357 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Audiomack WordPress plugin allows attack |
| 8725 | CVE-2025-49909 | 0.04% | 11.8th | 6.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Penci Bookmark & Follow WordPres |
| 8726 | CVE-2025-62111 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Extra Shortcodes plugin allows |
| 8727 | CVE-2025-52764 | 0.04% | 11.8th | 6.1 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the flex |
| 8728 | CVE-2025-64295 | 0.04% | 11.7th | 6.5 | | This vulnerability in All In One SEO Pack WordPress plugin allows attackers to retrieve embedded sen |
| 8729 | CVE-2025-62118 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress AdWords Conversion Tracking Co |
| 8730 | CVE-2025-60983 | 0.04% | 11.6th | 5.4 | | A reflected cross-site scripting (XSS) vulnerability exists in Rubikon Banking Solution 4.0.3's 'Sea |
| 8731 | CVE-2025-2045 | 0.04% | 11.6th | 4.3 | | This CVE describes an improper authorization vulnerability in GitLab EE that allows users with limit |
| 8732 | CVE-2025-62125 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Custom Background Changer plug |
| 8733 | CVE-2025-13196 | 0.04% | 11.6th | 5.4 | | This stored XSS vulnerability in Element Pack Addons for Elementor allows authenticated attackers wi |
| 8734 | CVE-2025-64422 | 0.04% | 11.5th | 4.3 | | Coolify's login endpoint has a rate limit bypass vulnerability that allows attackers to perform unli |
| 8735 | CVE-2025-62742 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Curator.Io WordPress plugin allows attac |
| 8736 | CVE-2025-53239 | 0.04% | 11.8th | 6.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the WordPress User Registration Aide |
| 8737 | CVE-2025-0969 | 0.04% | 11.5th | 6.5 | | The Brizy Page Builder WordPress plugin exposes administrator email addresses and password hashes to |
| 8738 | CVE-2025-62743 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the MyBookTable Bookstore WordPress plugin a |
| 8739 | CVE-2025-62744 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Page Title Splitter plugin all |
| 8740 | CVE-2025-53245 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the WP Logo Changer WordPress plugin allows |
| 8741 | CVE-2025-62990 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in Livemesh Addons for Beaver Builder allows attackers to inject malic |
| 8742 | CVE-2025-62082 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in the Generic Elements for Elementor WordPress plugin allows attacker |
| 8743 | CVE-2025-55736 | 0.04% | 11.6th | 6.5 | | In flaskBlog versions 2.8.0 and earlier, any authenticated user can escalate their privileges to adm |
| 8744 | CVE-2024-9661 | 0.04% | 11.3th | 4.3 | | This CSRF vulnerability in WP All Import Pro allows unauthenticated attackers to trick administrator |
| 8745 | CVE-2025-62095 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Neilgee Bootstrap Modals WordPress plugi |
| 8746 | CVE-2025-63724 | 0.04% | 11.6th | 6.0 | | This SQL injection vulnerability in SVX Portal 2.7A allows attackers to execute arbitrary SQL comman |
| 8747 | CVE-2025-52166 | 0.04% | 11.4th | 6.5 | | This vulnerability allows authenticated attackers in Agorum core open software to escalate their pri |
| 8748 | CVE-2026-23845 | 0.04% | 11.6th | 5.8 | | Mailpit versions before 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) through the HTML |
| 8749 | CVE-2025-68040 | 0.04% | 11.7th | 6.5 | | This vulnerability in the weDevs WP Project Manager WordPress plugin allows attackers to retrieve em |
| 8750 | CVE-2025-62096 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WPFactory Maximum Products per User for |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: with thousands of CVEs published every month, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
