Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|------|--------|------------|------------|------|-------|---------|
| 8751 | CVE-2025-53286 | 0.04% | 11.8th | 6.1 | | This Cross-Site Scripting (XSS) vulnerability in the Dropify WordPress plugin allows attackers to in |
| 8752 | CVE-2025-62097 | 0.04% | 11.5th | 6.5 | | This DOM-based XSS vulnerability in SEO Slider WordPress plugin allows attackers to inject malicious |
| 8753 | CVE-2025-49923 | 0.04% | 11.8th | 6.1 | | This DOM-based XSS vulnerability in Seriously Simple Podcasting WordPress plugin allows attackers to |
| 8754 | CVE-2025-7075 | 0.04% | 11.7th | 6.3 | | CVE-2025-7075 is a critical vulnerability in BlackVue Dashcam 590X devices that allows unauthenticat |
| 8755 | CVE-2025-53324 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the Gutenify WordPress plugin allows attacke |
| 8756 | CVE-2023-26002 | 0.04% | 11.8th | 4.3 | | This CVE describes a missing authorization vulnerability in the 6Storage Rentals WordPress plugin th |
| 8757 | CVE-2025-68499 | 0.04% | 11.5th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in Crocoblock JetTabs WordPress plugin allow |
| 8758 | CVE-2025-53349 | 0.04% | 11.8th | 6.1 | | This is a reflected cross-site scripting (XSS) vulnerability in the Kalium WordPress theme that allo |
| 8759 | CVE-2025-4369 | 0.04% | 11.4th | 5.5 | | This stored XSS vulnerability in the WordPress Companion Auto Update plugin allows authenticated adm |
| 8760 | CVE-2025-9122 | 0.04% | 11.6th | 5.3 | | This vulnerability in Hitachi Vantara Pentaho Data Integration and Analytics Community Dashboard Fra |
| 8761 | CVE-2025-53574 | 0.04% | 11.8th | 6.1 | | This CVE describes a reflected cross-site scripting (XSS) vulnerability in the Doliconnect WordPress |
| 8762 | CVE-2025-54856 | 0.04% | 11.5th | 4.8 | | This stored XSS vulnerability in Movable Type allows attackers with 'ContentType Management' privile |
| 8763 | CVE-2025-12924 | 0.04% | 11.6th | 4.3 | | This CVE describes a missing authorization vulnerability in the rymcu forest software's BankControll |
| 8764 | CVE-2025-62499 | 0.04% | 11.5th | 4.8 | | This stored XSS vulnerability in Movable Type allows attackers with 'ContentType Management' privile |
| 8765 | CVE-2025-52331 | 0.04% | 11.6th | 6.1 | | A cross-site scripting vulnerability in WinRAR's generate report function allows attackers to inject |
| 8766 | CVE-2026-2099 | 0.04% | 11.5th | 5.4 | | AgentFlow software by Flowring contains a stored cross-site scripting vulnerability that allows auth |
| 8767 | CVE-2025-61255 | 0.04% | 11.5th | 6.1 | | Bank Locker Management System by PHPGurukul contains a reflected Cross-Site Scripting vulnerability |
| 8768 | CVE-2025-59491 | 0.04% | 11.8th | 6.1 | | This Cross-Site Scripting (XSS) vulnerability in CentralSquare Community Development allows attacker |
| 8769 | CVE-2025-30186 | 0.04% | 11.8th | 5.4 | | This CVE describes a cross-site scripting (XSS) vulnerability where attackers can upload malicious f |
| 8770 | CVE-2025-12630 | 0.04% | 11.5th | 4.9 | | The Upload.am WordPress plugin before version 1.0.1 contains an insecure direct object reference vul |
| 8771 | CVE-2025-62735 | 0.04% | 11.6th | 5.3 | | This vulnerability in the WordPress User Spam Remover plugin allows unauthorized users to retrieve e |
| 8772 | CVE-2025-30190 | 0.04% | 11.8th | 5.4 | | This vulnerability allows malicious Office documents to inject script code when edited, potentially |
| 8773 | CVE-2025-49934 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in CrocoBlock's JetBlocks For Elementor WordPre |
| 8774 | CVE-2025-59025 | 0.04% | 11.8th | 6.1 | | This CVE describes a cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite where malicio |
| 8775 | CVE-2025-47464 | 0.04% | 11.6th | 4.9 | | This Server-Side Request Forgery (SSRF) vulnerability in the Solace Extra WordPress plugin allows at |
| 8776 | CVE-2025-62737 | 0.04% | 11.6th | 5.3 | | This vulnerability in the Image Cleanup WordPress plugin allows unauthorized users to retrieve embed |
| 8777 | CVE-2025-67546 | 0.04% | 11.7th | 6.5 | | This vulnerability in weDevs WP ERP plugin allows unauthorized users to retrieve embedded sensitive |
| 8778 | CVE-2025-63020 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in the Postie WordPress plugin allows attackers to inject malicious sc |
| 8779 | CVE-2025-59026 | 0.04% | 11.8th | 5.4 | | This is a cross-site scripting (XSS) vulnerability in Open-Xchange AppSuite where malicious file upl |
| 8780 | CVE-2025-62894 | 0.04% | 11.6th | 5.4 | | This stored XSS vulnerability in the ACF Recent Posts Widget WordPress plugin allows attackers to in |
| 8781 | CVE-2025-14278 | 0.04% | 11.5th | 6.4 | | The HT Slider for Elementor WordPress plugin has a stored XSS vulnerability in the 'slide_title' par |
| 8782 | CVE-2025-62897 | 0.04% | 11.5th | 4.7 | | This vulnerability allows attackers to inject malicious scripts into WP Recipe Maker web pages throu |
| 8783 | CVE-2025-62898 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Links Shortcode plugin allows |
| 8784 | CVE-2025-13730 | 0.04% | 11.5th | 6.4 | | The OpenID Connect Generic Client WordPress plugin has a stored XSS vulnerability in all versions up |
| 8785 | CVE-2025-62899 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the Photospace Responsive WordPress plugin a |
| 8786 | CVE-2025-49986 | 0.04% | 11.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the Video List Manager WordPress plugin |
| 8787 | CVE-2025-27803 | 0.04% | 11.6th | 6.5 | | This CVE describes a critical authentication bypass vulnerability in certain devices where both the |
| 8788 | CVE-2025-62139 | 0.04% | 11.6th | 5.3 | | The Terms descriptions WordPress plugin versions up to 3.4.9 contains a vulnerability where sensitiv |
| 8789 | CVE-2025-62900 | 0.04% | 11.6th | 5.4 | | This stored XSS vulnerability in the WeblineIndia Popular Posts WordPress plugin allows attackers to |
| 8790 | CVE-2023-53503 | 0.04% | 11.6th | 5.5 | | A Linux kernel vulnerability in the ext4 filesystem allows attackers with write access to block devi |
| 8791 | CVE-2025-50952 | 0.04% | 11.3th | 6.5 | | This CVE describes a NULL pointer dereference vulnerability in openjpeg v2.5.0's DWT component that |
| 8792 | CVE-2024-13437 | 0.04% | 11.3th | 4.3 | | This Cross-Site Request Forgery vulnerability in the Book a Room WordPress plugin allows attackers t |
| 8793 | CVE-2025-59115 | 0.04% | 11.6th | 5.4 | | Windu CMS version 4.1 has a stored cross-site scripting vulnerability in the logon page that allows |
| 8794 | CVE-2024-13683 | 0.04% | 11.6th | 4.3 | | This CSRF vulnerability in the Automate Hub Free WordPress plugin allows attackers to trick administ |
| 8795 | CVE-2025-62904 | 0.04% | 11.6th | 5.4 | | This vulnerability is a stored cross-site scripting (XSS) flaw in the WP Geo WordPress plugin, allow |
| 8796 | CVE-2025-49990 | 0.04% | 11.4th | 5.3 | | This CVE describes a missing authorization vulnerability in the ContentStudio WordPress plugin that |
| 8797 | CVE-2025-62905 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the Query Posts WordPress plugin allows atta |
| 8798 | CVE-2025-58986 | 0.04% | 11.5th | 6.5 | | This CVE describes a Missing Authorization vulnerability in the Jock On Air Now (JOAN) WordPress plu |
| 8799 | CVE-2025-49993 | 0.04% | 11.4th | 5.3 | | This CVE describes a Missing Authorization vulnerability in the Cookie-Script.com WordPress plugin t |
| 8800 | CVE-2025-14451 | 0.04% | 11.4th | 4.7 | | The Solutions Ad Manager WordPress plugin has an open redirect vulnerability that allows unauthentic |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
