Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

EPSS > 50%: 164
CISA KEV Listed: 156
CVEs with EPSS: 35,468
Avg EPSS Score: 0.7%

| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 8851 | CVE-2025-11874 | 0.04% | 11.6th | 5.4 | | This stored XSS vulnerability in the Slippy Slider WordPress plugin allows authenticated attackers w |
| 8852 | CVE-2026-22519 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the BuddyDev MediaPress WordPress plugin all |
| 8853 | CVE-2026-24117 | 0.04% | 11.4th | 5.3 | | CVE-2026-24117 is a Server-Side Request Forgery (SSRF) vulnerability in Rekor's /api/v1/index/retrie |
| 8854 | CVE-2025-63045 | 0.04% | 11.5th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in Master Slider Pro WordPress plugin allows |
| 8855 | CVE-2025-13963 | 0.04% | 11.5th | 6.4 | | The FX Currency Converter WordPress plugin has a stored XSS vulnerability in its 'fxcc_convert' shor |
| 8856 | CVE-2025-68992 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in the BWL Knowledge Base Manager WordPress plugin allows attackers to |
| 8857 | CVE-2025-62940 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the Blox Lite WordPress plugin allows attack |
| 8858 | CVE-2025-63046 | 0.04% | 11.5th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the ListingPro WordPress plugin allows at |
| 8859 | CVE-2025-64047 | 0.04% | 11.8th | 6.1 | | OpenRapid RapidCMS 1.3.1 contains a cross-site scripting vulnerability in the /user/user-move.php en |
| 8860 | CVE-2025-62941 | 0.04% | 11.6th | 5.4 | | This stored XSS vulnerability in the Events Maker WordPress plugin allows attackers to inject malici |
| 8861 | CVE-2025-52491 | 0.04% | 11.4th | 5.8 | | This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Akamai CloudTest. It allows |
| 8862 | CVE-2025-13693 | 0.04% | 11.5th | 6.4 | | This vulnerability allows authenticated WordPress users with Author-level permissions or higher to i |
| 8863 | CVE-2025-64048 | 0.04% | 11.8th | 6.1 | | YCCMS 3.4 contains a stored XSS vulnerability in article management that allows attackers to inject |
| 8864 | CVE-2025-62942 | 0.04% | 11.6th | 5.4 | | This stored cross-site scripting (XSS) vulnerability in the WP Mapbox GL JS Maps WordPress plugin al |
| 8865 | CVE-2025-63048 | 0.04% | 11.5th | 6.5 | | This DOM-based XSS vulnerability in the ListingPro Lead Form WordPress plugin allows attackers to in |
| 8866 | CVE-2025-62943 | 0.04% | 11.6th | 5.4 | | This stored XSS vulnerability in the Next Page, Not Next Post WordPress plugin allows attackers to i |
| 8867 | CVE-2025-36407 | 0.04% | 11.7th | 6.5 | | This vulnerability in IBM Db2 allows a local user to cause a denial of service by exploiting imprope |
| 8868 | CVE-2025-63050 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the REHub Framework WordPress plugin allows |
| 8869 | CVE-2025-36423 | 0.04% | 11.7th | 6.5 | | This vulnerability in IBM Db2 allows a local user to cause a denial of service by exploiting imprope |
| 8870 | CVE-2025-63052 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in the SimpLy Gallery WordPress plugin allows attackers to inject mali |
| 8871 | CVE-2025-54458 | 0.04% | 11.4th | 5.0 | | The Mattermost Confluence Plugin before version 1.5.0 has an authorization bypass vulnerability wher |
| 8872 | CVE-2025-63828 | 0.04% | 11.3th | 6.1 | | A Host Header Injection vulnerability in Backdrop CMS 1.32.1 allows attackers to manipulate the Host |
| 8873 | CVE-2025-63055 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Master Addons for Elementor allows attackers |
| 8874 | CVE-2025-3704 | 0.04% | 11.4th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in DBAR Productions Volunteer Sign Up Sheets Wo |
| 8875 | CVE-2025-14032 | 0.04% | 11.5th | 6.4 | | The Bold Timeline Lite WordPress plugin has a stored XSS vulnerability in the 'title' parameter of t |
| 8876 | CVE-2025-63059 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in the Ninja Popups WordPress plugin allows attackers to inject malici |
| 8877 | CVE-2026-0887 | 0.04% | 11.3th | 4.3 | | This CVE describes a clickjacking vulnerability in the PDF Viewer component of Mozilla products that |
| 8878 | CVE-2025-62901 | 0.04% | 11.5th | 6.5 | | This stored XSS vulnerability in the WP Microdata WordPress plugin allows attackers to inject malici |
| 8879 | CVE-2025-11773 | 0.04% | 11.7th | 4.3 | | This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to mo |
| 8880 | CVE-2025-8617 | 0.04% | 11.5th | 6.4 | | The YITH WooCommerce Quick View WordPress plugin has a stored XSS vulnerability in all versions up t |
| 8881 | CVE-2025-62926 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the TempTool WordPress plugin allows attacke |
| 8882 | CVE-2025-63243 | 0.04% | 11.6th | 4.6 | | This reflected XSS vulnerability in Pixeon WebLaudos allows attackers to execute arbitrary JavaScrip |
| 8883 | CVE-2025-11029 | 0.04% | 11.7th | 4.3 | | This is a Cross-Site Request Forgery (CSRF) vulnerability in givanz Vvveb CMS versions up to 1.0.7.2 |
| 8884 | CVE-2025-69017 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the RestroPress WordPress plugin allows atta |
| 8885 | CVE-2025-8780 | 0.04% | 11.5th | 6.4 | | The Livemesh SiteOrigin Widgets WordPress plugin has a stored XSS vulnerability in Hero Header and P |
| 8886 | CVE-2025-69018 | 0.04% | 11.5th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Shamalli Web Directory Free WordPress |
| 8887 | CVE-2025-53295 | 0.04% | 11.4th | 5.3 | | CVE-2025-53295 is a missing authorization vulnerability in the iCount Payment Gateway WordPress plug |
| 8888 | CVE-2025-9116 | 0.04% | 11.7th | 5.8 | | This vulnerability allows attackers to inject malicious scripts via the REQUEST_URI parameter in the |
| 8889 | CVE-2025-69019 | 0.04% | 11.5th | 6.5 | | This DOM-based cross-site scripting vulnerability in the FlippingBook WordPress plugin allows attack |
| 8890 | CVE-2025-63674 | 0.04% | 11.6th | 6.8 | | This vulnerability allows local physical attackers with access to the device's SD card slot to execu |
| 8891 | CVE-2025-69020 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Tribulant Software Newsletters WordPress plu |
| 8892 | CVE-2025-10144 | 0.04% | 11.3th | 6.5 | | This SQL injection vulnerability in the Perfect Brands for WooCommerce WordPress plugin allows authe |
| 8893 | CVE-2025-1738 | 0.04% | 11.4th | 6.2 | | The Trivision Camera NC227WF v5.8.0 transmits passwords in URL query strings, exposing authenticatio |
| 8894 | CVE-2025-9488 | 0.04% | 11.5th | 6.4 | | The Redux Framework WordPress plugin has a stored XSS vulnerability in all versions up to 4.5.8. Aut |
| 8895 | CVE-2025-49914 | 0.04% | 11.7th | 6.5 | | This vulnerability in the Restaurant Menu by MotoPress WordPress plugin exposes sensitive system inf |
| 8896 | CVE-2025-12086 | 0.04% | 11.7th | 4.3 | | This vulnerability in the Return Refund and Exchange For WooCommerce WordPress plugin allows authent |
| 8897 | CVE-2025-9856 | 0.04% | 11.5th | 6.4 | | This stored XSS vulnerability in the Popup Builder WordPress plugin allows authenticated attackers w |
| 8898 | CVE-2025-10006 | 0.04% | 11.6th | 6.4 | | The WPBakery Page Builder WordPress plugin has a stored XSS vulnerability in its 'rev_slider_vc' sho |
| 8899 | CVE-2025-63071 | 0.04% | 11.6th | 5.3 | | This vulnerability in the auxin-elements WordPress plugin allows attackers to retrieve embedded sens |
| 8900 | CVE-2025-63072 | 0.04% | 11.5th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in THEMECO Cornerstone WordPress plugin allows |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
