Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:
  EPSS > 50%: 164
  CISA KEV Listed: 156
  CVEs with EPSS: 35,468
  Avg EPSS Score: 0.7%
Rank  CVE ID          EPSS   Percentile  CVSS  Summary
8951  CVE-2025-64292  0.04%  11.8th      5.4   This DOM-based cross-site scripting (XSS) vulnerability in the Analytics Germanized WordPress plugin
8952  CVE-2025-0932   0.04%  11.5th      4.3   A Use After Free vulnerability in Arm GPU drivers allows non-privileged user processes to access fre
8953  CVE-2025-2533   0.04%  11.5th      5.3   IBM Db2 for Linux versions 12.1.0 through 12.1.2 contain a vulnerability where a specially crafted q
8954  CVE-2024-13096  0.04%  11.6th      4.6   This vulnerability in the WP Finance WordPress plugin allows attackers to trick logged-in administra
8955  CVE-2024-13555  0.04%  11.3th      5.3   This CSRF vulnerability in the 1 Click WordPress Migration plugin allows unauthenticated attackers t
8956  CVE-2025-66103  0.04%  11.5th      6.5   This DOM-based Cross-Site Scripting (XSS) vulnerability in the WPCal.Io WordPress plugin allows atta
8957  CVE-2025-34467  0.04%  11.6th      4.3   This vulnerability allows authenticated low-privilege users to cause denial-of-service against admin
8958  CVE-2021-25635  0.04%  11.4th      5.5   This vulnerability allows attackers to forge digital signatures in LibreOffice documents. An attacke
8959  CVE-2025-10902  0.04%  11.7th      4.3   The Originality.ai AI Checker WordPress plugin has an authorization vulnerability that allows authen
8960  CVE-2025-8482   0.04%  11.6th      4.3   The Simple Local Avatars WordPress plugin version 2.8.4 has an authorization vulnerability that allo
8961  CVE-2025-69357  0.04%  11.5th      6.5   This stored cross-site scripting (XSS) vulnerability in TheGem Theme Elements for Elementor WordPres
8962  CVE-2026-1972   0.04%  11.5th      5.3   This vulnerability allows attackers to bypass authentication on Edimax BR-6208AC V2 routers by manip
8963  CVE-2025-11172  0.04%  11.7th      4.3   The Check Plagiarism WordPress plugin has an authorization vulnerability that allows authenticated u
8964  CVE-2025-11876  0.04%  11.5th      6.4   The Mailgun Subscriptions WordPress plugin has a stored XSS vulnerability in its 'mailgun_subscripti
8965  CVE-2025-12634  0.04%  11.7th      4.3   This vulnerability in the Refund Request for WooCommerce WordPress plugin allows authenticated users
8966  CVE-2025-69360  0.04%  11.5th      6.5   This DOM-based cross-site scripting (XSS) vulnerability in TheGem Theme Elements for WPBakery WordPr
8967  CVE-2025-13785  0.04%  11.4th      4.3   This vulnerability in yungifez Skuul School Management System allows remote attackers to access sens
8968  CVE-2025-12582  0.04%  11.7th      4.3   The Features plugin for WordPress has an authorization vulnerability that allows authenticated users
8969  CVE-2025-13311  0.04%  11.7th      4.4   The Just Highlight WordPress plugin has a stored XSS vulnerability in its 'Highlight Color' setting.
8970  CVE-2025-15329  0.04%  11.6th      4.9   CVE-2025-15329 is an information disclosure vulnerability in Tanium Threat Response that allows unau
8971  CVE-2025-69362  0.04%  11.5th      6.5   This stored cross-site scripting (XSS) vulnerability in POSIMYTH UiChemy allows attackers to inject
8972  CVE-2025-23144  0.04%  11.5th      5.5   This CVE describes a race condition vulnerability in the Linux kernel's LED backlight subsystem wher
8973  CVE-2025-67912  0.04%  11.5th      6.5   This stored XSS vulnerability in the Stars Testimonials WordPress plugin allows attackers to inject
8974  CVE-2025-66066  0.04%  11.8th      6.1   This stored cross-site scripting (XSS) vulnerability in the Envo Extra WordPress plugin allows attac
8975  CVE-2025-49293  0.04%  11.8th      4.3   This CVE describes a Missing Authorization vulnerability in the WordPress plugin Crawlomatic Multisi
8976  CVE-2025-15332  0.04%  11.6th      4.9   An information disclosure vulnerability in Tanium Threat Response could allow authenticated users to
8977  CVE-2025-66067  0.04%  11.8th      5.4   This DOM-based Cross-Site Scripting (XSS) vulnerability in FunnelKit Funnel Builder for WordPress al
8978  CVE-2025-12014  0.04%  11.7th      4.3   This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to mo
8979  CVE-2025-67951  0.04%  11.5th      6.5   This DOM-based Cross-Site Scripting (XSS) vulnerability in WPZOOM Addons for Elementor allows attack
8980  CVE-2025-21803  0.04%  11.6th      5.5   This CVE describes a race condition vulnerability in the Linux kernel's LoongArch architecture durin
8981  CVE-2025-67983  0.04%  11.5th      6.5   This DOM-based XSS vulnerability in WP Visitor Statistics plugin allows attackers to inject maliciou
8982  CVE-2025-9937   0.04%  11.6th      5.4   CVE-2025-9937 is an improper authorization vulnerability in elunez eladmin's LocalStorageController
8983  CVE-2025-66081  0.04%  11.8th      5.4   This stored cross-site scripting (XSS) vulnerability in the WordPress Head Meta Data plugin allows a
8984  CVE-2025-12087  0.04%  11.7th      4.3   This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to de
8985  CVE-2025-11952  0.04%  11.8th      6.1   This stored XSS vulnerability in Oct8ne Chatbot v2.3 allows attackers to inject malicious JavaScript
8986  CVE-2025-0796   0.04%  11.3th      4.3   This CSRF vulnerability in the Mortgage Lead Capture System WordPress plugin allows unauthenticated
8987  CVE-2024-13438  0.04%  11.3th      4.3   This CSRF vulnerability in the SpeedSize Image & Video AI-Optimizer WordPress plugin allows unauthen
8988  CVE-2025-12113  0.04%  11.7th      4.3   This vulnerability in the Alt Text Generator AI WordPress plugin allows authenticated attackers with
8989  CVE-2025-6833   0.04%  11.7th      4.3   This vulnerability allows authenticated WordPress users with subscriber-level access or higher to ma
8990  CVE-2026-21484  0.04%  11.6th      5.3   This vulnerability in AnythingLLM allows attackers to determine whether specific usernames exist in
8991  CVE-2025-64046  0.04%  11.8th      6.1   OpenRapid RapidCMS 1.3.1 contains a cross-site scripting (XSS) vulnerability in the /system/update-r
8992  CVE-2025-4963   0.04%  11.3th      6.4   The WP Extended plugin for WordPress has a stored XSS vulnerability in SVG file upload functionality
8993  CVE-2026-24347  0.04%  11.5th      5.3   Improper input validation in the Admin UI of EZCast Pro II version 1.17478.146 allows attackers to m
8994  CVE-2023-53985  0.04%  11.3th      6.1   CVE-2023-53985 is a reflected cross-site scripting (XSS) vulnerability in Zippy CRM (formerly Zstore
8995  CVE-2025-14030  0.04%  11.5th      6.4   The AI Feeds WordPress plugin has a stored XSS vulnerability in versions up to 1.0.22. Authenticated
8996  CVE-2025-67533  0.04%  11.5th      6.5   This stored cross-site scripting (XSS) vulnerability in the Themify Portfolio Post WordPress plugin
8997  CVE-2025-68070  0.04%  11.5th      6.5   This stored cross-site scripting (XSS) vulnerability in the VK Google Job Posting Manager WordPress
8998  CVE-2025-26042  0.04%  11.5th      6.0   Uptime Kuma versions 1.23.0 and above contain a ReDoS vulnerability where an administrator creating
8999  CVE-2025-68076  0.04%  11.5th      6.5   This stored cross-site scripting (XSS) vulnerability in the Stockholm Core WordPress plugin allows a
9000  CVE-2025-63645  0.04%  11.6th      5.4   A stored cross-site scripting (XSS) vulnerability in pH7Software pH7-Social-Dating-CMS allows attack

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
