Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics for this dataset:

- 164 CVEs with EPSS > 50%
- 156 CVEs listed in the CISA KEV catalog
- 35,468 CVEs with an EPSS score
- 0.7% average EPSS score
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|------|--------|------------|------------|------|-------|---------|
| 1601 | CVE-2025-32413 | 0.17% | 38.6th | 6.4 | | Vulnerability-Lookup versions before 2.7.1 contain a stored cross-site scripting (XSS) vulnerability |
| 1602 | CVE-2025-31209 | 0.17% | 38.6th | 6.3 | | An out-of-bounds read vulnerability in Apple operating systems allows attackers to disclose user inf |
| 1603 | CVE-2025-4270 | 0.17% | 38.5th | 5.3 | | This vulnerability in TOTOLINK A720R routers allows remote attackers to access sensitive system conf |
| 1604 | CVE-2025-8979 | 0.17% | 38.5th | 6.6 | | This vulnerability in Tenda AC15 routers allows attackers to bypass firmware update authentication c |
| 1605 | CVE-2023-7315 | 0.17% | 38.6th | 5.4 | | Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Graph Explorer |
| 1606 | CVE-2023-7314 | 0.17% | 38.6th | 5.4 | | Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bandwidth Repor |
| 1607 | CVE-2023-7313 | 0.17% | 38.6th | 5.4 | | Nagios XI versions before 5.11.3 contain a cross-site scripting vulnerability in the Bulk Modificati |
| 1608 | CVE-2024-13212 | 0.17% | 38.4th | 6.3 | | This critical vulnerability in SingMR HouseRent 1.0 allows remote attackers to upload arbitrary file |
| 1609 | CVE-2024-37451 | 0.17% | 38.4th | 4.3 | | This CSRF vulnerability in the Rara Theme Travel Agency WordPress theme allows attackers to trick au |
| 1610 | CVE-2024-37435 | 0.17% | 38.4th | 4.3 | | This CSRF vulnerability in the Rara Theme Perfect Portfolio WordPress theme allows attackers to tric |
| 1611 | CVE-2024-37093 | 0.17% | 38.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the MasterStudy LMS WordPress plugin allows att |
| 1612 | CVE-2024-54169 | 0.17% | 38.4th | 6.5 | | This vulnerability allows authenticated attackers to perform directory traversal attacks on IBM Enti |
| 1613 | CVE-2025-25197 | 0.17% | 38.4th | 5.4 | | This Cross-Site Scripting (XSS) vulnerability in Silverstripe Elemental allows attackers to inject m |
| 1614 | CVE-2025-25213 | 0.17% | 38.5th | 6.5 | | This vulnerability allows clickjacking attacks on Wi-Fi AP UNIT 'AC-WPS-11ac series' devices. Attack |
| 1615 | CVE-2023-6425 | 0.17% | 38.4th | 6.3 | | This vulnerability allows attackers to inject malicious JavaScript into the BigProf Online Clinic Ma |
| 1616 | CVE-2021-34668 | 0.17% | 38.4th | 6.4 | | This vulnerability allows author-level users in WordPress to inject malicious JavaScript into folder |
| 1617 | CVE-2025-24604 | 0.17% | 38.2th | 5.4 | | This CVE describes a missing authorization vulnerability in the VForm WordPress plugin that allows a |
| 1618 | CVE-2025-23761 | 0.17% | 38.2th | 5.4 | | This CVE describes a missing authorization vulnerability in the Woo Tuner WordPress plugin that allo |
| 1619 | CVE-2025-0311 | 0.17% | 38.3th | 6.4 | | This stored XSS vulnerability in the Orbit Fox WordPress plugin allows authenticated attackers with |
| 1620 | CVE-2023-47807 | 0.17% | 38.3th | 4.3 | | This CVE describes a missing authorization vulnerability in the 10WebAnalytics WordPress plugin that |
| 1621 | CVE-2022-41995 | 0.17% | 38.3th | 4.3 | | This CVE describes a missing authorization vulnerability in the Gallery Images Ape WordPress plugin |
| 1622 | CVE-2024-56255 | 0.17% | 38.3th | 4.3 | | This CVE describes a Missing Authorization vulnerability in the AyeCode Connect WordPress plugin tha |
| 1623 | CVE-2023-51300 | 0.17% | 38.3th | 6.1 | | PHPJabbers Hotel Booking System v4.0 contains multiple cross-site scripting (XSS) vulnerabilities in |
| 1624 | CVE-2024-13699 | 0.17% | 38.3th | 6.4 | | The Qi Addons For Elementor WordPress plugin has a stored cross-site scripting vulnerability in the |
| 1625 | CVE-2025-31627 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Media Library Assistant WordPress plugin |
| 1626 | CVE-2025-31610 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in WordPress Notification Bar plugins allows at |
| 1627 | CVE-2025-31575 | 0.17% | 38.2th | 5.9 | | This vulnerability allows attackers to inject malicious scripts into WordPress websites using the Fl |
| 1628 | CVE-2025-31472 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Flatty WordPress plugin allows attackers |
| 1629 | CVE-2025-31470 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the FancyThemes Page Takeover WordPress plug |
| 1630 | CVE-2025-31463 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the TGG WP Optimizer WordPress plugin allows |
| 1631 | CVE-2025-31437 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP-OGP WordPress plugin allows attackers |
| 1632 | CVE-2025-31031 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Job Colors for WP Job Manager WordPress |
| 1633 | CVE-2025-30904 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Ays Pro Chartify WordPress plugin allows |
| 1634 | CVE-2025-30847 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Ashley Novelist WordPress plugin allows |
| 1635 | CVE-2025-30799 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WP Google Street View WordPress plugin a |
| 1636 | CVE-2025-30792 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Comment Approved Notifier Exte |
| 1637 | CVE-2025-30789 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Clearout Email Validator WordPress plugi |
| 1638 | CVE-2025-30545 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress issuuPress plugin allows attac |
| 1639 | CVE-2025-30540 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the AvaiBook WordPress plugin allows attacke |
| 1640 | CVE-2025-30536 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Beautiful Link Preview WordPress plugin |
| 1641 | CVE-2025-30532 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Weather Layer WordPress plugin allows at |
| 1642 | CVE-2025-30530 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the AI Preloader WordPress plugin allows att |
| 1643 | CVE-2025-39562 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Payment Form for PayPal Pro WordPress pl |
| 1644 | CVE-2025-39444 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the MaxButtons WordPress plugin allows attac |
| 1645 | CVE-2025-39428 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Gravity Forms CSS Themes with Fontawesom |
| 1646 | CVE-2025-30720 | 0.17% | 38.3th | 6.1 | | This vulnerability in Oracle Configurator allows unauthenticated attackers with network access via H |
| 1647 | CVE-2025-32680 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Review Stream plugin allows at |
| 1648 | CVE-2025-32640 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the WordPress One Click Accessibility plugin |
| 1649 | CVE-2025-32493 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the BP Social Connect WordPress plugin allow |
| 1650 | CVE-2025-32489 | 0.17% | 38.2th | 5.9 | | This stored cross-site scripting (XSS) vulnerability in the Wetterwarner WordPress plugin allows att |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first. Because the scores are re-estimated as new exploitation data arrives, a ranking like the one above is a snapshot rather than a fixed property of each CVE.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.

Prioritize by Exploit Risk

Scan your servers and see which vulnerabilities have the highest EPSS scores. Focus on what attackers are actually targeting.
