Most Exploitable CVEs - EPSS Rankings

CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.

Summary statistics:

EPSS > 50%: 164 CVEs
CISA KEV listed: 156 CVEs
CVEs with an EPSS score: 35,468
Average EPSS score: 0.7%
Summaries below are cut off in the source listing; the truncation is marked with an ellipsis. The Flags column is empty for every row shown here and is omitted.

| Rank | CVE ID | EPSS Score | Percentile | CVSS | Summary |
|---|---|---|---|---|---|
| 1651 | CVE-2025-32483 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the WordPress Request Call Back plugin allow … |
| 1652 | CVE-2025-31035 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the WP Editor.md WordPress plugin allows att … |
| 1653 | CVE-2025-31008 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the YouTube Embed WordPress plugin allows at … |
| 1654 | CVE-2025-32135 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the Split Test For Elementor WordPress plugi … |
| 1655 | CVE-2025-32133 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the Ays Pro Secure Copy Content Protection a … |
| 1656 | CVE-2025-32131 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the Social Intents WordPress plugin allows a … |
| 1657 | CVE-2025-32129 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in Data443 Risk Mitigation's Welcome Bar WordPr … |
| 1658 | CVE-2025-31837 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the WP Proposals WordPress plugin allows att … |
| 1659 | CVE-2025-31806 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the Webling WordPress plugin allows attacker … |
| 1660 | CVE-2025-31793 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the Piotnet Forms WordPress plugin allows at … |
| 1661 | CVE-2025-31772 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the WP Modal Popup with Cookie Integration W … |
| 1662 | CVE-2025-31742 | 0.17% | 38.2 | 5.9 | This stored cross-site scripting (XSS) vulnerability in the PixelDima Dima Take Action WordPress plu … |
| 1663 | CVE-2025-25692 | 0.17% | 38.3 | 6.5 | A PHAR deserialization vulnerability in PrestaShop v8.2.0 allows attackers to execute arbitrary code … |
| 1664 | CVE-2025-32990 | 0.17% | 38.2 | 6.5 | This CVE describes a heap-buffer-overflow vulnerability in GnuTLS's certtool utility when parsing te … |
| 1665 | CVE-2025-56769 | 0.17% | 38.3 | 6.5 | A vulnerability in chinabugotech hutool's QLExpressEngine class allows attackers to execute arbitrar … |
| 1666 | CVE-2024-51317 | 0.17% | 38.3 | 6.5 | A command injection vulnerability in NetSurf browser version 3.11 allows remote attackers to execute … |
| 1667 | CVE-2024-52969 | 0.17% | 38.1 | 4.1 | This SQL injection vulnerability in FortiSIEM's Update/Create Case feature allows authenticated atta … |
| 1668 | CVE-2025-22921 | 0.17% | 38.1 | 6.5 | This vulnerability in FFmpeg's JPEG2000 decoder allows attackers to cause a segmentation fault (cras … |
| 1669 | CVE-2025-26373 | 0.17% | 38.2 | 6.5 | This vulnerability allows authenticated low-privileged attackers to enumerate user accounts in Q-Fre … |
| 1670 | CVE-2023-38272 | 0.17% | 38.1 | 5.9 | This vulnerability in IBM Cloud Pak System allows authenticated users with network access to view se … |
| 1671 | CVE-2025-3982 | 0.17% | 38.1 | 4.3 | This CVE describes a prototype pollution vulnerability in Sverchok 1.3.0's Set Property Mk2 Node. At … |
| 1672 | CVE-2024-11299 | 0.17% | 38.1 | 5.3 | The Memberpress WordPress plugin exposes sensitive information through WordPress core search functio … |
| 1673 | CVE-2025-32896 | 0.17% | 38.1 | 6.5 | Unauthorized attackers can exploit Apache SeaTunnel's REST API to read arbitrary files and perform d … |
| 1674 | CVE-2025-5314 | 0.17% | 38.1 | 6.1 | This vulnerability allows unauthenticated attackers to inject malicious JavaScript via the 'pdf-sour … |
| 1675 | CVE-2025-61788 | 0.17% | 38.2 | 5.4 | Opencast versions before 17.8 and 18.2 have a stored cross-site scripting (XSS) vulnerability where … |
| 1676 | CVE-2025-13525 | 0.17% | 38.2 | 6.1 | The WP Directory Kit WordPress plugin has a reflected cross-site scripting (XSS) vulnerability in th … |
| 1677 | CVE-2025-64407 | 0.17% | 38.2 | 5.3 | Apache OpenOffice versions through 4.1.15 have an authorization vulnerability where specially crafte … |
| 1678 | CVE-2025-67897 | 0.17% | 38.1 | 5.3 | This vulnerability in Sequoia PGP library versions before 2.1.0 allows remote attackers to crash app … |
| 1679 | CVE-2025-21403 | 0.17% | 37.9 | 6.4 | This vulnerability in On-Premises Data Gateway allows unauthorized access to sensitive information s … |
| 1680 | CVE-2025-1681 | 0.17% | 38.0 | 5.4 | The Cardealer WordPress theme has a vulnerability that allows authenticated users with subscriber-le … |
| 1681 | CVE-2025-31529 | 0.17% | 37.9 | 4.3 | A missing authorization vulnerability in the Slider Path for Elementor WordPress plugin allows attac … |
| 1682 | CVE-2025-31417 | 0.17% | 37.9 | 4.3 | This CVE describes a Missing Authorization vulnerability in the WP Docs WordPress plugin that allows … |
| 1683 | CVE-2025-30909 | 0.17% | 37.9 | 4.3 | This CVE describes a missing authorization vulnerability in the Conversios.io WordPress plugin that … |
| 1684 | CVE-2025-30851 | 0.17% | 37.9 | 4.3 | This CVE describes a missing authorization vulnerability in the Tickera WordPress plugin that allows … |
| 1685 | CVE-2025-2757 | 0.17% | 38.0 | 6.3 | A critical heap-based buffer overflow vulnerability in Assimp's MD5 file parser allows remote attack … |
| 1686 | CVE-2025-2754 | 0.17% | 38.0 | 6.3 | A critical heap-based buffer overflow vulnerability in Assimp's AC3D file handler allows remote atta … |
| 1687 | CVE-2025-30346 | 0.17% | 38.0 | 5.4 | This vulnerability allows attackers to perform client-side desync attacks via HTTP/1 requests agains … |
| 1688 | CVE-2025-29512 | 0.17% | 38.0 | 6.1 | A stored Cross-Site Scripting (XSS) vulnerability in NodeBB v4.0.4 and earlier allows attackers to i … |
| 1689 | CVE-2025-39571 | 0.17% | 37.9 | 4.3 | This CVE describes a Missing Authorization vulnerability in the WPXPO WowStore WordPress plugin that … |
| 1690 | CVE-2025-32212 | 0.17% | 37.9 | 6.5 | This CVE describes a missing authorization vulnerability in the Specia Companion WordPress plugin th … |
| 1691 | CVE-2025-31004 | 0.17% | 37.9 | 4.3 | This CVE describes a missing authorization vulnerability in the Croover.inc Rich Table of Contents W … |
| 1692 | CVE-2025-32358 | 0.17% | 38.0 | 4.0 | This vulnerability allows authenticated admin users in Zammad to perform Server-Side Request Forgery … |
| 1693 | CVE-2025-32277 | 0.17% | 37.9 | 4.3 | This CVE describes a Missing Authorization vulnerability in the RepairBuddy WordPress plugin that al … |
| 1694 | CVE-2025-32239 | 0.17% | 37.9 | 4.3 | This CVE describes a missing authorization vulnerability in the GetSocial.io WordPress plugin that a … |
| 1695 | CVE-2025-32237 | 0.17% | 37.9 | 4.3 | A missing authorization vulnerability in Stylemix MasterStudy LMS WordPress plugin allows attackers … |
| 1696 | CVE-2025-32234 | 0.17% | 37.9 | 4.3 | This CVE describes a Missing Authorization vulnerability in the AdMail WordPress plugin that allows … |
| 1697 | CVE-2025-32232 | 0.17% | 37.9 | 4.3 | This CVE describes a missing authorization vulnerability in the ERA404 StaffList WordPress plugin th … |
| 1698 | CVE-2025-32229 | 0.17% | 37.9 | 4.3 | This CVE describes a Missing Authorization vulnerability in the Bowo Variable Inspector WordPress pl … |
| 1699 | CVE-2025-31541 | 0.17% | 37.9 | 6.5 | This CVE describes a missing authorization vulnerability in the TuriTop Booking System WordPress plu … |
| 1700 | CVE-2025-31525 | 0.17% | 37.9 | 4.3 | This CVE describes a missing authorization vulnerability in the WP Mobile Bottom Menu WordPress plug … |

What is EPSS?

The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.

Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.
