Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 2051 | CVE-2025-31567 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Themesflat Addons For Elementor WordPres |
| 2052 | CVE-2025-31559 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in Caspio Bridge Custom Database Application |
| 2053 | CVE-2025-31556 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the IMPress for IDX Broker WordPress plugin |
| 2054 | CVE-2025-31549 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Agency Dominion Inc. Fusion WordPress |
| 2055 | CVE-2025-31543 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Twice Commerce WordPress plugin allow |
| 2056 | CVE-2025-31535 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Simple Owl Carousel WordPress plugin |
| 2057 | CVE-2025-31532 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the AtomChat WordPress plugin allows attacke |
| 2058 | CVE-2025-30963 | | 34.7th | 6.5 | | This DOM-based cross-site scripting vulnerability in Crocoblock's JetSmartFilters WordPress plugin a |
| 2059 | CVE-2025-30961 | | 34.7th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Trackserver WordPress plugin allows a |
| 2060 | CVE-2025-31412 | | 34.7th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the JetProductGallery WordPress plugin al |
| 2061 | CVE-2025-31043 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the JetSearch WordPress plugin allows att |
| 2062 | CVE-2025-30987 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the JetBlocks For Elementor WordPress plugin |
| 2063 | CVE-2025-31465 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Better Section Navigation Widget WordPre |
| 2064 | CVE-2025-31452 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in WP Ultimate Search WordPress plugin allows a |
| 2065 | CVE-2025-31450 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the phantom.omaga Toggle Box WordPress plugi |
| 2066 | CVE-2025-31433 | | 34.7th | 6.5 | | A stored cross-site scripting (XSS) vulnerability in the Magic Embeds WordPress plugin allows attack |
| 2067 | CVE-2025-31096 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the PostX WordPress plugin allows attacke |
| 2068 | CVE-2025-31093 | | 34.7th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the RPS |
| 2069 | CVE-2025-31088 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Paid Member Subscriptions WordPress plug |
| 2070 | CVE-2025-31073 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Unlimited WordPress theme allows attacke |
| 2071 | CVE-2025-31092 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Click to Chat WordPress plugin allows at |
| 2072 | CVE-2025-26736 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the MorningTime Lite WordPress theme allows |
| 2073 | CVE-2025-26732 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the StoreBiz WordPress theme allows attac |
| 2074 | CVE-2025-30925 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in The Pack Elementor addons WordPress plugin a |
| 2075 | CVE-2025-30922 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Simplebooklet PDF Viewer and Embedder Wo |
| 2076 | CVE-2025-30920 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Posts Carousel WordPress plugin allow |
| 2077 | CVE-2025-30900 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Zoho Billing - Embed Payment Form allows att |
| 2078 | CVE-2025-30898 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Persian WooCommerce Shipping WordPress p |
| 2079 | CVE-2025-30893 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the LeadConnector WordPress plugin allows |
| 2080 | CVE-2025-30836 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the LatePoint WordPress plugin allows attack |
| 2081 | CVE-2025-30832 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Themify Event Post WordPress plugin a |
| 2082 | CVE-2025-30826 | | 34.7th | 6.5 | | This DOM-based cross-site scripting vulnerability in the IP Locator WordPress plugin allows attacker |
| 2083 | CVE-2025-30813 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Listamester WordPress plugin allows atta |
| 2084 | CVE-2025-30786 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Quotes llama WordPress plugin allows |
| 2085 | CVE-2025-30779 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Doneren met Mollie WordPress plugin allo |
| 2086 | CVE-2025-30776 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Sitekit WordPress plugin allows attacker |
| 2087 | CVE-2025-30770 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Charitable WordPress plugin allows at |
| 2088 | CVE-2025-30768 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress jAlbum Bridge plugin allows at |
| 2089 | CVE-2025-30766 | | 34.7th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in Happy Addons for Elementor allows attacke |
| 2090 | CVE-2025-28885 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Fiverr.com Official Search Box WordPress |
| 2091 | CVE-2025-26869 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Build WordPress theme allows attackers t |
| 2092 | CVE-2025-26739 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the newseqo WordPress theme allows attackers |
| 2093 | CVE-2025-30551 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Pretty file links plugin allow |
| 2094 | CVE-2025-2771 | | 34.7th | 5.3 | | This vulnerability allows remote attackers to bypass authentication on BEC Technologies routers with |
| 2095 | CVE-2025-24550 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the JobScore Job Manager WordPress plugin al |
| 2096 | CVE-2025-22771 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress plugin 'The Great Firewords of |
| 2097 | CVE-2025-39582 | | 34.7th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the WP Data Access WordPress plugin allow |
| 2098 | CVE-2025-39579 | | 34.7th | 6.5 | | This DOM-based XSS vulnerability in WP Swings Membership For WooCommerce allows attackers to inject |
| 2099 | CVE-2025-39577 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in PropertyHive WordPress plugin allows attacke |
| 2100 | CVE-2025-39575 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in WPSight WPCasa WordPress plugin allows attac |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.