Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 2101 | CVE-2025-39573 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Posts Carousel WordPress plugin allow |
| 2102 | CVE-2025-39555 | | 34.7th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into Church Admin WordPress plugin p |
| 2103 | CVE-2025-39549 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Most And Least Read Posts Widget WordPre |
| 2104 | CVE-2025-39543 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Royal Elementor Addons WordPress plugin |
| 2105 | CVE-2025-39529 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Scriptless Social Sharing WordPress plug |
| 2106 | CVE-2025-39525 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Logo Carousel Slider plugin al |
| 2107 | CVE-2025-39516 | | 34.7th | 6.5 | | This DOM-based XSS vulnerability in the Author WIP Progress Bar WordPress plugin allows attackers to |
| 2108 | CVE-2025-39514 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Asgaros Forum allows attackers to inject mal |
| 2109 | CVE-2025-30982 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the MyBookProgress WordPress plugin allows a |
| 2110 | CVE-2025-26951 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the C9 Blocks WordPress plugin allows att |
| 2111 | CVE-2025-26934 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Glossy Blog WordPress theme allows attac |
| 2112 | CVE-2025-26870 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the JetEngine WordPress plugin allows att |
| 2113 | CVE-2025-26749 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WPFactory Additional Custom Product Tabs |
| 2114 | CVE-2025-22269 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Real Testimonials WordPress plugin allow |
| 2115 | CVE-2025-26982 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the DSGVO Youtube WordPress plugin allows |
| 2116 | CVE-2025-26744 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the JetBlog WordPress plugin allows attac |
| 2117 | CVE-2025-32214 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Hive Support WordPress plugin allows att |
| 2118 | CVE-2025-32495 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Waymark WordPress plugin allows attacker |
| 2119 | CVE-2025-31020 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Simple Spoiler WordPress plugin allows a |
| 2120 | CVE-2025-32211 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Broadstreet WordPress plugin allows atta |
| 2121 | CVE-2025-32207 | | 34.7th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Ni W |
| 2122 | CVE-2025-32194 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in LA-Studio Element Kit for Elementor allows a |
| 2123 | CVE-2025-32192 | | 34.7th | 6.5 | | This stored Cross-Site Scripting (XSS) vulnerability in Ultra Addons Lite for Elementor allows attac |
| 2124 | CVE-2025-32190 | | 34.7th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Musician's Pack for Elementor WordPre |
| 2125 | CVE-2025-32188 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Advanced Woo Labels WordPress plugin all |
| 2126 | CVE-2025-32186 | | 34.7th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in Turbo Addons for Elementor allows attacke |
| 2127 | CVE-2025-32184 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Ultimate Store Kit Elementor Addons Word |
| 2128 | CVE-2025-32182 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Spider Elements WordPress plugin allows |
| 2129 | CVE-2025-32179 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Maps for WP WordPress plugin allows atta |
| 2130 | CVE-2025-32177 | | 34.7th | 6.5 | | A stored cross-site scripting (XSS) vulnerability in the pgn4web Embed Chessboard WordPress plugin a |
| 2131 | CVE-2025-32175 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in VK Filter Search WordPress plugin allows att |
| 2132 | CVE-2025-32173 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the B Blocks WordPress plugin allows attacke |
| 2133 | CVE-2025-32171 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Table Block by Tableberg WordPress plugi |
| 2134 | CVE-2025-32167 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in SurveyJS allows attackers to inject maliciou |
| 2135 | CVE-2025-32165 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Doppler Forms WordPress plugin allows at |
| 2136 | CVE-2025-32162 | | 34.7th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 2137 | CVE-2025-31407 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Tiger WordPress theme allows attackers t |
| 2138 | CVE-2025-31126 | | 34.6th | 5.3 | | An attacker controlling the element.json well-known file can potentially access media encryption key |
| 2139 | CVE-2025-31893 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Botnet Attack Blocker WordPress plugin a |
| 2140 | CVE-2025-31819 | | 34.7th | 6.5 | | This Cross-site Scripting (XSS) vulnerability in the Nova Blocks WordPress plugin allows attackers t |
| 2141 | CVE-2025-31897 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Arrow Custom Feed for Twitter WordPress |
| 2142 | CVE-2025-31894 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Infoway LLC's Ebook Downloader WordPress plu |
| 2143 | CVE-2025-31891 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Gosign Posts Slider Block WordPress plug |
| 2144 | CVE-2025-31884 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Norse Rune Oracle plugin allow |
| 2145 | CVE-2025-31875 | | 34.7th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the FancyPost WordPress plugin allows att |
| 2146 | CVE-2025-31873 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the SheetDB WordPress plugin allows attacker |
| 2147 | CVE-2025-31869 | | 34.7th | 6.5 | | This stored Cross-Site Scripting (XSS) vulnerability in the Black Widgets For Elementor WordPress pl |
| 2148 | CVE-2025-31861 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Perfect Font Awesome Integration WordPre |
| 2149 | CVE-2025-31850 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the PDF Generator Addon for Elementor Page B |
| 2150 | CVE-2025-31844 | | 34.7th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Magical Blocks WordPress plugin allows a |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.