Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 3401 | CVE-2025-22781 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Nativery WordPress plugin allows atta |
| 3402 | CVE-2025-22769 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Creative Brahma Multifox WordPress theme |
| 3403 | CVE-2025-22761 | | 25.8th | 6.5 | | This stored XSS vulnerability in the Ajax Contact Form WordPress plugin allows attackers to inject m |
| 3404 | CVE-2025-22758 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in Elementor AI Addons for WordPress allows |
| 3405 | CVE-2025-22749 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the AwoThemes Social Media Engine WordPress |
| 3406 | CVE-2025-22747 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Foundation Columns plugin allo |
| 3407 | CVE-2025-22745 | | 25.8th | 6.5 | | This DOM-based cross-site scripting vulnerability in the Navigation Du Lapin Blanc WordPress plugin |
| 3408 | CVE-2025-22743 | | 25.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Twit |
| 3409 | CVE-2024-47517 | | 25.7th | 6.8 | | This vulnerability allows attackers to obtain expired administrator authentication tokens from netwo |
| 3410 | CVE-2025-22827 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the WP Joomag WordPress plugin allows att |
| 3411 | CVE-2025-22824 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Lucia Intelisano Live Flight Radar WordP |
| 3412 | CVE-2025-22822 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Custom Countdown WordPress plugin all |
| 3413 | CVE-2025-22820 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the VR Views WordPress plugin allows attacke |
| 3414 | CVE-2025-22818 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the S3Bubble S3Player WordPress plugin allow |
| 3415 | CVE-2025-22813 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the ChatBot for WordPress - WPBot Conversati |
| 3416 | CVE-2025-22811 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the MT Addons for Elementor WordPress plugin |
| 3417 | CVE-2025-22809 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Gravity Master PDF Catalog Woocommerc |
| 3418 | CVE-2025-22807 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Responsive Flickr Slideshow WordPress pl |
| 3419 | CVE-2025-22805 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Skill Bar plugin allows attack |
| 3420 | CVE-2025-22803 | | 25.8th | 6.5 | | A stored cross-site scripting (XSS) vulnerability in VillaTheme's Advanced Product Information for W |
| 3421 | CVE-2025-22801 | | 25.8th | 6.5 | | This stored XSS vulnerability in the Free WooCommerce Theme 99fy Extension WordPress plugin allows a |
| 3422 | CVE-2025-22365 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress EMC2 Alert Boxes plugin allows |
| 3423 | CVE-2025-22354 | | 25.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Digi Store WordPress theme allows att |
| 3424 | CVE-2025-22296 | | 25.8th | 6.5 | | This is a cross-site scripting (XSS) vulnerability in the Hash Elements WordPress plugin that allows |
| 3425 | CVE-2025-22584 | | 25.8th | 6.5 | | This DOM-based XSS vulnerability in the Timeline Pro WordPress plugin allows attackers to inject mal |
| 3426 | CVE-2025-22580 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Biltorvet Dealer Tools WordPress plugin |
| 3427 | CVE-2025-22574 | | 25.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the ICS |
| 3428 | CVE-2025-22572 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Legacy ePlayer WordPress plugin allows a |
| 3429 | CVE-2025-22558 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the mcjh button shortcode WordPress plugin a |
| 3430 | CVE-2025-22554 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Video Embed Optimizer WordPress plugin a |
| 3431 | CVE-2025-22551 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Boot-Modal WordPress plugin allows attac |
| 3432 | CVE-2025-22549 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Github WordPress plugin allows attack |
| 3433 | CVE-2025-22546 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the jQuery TwentyTwenty WordPress plugin all |
| 3434 | CVE-2025-22544 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Mind Doodle Visual Sitemaps & Tasks Word |
| 3435 | CVE-2025-22532 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Simple Photo Sphere WordPress plugin all |
| 3436 | CVE-2025-22530 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the SIOT Iamport payment button plugin for W |
| 3437 | CVE-2025-22528 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Huurkalender WP WordPress plugin allows |
| 3438 | CVE-2025-22524 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Formafzar WordPress plugin allows attack |
| 3439 | CVE-2025-22517 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress List Pages at Depth plugin all |
| 3440 | CVE-2025-22515 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Show Google Analytics WordPress widget a |
| 3441 | CVE-2025-22511 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Ella van Durpe Slides & Presentations Wo |
| 3442 | CVE-2025-22362 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress WPAchievements Free plugin all |
| 3443 | CVE-2025-22339 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the Store Commerce WordPress theme allows |
| 3444 | CVE-2025-22333 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Piotnet Addons for Elementor WordPress p |
| 3445 | CVE-2025-22327 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the EO4WP WordPress plugin allows attackers |
| 3446 | CVE-2025-22321 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in ElementsCSS Addons for Elementor WordPress p |
| 3447 | CVE-2025-22312 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in ThimPress Thim Elementor Kit WordPress pl |
| 3448 | CVE-2025-22309 | | 25.8th | 6.5 | | This DOM-based XSS vulnerability in the SpeakOut! Email Petitions WordPress plugin allows attackers |
| 3449 | CVE-2025-22261 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP FullCalendar WordPress plugin allows |
| 3450 | CVE-2025-26980 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Wired Impact Volunteer Management WordPr |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures likelihood of exploitation, making it ideal for prioritizing which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.