Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 3451 | CVE-2025-26949 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Team Section Block plugin allo |
| 3452 | CVE-2025-26947 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Services Section block plugin |
| 3453 | CVE-2025-26939 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Counters Block WordPress plugin allows a |
| 3454 | CVE-2025-26937 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Icon List Block plugin allows |
| 3455 | CVE-2025-26913 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the AR For WordPress plugin allows attack |
| 3456 | CVE-2025-26896 | | 25.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by PiwigoPr |
| 3457 | CVE-2025-26891 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Ibtana WordPress plugin allows attackers |
| 3458 | CVE-2025-26881 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Sticky Content plugin allows a |
| 3459 | CVE-2025-27351 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Local Search SEO Contact Page |
| 3460 | CVE-2025-27348 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WP Social SEO Booster WordPress plugin a |
| 3461 | CVE-2025-27341 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Reactive Mortgage Calculator WordPress p |
| 3462 | CVE-2025-27331 | | 25.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages viewed by other users |
| 3463 | CVE-2025-27329 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the EZ InLinkz linkup WordPress plugin al |
| 3464 | CVE-2025-27327 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the SRS Player WordPress plugin allows at |
| 3465 | CVE-2025-27323 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the WP About Author WordPress plugin allo |
| 3466 | CVE-2025-27320 | | 25.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Profile Widget Ninja WordPress plugin |
| 3467 | CVE-2025-27307 | | 25.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into web pages generated by the Quot |
| 3468 | CVE-2025-27305 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Table of Contents Block plugin |
| 3469 | CVE-2025-27280 | | 25.8th | 6.5 | | This vulnerability allows attackers to inject malicious scripts into Archive Page WordPress plugin p |
| 3470 | CVE-2025-27265 | | 25.8th | 6.5 | | This DOM-based cross-site scripting (XSS) vulnerability in the Google Maps for WordPress plugin allo |
| 3471 | CVE-2025-25875 | | 25.8th | 6.4 | | CVE-2025-25875 is an SQL injection vulnerability in ITSourcecode Simple ChatBox that allows attacker |
| 3472 | CVE-2025-27016 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Drivr Lite WordPress plugin allows attac |
| 3473 | CVE-2025-26766 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Leyka WordPress plugin allows attackers |
| 3474 | CVE-2025-26761 | | 25.8th | 6.5 | | A DOM-based cross-site scripting (XSS) vulnerability in HashThemes Easy Elementor Addons WordPress p |
| 3475 | CVE-2025-22689 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Forex Calculators WordPress plugin allow |
| 3476 | CVE-2025-22676 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Upcasted AWS S3 for WordPress plugin all |
| 3477 | CVE-2025-26574 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Google Drive WP Media WordPress plugin a |
| 3478 | CVE-2025-26567 | | 25.8th | 6.5 | | This DOM-based XSS vulnerability in the Font Awesome WP WordPress plugin allows attackers to inject |
| 3479 | CVE-2025-26558 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the mkkmail Aparat Responsive WordPress p |
| 3480 | CVE-2025-26538 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Prezi Embedder WordPress plugin allows a |
| 3481 | CVE-2025-25136 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Optimate Ads WordPress plugin allows att |
| 3482 | CVE-2025-25117 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Smart Countdown FX WordPress plugin allo |
| 3483 | CVE-2025-25098 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Links in Captions plugin allow |
| 3484 | CVE-2025-25094 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Breaking News Ticker WordPress plugin al |
| 3485 | CVE-2025-25091 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the NextGen Cooliris Gallery WordPress plugi |
| 3486 | CVE-2025-25082 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the FlexIDX Home Search WordPress plugin all |
| 3487 | CVE-2025-25080 | | 25.8th | 6.5 | | A stored cross-site scripting (XSS) vulnerability in the Kona Gallery Block WordPress plugin allows |
| 3488 | CVE-2025-25078 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Google Earth Embed WordPress plugin allo |
| 3489 | CVE-2025-25076 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Graceful Email Obfuscation WordPress plu |
| 3490 | CVE-2025-22674 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in Get Bowtied's Product Blocks for WooCommerce |
| 3491 | CVE-2025-22662 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the SendPulse Email Marketing Newsletter Wor |
| 3492 | CVE-2025-23747 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Awesome Timeline WordPress plugin allows |
| 3493 | CVE-2025-23581 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Demo User DZS WordPress plugin allows at |
| 3494 | CVE-2025-22292 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Powerful Auto Chat WordPress plugin allo |
| 3495 | CVE-2025-24261 | | 25.7th | 5.5 | | This macOS vulnerability allows applications to bypass file system protection mechanisms and modify |
| 3496 | CVE-2025-1474 | | 25.7th | 5.5 | | In MLflow versions 2.18, administrators can create user accounts without setting passwords, violatin |
| 3497 | CVE-2025-26895 | | 25.8th | 6.5 | | This DOM-based Cross-Site Scripting (XSS) vulnerability in the m1.DownloadList WordPress plugin allo |
| 3498 | CVE-2025-28929 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Tabbed Login Widget WordPress plugin all |
| 3499 | CVE-2025-28919 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the WordPress Easy Image Display plugin allo |
| 3500 | CVE-2025-23829 | | 25.8th | 6.5 | | This stored cross-site scripting (XSS) vulnerability in the Woo Update Variations In Cart WordPress |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with a 0.1% EPSS score may be less urgent than a high CVSS 7.5 vulnerability with a 90% EPSS score.