Most Exploitable CVEs - EPSS Rankings
CVEs ranked by EPSS (Exploit Prediction Scoring System) probability. Higher scores mean a greater likelihood of exploitation in the wild within the next 30 days.
| Rank | CVE ID | EPSS Score | Percentile | CVSS | Flags | Summary |
|---|---|---|---|---|---|---|
| 3851 | CVE-2025-30549 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Yummly Rich Recipes WordPress plugin allows |
| 3852 | CVE-2025-30542 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the wpsolutions SoundCloud Ultimate WordPress p |
| 3853 | CVE-2025-30538 | | 24.4th | 4.3 | | This CSRF vulnerability in the Simple Optimizer WordPress plugin allows attackers to trick authentic |
| 3854 | CVE-2025-30534 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Image Captcha WordPress plugin allows attac |
| 3855 | CVE-2025-30526 | | 24.4th | 4.3 | | This Cross-Site Request Forgery (CSRF) vulnerability in the Typekit plugin for WordPress allows atta |
| 3856 | CVE-2025-30521 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the GP Back To Top WordPress plugin allows atta |
| 3857 | CVE-2025-29412 | | 24.4th | 4.8 | | This cross-site scripting (XSS) vulnerability in Mart Developers iBanking v2.0.0 allows attackers to |
| 3858 | CVE-2024-13552 | | 24.3th | 4.3 | | The SupportCandy WordPress plugin has an insecure direct object reference vulnerability that allows |
| 3859 | CVE-2025-39438 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the momen2009 Theme Changer WordPress plugin al |
| 3860 | CVE-2025-39426 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the illow - Cookies Consent WordPress plugin al |
| 3861 | CVE-2025-32817 | | 24.4th | 6.1 | | This vulnerability in SonicWall Connect Tunnel Windows client allows attackers to overwrite arbitrar |
| 3862 | CVE-2025-39546 | | 24.4th | 4.3 | | This CSRF vulnerability in ElementsReady Addons for Elementor allows attackers to trick authenticate |
| 3863 | CVE-2025-39512 | | 24.4th | 4.3 | | This Cross-Site Request Forgery (CSRF) vulnerability in the Yuya Hoshino Bulk Term Editor WordPress |
| 3864 | CVE-2025-26903 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the RealMag777 InPost Gallery WordPress plugin |
| 3865 | CVE-2025-32678 | | 24.4th | 4.3 | | This CSRF vulnerability in the WP Show Stats WordPress plugin allows attackers to trick authenticate |
| 3866 | CVE-2025-22015 | | 24.5th | 5.5 | | A Linux kernel memory management vulnerability allows corruption of xarray entries during shmem page |
| 3867 | CVE-2025-20940 | | 24.4th | 4.0 | | This vulnerability in Samsung Device Health Manager Service allows local attackers to bypass permiss |
| 3868 | CVE-2025-32274 | | 24.4th | 4.3 | | This CSRF vulnerability in the WP w3all phpBB integration plugin allows attackers to trick authentic |
| 3869 | CVE-2025-32272 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the PickPlugins Wishlist WordPress plugin allow |
| 3870 | CVE-2025-32270 | | 24.4th | 4.3 | | This CSRF vulnerability in the Broadstreet WordPress plugin allows attackers to trick authenticated |
| 3871 | CVE-2025-32268 | | 24.4th | 4.3 | | This CSRF vulnerability in the QR Code Tag for WC WordPress plugin allows attackers to trick authent |
| 3872 | CVE-2025-32266 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress plugin '404 Image Redirection (Re |
| 3873 | CVE-2025-32264 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in UltraAddons Elementor Lite WordPress plugin all |
| 3874 | CVE-2025-32262 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Robert D Payne RDP Wiki Embed WordPress plu |
| 3875 | CVE-2025-32250 | | 24.4th | 5.4 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Rollbar WordPress plugin allows attackers t |
| 3876 | CVE-2025-32248 | | 24.4th | 5.4 | | A Cross-Site Request Forgery (CSRF) vulnerability in the SwiftXR WordPress plugin allows attackers t |
| 3877 | CVE-2025-31888 | | 24.4th | 4.3 | | This CSRF vulnerability in WPExperts.io WP Multistore Locator allows attackers to trick authenticate |
| 3878 | CVE-2025-31880 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Stylemix Pearl WordPress plugin allows atta |
| 3879 | CVE-2025-31859 | | 24.4th | 5.4 | | This CSRF vulnerability in Feedbucket WordPress plugin allows attackers to trick authenticated admin |
| 3880 | CVE-2025-31852 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the N-Media Bulk Product Sync WordPress plugin |
| 3881 | CVE-2025-31839 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the digireturn DN Footer Contacts WordPress plu |
| 3882 | CVE-2025-31814 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the OwnerRez WordPress plugin allows attackers |
| 3883 | CVE-2025-31808 | | 24.4th | 4.3 | | This CSRF vulnerability in SCSS WP Editor WordPress plugin allows attackers to trick authenticated a |
| 3884 | CVE-2025-31784 | | 24.4th | 4.3 | | This CSRF vulnerability in the WordPress Embed Extended plugin allows attackers to trick authenticat |
| 3885 | CVE-2025-31776 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the Aphotrax Uptime Robot Plugin for WordPress |
| 3886 | CVE-2025-31763 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the WordPress Cache control by Cacholong plugin |
| 3887 | CVE-2025-31756 | | 24.4th | 4.3 | | A Cross-Site Request Forgery (CSRF) vulnerability in the TZ PlusGallery WordPress plugin allows atta |
| 3888 | CVE-2024-9765 | | 24.3th | 6.5 | | The EKC Tournament Manager WordPress plugin before version 2.2.2 contains a directory traversal vuln |
| 3889 | CVE-2024-6667 | | 24.4th | 6.1 | | The KBucket WordPress plugin before version 4.1.5 contains a reflected cross-site scripting (XSS) vu |
| 3890 | CVE-2024-42213 | | 24.4th | 5.3 | | HCL BigFix Compliance leaves temporary files in production environments that attackers can access th |
| 3891 | CVE-2024-7073 | | 24.3th | 6.5 | | This CVE describes a server-side request forgery (SSRF) vulnerability in multiple WSO2 products that |
| 3892 | CVE-2025-51082 | | 24.3th | 5.3 | | This vulnerability allows remote attackers to execute arbitrary code on Tenda AC8V4 routers by explo |
| 3893 | CVE-2025-53358 | | 24.5th | 6.5 | | This vulnerability in kotaemon allows attackers to perform directory traversal attacks by submitting |
| 3894 | CVE-2025-57749 | | 24.5th | 6.5 | | A symlink traversal vulnerability in n8n's Read/Write File node allows attackers to bypass directory |
| 3895 | CVE-2025-55014 | | 24.4th | 4.7 | | The YouDao plugin in StarDict sends X11 clipboard selections to remote servers via unencrypted HTTP, |
| 3896 | CVE-2025-64074 | | 24.3th | 5.3 | | A path-traversal vulnerability in the logout functionality of Shenzhen Zhibotong Electronics ZBT WE2 |
| 3897 | CVE-2025-50574 | | 24.5th | 6.1 | | This cross-site scripting (XSS) vulnerability in Glamour Salon Management System v1 allows attackers |
| 3898 | CVE-2025-54267 | | 24.5th | 6.5 | | This CVE describes an incorrect authorization vulnerability in Adobe Commerce that allows low-privil |
| 3899 | CVE-2025-11435 | | 24.4th | 4.3 | | This vulnerability allows attackers to inject malicious scripts into the /show/submissions endpoint |
| 3900 | CVE-2025-12426 | | 24.3th | 5.3 | | The Quiz Maker WordPress plugin exposes quiz answers to unauthenticated attackers through an AJAX en |
What is EPSS?
The Exploit Prediction Scoring System (EPSS) is a data-driven model developed by FIRST.org that estimates the probability that a CVE will be exploited in the wild within the next 30 days. Unlike CVSS, which measures severity, EPSS measures the likelihood of exploitation, which makes it well suited to deciding which vulnerabilities to patch first.
Why EPSS matters: With thousands of CVEs published monthly, not all vulnerabilities are equally dangerous. EPSS helps security teams focus on the CVEs most likely to be actively exploited, rather than patching solely by CVSS score. A critical CVSS 9.8 vulnerability with 0.1% EPSS may be less urgent than a high CVSS 7.5 with 90% EPSS.