Aggregating NVD, CVE, and multi-source threat feeds, this list provides deep analysis of high-risk threats such as RCE. By integrating CVSS and EPSS models, the system dynamically tracks Exp (Exploit) resources and PoC availability to accurately assess Exploitability. Combined with official Patches and remediation strategies, it helps prioritize Vulnerability Management workflows, significantly shortening response cycles and securing your critical assets.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2015-10138 | The Work The Flow File Upload plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jQuery-File-Upload-9.5.0 server and test files in versions up to, and including, 2.5.2. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 9.8 | 2.43% | 2025-07-19 | 2026-06-16 |
| CVE-2015-10136 | The GI-Media Library plugin for WordPress is vulnerable to Directory Traversal in versions before 3.0 via the 'fileid' parameter. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information. | 7.5 | 1.96% | 2025-07-19 | 2026-06-16 |
| CVE-2015-10135 | The WPshop 2 – E-Commerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajaxUpload function in versions before 1.3.9.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected sites server which may make remote code execution possible. | 9.8 | 2.76% | 2025-07-19 | 2026-06-16 |
| CVE-2015-10134 | The Simple Backup plugin for WordPress is vulnerable to Arbitrary File Download in versions up to, and including, 2.7.10. via the download_backup_file function. This is due to a lack of capability checks and file type validation. This makes it possible for attackers to download sensitive files such as the wp-config.php file from the affected site. | 7.5 | 1.15% | 2025-07-19 | 2026-06-16 |
| CVE-2015-10133 | The Subscribe to Comments for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.1.2 via the Path to header value. This allows authenticated attackers, with administrative privileges and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and i | 7.2 | 1.39% | 2025-07-19 | 2026-06-16 |
| CVE-2015-20112 | RLPx 5 has two CTR streams based on the same key, IV, and nonce. This can facilitate decryption on a private network. | 3.4 | 0.05% | 2025-06-29 | 2026-06-16 |
| CVE-2015-0849 | pycode-browser before version 1.0 is prone to a predictable temporary file vulnerability. | 3.9 | 0.11% | 2025-06-26 | 2026-06-16 |
| CVE-2015-0843 | yubiserver before 0.6 is prone to buffer overflows due to misuse of sprintf. | 9.8 | 0.39% | 2025-06-26 | 2026-06-16 |
| CVE-2015-0842 | yubiserver before 0.6 is prone to SQL injection issues, potentially leading to an authentication bypass. | 9.8 | 0.35% | 2025-06-26 | 2026-06-16 |
| CVE-2015-4582 | The TheCartPress boot-store (aka Boot Store) theme 1.6.4 for WordPress allows header.php tcp_register_error XSS. NOTE: CVE-2015-4582 is not assigned to any Oracle product. | 7.2 | 0.19% | 2025-04-28 | 2026-06-16 |
| CVE-2015-2079 | Usermin 0.980 through 1.x before 1.660 allows uconfig_save.cgi sig_file_free remote code execution because it uses the two argument (not three argument) form of Perl open. | 9.9 | 1.00% | 2025-04-28 | 2026-06-16 |
| CVE-2015-20111 | miniupnp before 4c90b87, as used in Bitcoin Core before 0.12 and other products, lacks checks for snprintf return values, leading to a buffer overflow and significant data leak, a different vulnerability than CVE-2019-12107. In Bitcoin Core before 0.12, remote code execution was possible in conjunction with CVE-2015-6031 exploitation. | 9.8 | 1.27% | 2024-11-17 | 2026-06-16 |
| CVE-2015-10132 | A vulnerability classified as problematic was found in Thimo Grauerholz WP-Spreadplugin up to 3.8.6.1 on WordPress. This vulnerability affects unknown code of the file spreadplugin.php. The manipulation of the argument Spreadplugin leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 3.8.6.6 is able to address this issue. The name of the patch is a9b9afc641854698e80aa5dd9ababfc8e0e57d69. It is recommended to upgrade the affected component. The identifier of t | 3.5 | 0.49% | 2024-04-21 | 2026-06-16 |
| CVE-2015-10131 | A vulnerability was found in chrisy TFO Graphviz Plugin up to 1.9 on WordPress and classified as problematic. Affected by this issue is the function admin_page_load/admin_page of the file tfo-graphviz-admin.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.10 is able to address this issue. The name of the patch is 594c953a345f79e26003772093b0caafc14b92c2. It is recommended to upgrade the affected component. The identifier of this vul | 3.5 | 0.49% | 2024-03-31 | 2026-06-16 |
| CVE-2015-10123 | An unautheticated remote attacker could send specifically crafted packets to a affected device. If an authenticated user then views that data in a specific page of the web-based management a buffer overflow will be triggered to gain full access of the device. | 8.8 | 0.65% | 2024-03-13 | 2026-06-16 |
| CVE-2015-10130 | The Team Circle Image Slider With Lightbox plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing or incorrect nonce validation on the circle_thumbnail_slider_with_lightbox_image_management_func() function. This makes it possible for unauthenticated attackers to edit image data which can be used to inject malicious JavaScript, along with deleting images, and uploading malicious files via a forged request granted they can trick a site administrator | 5.3 | 0.20% | 2024-03-12 | 2026-06-16 |
| CVE-2015-10129 | A vulnerability was found in planet-freo up to 20150116 and classified as problematic. Affected by this issue is some unknown functionality of the file admin/inc/auth.inc.php. The manipulation of the argument auth leads to incorrect comparison. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious deliver | 3.7 | 0.62% | 2024-02-04 | 2026-06-16 |
| CVE-2015-10128 | A vulnerability was found in rt-prettyphoto Plugin up to 1.2 on WordPress and classified as problematic. Affected by this issue is the function royal_prettyphoto_plugin_links of the file rt-prettyphoto.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.3 is able to address this issue. The patch is identified as 0d3d38cfa487481b66869e4212df1cefc281ecb7. It is recommended to upgrade the affected component. VDB-249422 is the identifier a | 3.5 | 0.46% | 2024-01-02 | 2026-06-16 |
| CVE-2015-10127 | A vulnerability was found in PlusCaptcha Plugin up to 2.0.6 on WordPress and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 2.0.14 is able to address this issue. The patch is identified as 1274afc635170daafd38306487b6bb8a01f78ecd. It is recommended to upgrade the affected component. VDB-248954 is the identifier assigned to this vulnerability. | 3.5 | 0.46% | 2023-12-26 | 2026-06-16 |
| CVE-2015-8314 | The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access. | 7.5 | 0.62% | 2023-12-12 | 2026-06-16 |