EUVD-2026-31033
The Nexa Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE plugin for WordPress is vulnerable to Server-Side Request Forgery (SSRF) in versions up to and including 1.1.1. This is due to the importdemo function accepting a user-supplied URL in the demojsonfile POST parameter and...
CVE-2025-9331 Spacious <= 1.9.11 - Missing Authorization to Authenticated (Subscriber+) Demo Data Import
The Spacious theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'welcome_notice_import_handler' function in all versions up to, and including, 1.9.11. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2025-9331
CVE-2025-9331 affects the WordPress Spacious plugin. The issue is a missing capability check in the welcome_notice_import_handler, enabling authenticated users with Subscriber-level access and above to import demo data and modify data on all versions up to 1.9.11. Several connected sources confir...
CVE-2024-13810
The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zassimportzass' AJAX actions in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with...
CVE-2024-8430
The Spice Starter Sites plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the spicestartersitesimportercreater function in all versions up to, and including, 1.2.5. This makes it possible for unauthenticated attackers to import demo conte...
PostmagThemes Demo < 1.0.8 - Admin+ Arbitrary File Upload
The plugin does not validate the imported file, allowing high-privilege users such as admin to upload arbitrary files such as PHP leading to RCE. 1. Go to Appearance » Import Demo Data » Manual demo files upload » Run "Choose a JSON file for customizer import" and import a PHP file. 2. Click Impo...