WordPress Campress Theme <= 1.35 - Unauthenticated Local File Inclusion

Campress theme for WordPress up to 1.35 contains a local file inclusion caused by 'campresswoocommercegetajaxproducts' function, letting unauthenticated attackers include and execute arbitrary PHP files, exploit requires no authentication. id: CVE-2024-10763 info: name: WordPress Campress Theme =...

WordPress Choreo theme <= 1.6 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Choreo versions = 1.6...

WordPress WineShop theme <= 3.17 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme WineShop versions = 3.17...

CVE-2026-39642 WordPress Nyla theme <= 1.7 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in SpabRice Nyla allows Code Injection. This issue affects Nyla: from n/a through 1.7...

WordPress CopyPress theme <= 1.4.5 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme CopyPress versions = 1.4.5...

CVE-2026-6812

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the onaactivatechildtheme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...

VulnCheck KEV: CVE-2024-13421

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to...

WordPress Kids Online Store theme <= 0.8.9 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Theme Kids Online Store versions = 0.8.9...

WordPress Ecommerce Zone theme <= 0.9.7 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Theme Ecommerce Zone versions = 0.9.7...

EUVD-2024-47052

The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVE-2026-39635 WordPress Grand Magazine theme <= 3.5.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through = 3.5.5...

CVE-2026-39628 WordPress DukaMarket theme <= 1.3.0 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in kutethemes DukaMarket dukamarket allows Code Injection.This issue affects DukaMarket: from n/a through = 1.3.0...

CVE-2026-39603 WordPress Grand Photography theme <= 5.7.8 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in ThemeGoods Grand Photography grandphotography allows Cross Site Request Forgery.This issue affects Grand Photography: from n/a through = 5.7.8...

CVE-2026-32374

Missing Authorization vulnerability in raratheme The Minimal the-minimal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The Minimal: from n/a through = 1.2.9...

CVE-2026-32515 WordPress Miraculous theme < 2.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in kamleshyadav Miraculous miraculous allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Miraculous: from n/a through 2.1.2...

CVE-2026-32505 WordPress Kiddy theme <= 2.0.8 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CreativeWS Kiddy kiddy allows PHP Local File Inclusion.This issue affects Kiddy: from n/a through = 2.0.8...

CVE-2026-25360

CVE-2026-25360 corresponds to a Deserialization of Untrusted Data vulnerability in the Vex plugin by Vex (Vex) for WordPress. Affected product: Vex = 1.2.9). Connected Wordfence details also list the CVE-2026-25360 under the Wordfence vulnerability repository with the same patched status and attr...

CVE-2026-25359 WordPress Pendulum theme < 3.1.5 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in rascals Pendulum pendulum allows Object Injection.This issue affects Pendulum: from n/a through 3.1.5...

CVE-2026-22509

CVE-2026-22509 is a WordPress Gioia theme vulnerability (

CVE-2026-22500 WordPress m2 | Construction and Tools Store theme <= 1.1.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in axiomthemes m2 | Construction and Tools Store m2-ce allows Object Injection.This issue affects m2 | Construction and Tools Store: from n/a through = 1.1.2...