5810 matches found
Themes Coder Ecommerce <= 1.3.4 - SQL Injection
The Themes Coder Ecommerce WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. id: CVE-2024-13726 info: name: Themes Coder Ecommerce = 1.3.4 - SQL...
Multiple Thrive Themes < 2.0.0 - Arbitrary File Upload
Thrive “Legacy” Rise by Thrive Themes WordPress theme before 2.0.0, Luxe by Thrive Themes WordPress theme before 2.0.0, Minus by Thrive Themes WordPress theme before 2.0.0, Ignition by Thrive Themes WordPress theme before 2.0.0, FocusBlog by Thrive Themes WordPress theme before 2.0.0, Squared by...
All Thrive Themes and Plugins - Unauthenticated Option Update
The Thrive Optimize WordPress plugin before 1.4.13.3, Thrive Comments WordPress plugin before 1.4.15.3, Thrive Headline Optimizer WordPress plugin before 1.3.7.3, Thrive Leads WordPress plugin before 2.3.9.4, Thrive Ultimatum WordPress plugin before 2.3.9.4, Thrive Quiz Builder WordPress plugin...
WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
WordPress themes including Shapely = 1.2.7, NewsMag = 2.4.1, Activello = 1.4.0, Illdy = 2.1.4, Allegiant = 1.2.2, Newspaper X = 1.3.1, Pixova Lite = 2.0.5, Brilliance = 1.2.7, MedZone Lite = 1.2.4, Regina Lite = 2.0.4, Transcend = 1.1.8, Affluent = 1.1.0, Bonkers = 1.0.4, Antreas = 1.0.2, Sparkli...
WordPress Bello Directory & Listing Theme <1.6.0 - Cross-Site Scripting
WordPress Bello Directory & Listing theme before 1.6.0 contains a reflected cross-site scripting vulnerability. It does not properly sanitize and escape the listinglistview, btbblistingfieldmylat, btbblistingfieldmylng, btbblistingfielddistancevalue, btbblistingfieldmylatdefault,...
WordPress Catch Breadcrumb <1.5.4 - Cross-Site Scripting
WordPress Catch Breadcrumb plugin before 1.5.4 contains a reflected cross-site scripting vulnerability via the s parameter a search query. Also affected are 16 themes if the plugin is enabled: Alchemist and Alchemist PRO, Izabel and Izabel PRO, Chique and Chique PRO, Clean Enterprise and Clean...
Wordpress Multiple Themes - Reflected Cross-Site Scripting
All of the above Aapna WordPress theme through 1.3, Anand WordPress theme through 1.2, Anfaust WordPress theme through 1.1, Arendelle WordPress theme before 1.1.13, Atlast Business WordPress theme through 1.5.8.5, Bazaar Lite WordPress theme before 1.8.6, Brain Power WordPress theme through 1.2,...
CVE-2026-15336
The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catchthemesdemoimportactivateplugin function, hooked on admininit when the activateplugin GET parameter is present, calling PluginUpgrader::install to...
EUVD-2026-44855
The Catch Themes Demo Import plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 3.3. This is due to the catchthemesdemoimportactivateplugin function, hooked on admininit when the activateplugin GET parameter is present, calling PluginUpgrader::install to...
CVE-2026-15336
The CVE describes a vulnerability in the Catch Themes Demo Import plugin for WordPress (versions up to and including 3.3). The root cause is in catch_themes_demo_import_activate_plugin(), which is hooked on admin_init when the activate_plugin parameter is present and calls Plugin_Upgrader::instal...
Malicious code in @cw-ui/asio-neon-themes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dcd2366d31cefc8f66861e0e65c782a88c46dc9232d11d463a9fa2869c73dcaa On npm install, postinstall.js reads os.hostname and embeds it as a query parameter in a plain-HTTP GET to a bare IPv4 address...
MAL-2026-10556 Malicious code in @cw-ui/asio-neon-themes (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dcd2366d31cefc8f66861e0e65c782a88c46dc9232d11d463a9fa2869c73dcaa On npm install, postinstall.js reads os.hostname and embeds it as a query parameter in a plain-HTTP GET to a bare IPv4 address...
CVE-2026-57800
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through = 1.5...
CVE-2026-57788
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Edge-Themes Aalto aalto allows PHP Local File Inclusion.This issue affects Aalto: from n/a through = 1.8...
CVE-2026-57802
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through = 2.5.1...
CVE-2026-57800 WordPress Overworld theme <= 1.5 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion.This issue affects Overworld: from n/a through = 1.5...
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 29, 2026 to July 5, 2026)
Last week, there were 250 vulnerabilities disclosed in 181 WordPress Plugins and 41 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 101 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabiliti...
PT-2026-56960
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through = 2.5.1...
PT-2026-56950
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeMove Brook brook allows PHP Local File Inclusion.This issue affects Brook: from n/a through = 2.9.0...
PT-2026-56961
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Struktur Core struktur-core allows PHP Local File Inclusion.This issue affects Struktur Core: from n/a through = 2.5.1...