2172 matches found
CVE-2026-57804
CVE-2026-57804 describes an PHP Local File Inclusion in CodexThemes TheGem Theme Elements (for Elementor), specifically TheGem Theme Elements for Elementor up to version 5.11.1. The issue arises from improper control of the filename used in include/require statements, enabling an attacker with au...
CVE-2026-57795 WordPress Kitchor theme <= 1.4.3 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in themelexus Kitchor kitchor allows PHP Local File Inclusion.This issue affects Kitchor: from n/a through = 1.4.3...
CVE-2026-57796 WordPress Leedo theme <= 3.0.0 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in VLThemes Leedo leedo allows PHP Local File Inclusion.This issue affects Leedo: from n/a through = 3.0.0...
CVE-2026-57738
CVE-2026-57738 affects WordPress Theme 777 (axiomthemes) up to version 1.13.0. The issue is a PHP object‑injection via deserialization of untrusted data in the 777 plugin/theme, enabling arbitrary object injection with high impact (CVSS 3.1: 9.8, Network attack, no user interaction). Connected so...
CVE-2026-57405
CVE-2026-57405 affects WordPress Open Shop theme (versions up to and including 1.7.1). The root cause is Missing Authorization due to incorrectly configured access control levels, classified as a Broken Access Control vulnerability. CVSS3.1 metrics indicate a HIGH base score of 7.1 (AV:N/AC:L/PR:...
CVE-2026-57368
CVE-2026-57368 concerns the NooTheme Jobmonster WordPress theme (noo-jobmonster) with a reflected Cross-Site Scripting (XSS) vulnerability described as caused by improper neutralization of input during web page generation. Affected version range is Jobmonster up to and including 4.8.5. The vulner...
CVE-2026-57368 WordPress Jobmonster theme <= 4.8.5 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in NooTheme Jobmonster noo-jobmonster allows Reflected XSS.This issue affects Jobmonster: from n/a through = 4.8.5...
mTheme Unus < 2.3 - Directory Traversal
The mTheme-Unus theme for WordPress, prior to version 2.3, contained a directory traversal flaw that let attackers access arbitrary files. This was possible by exploiting the files parameter in css/css.php with .. sequences. id: CVE-2015-9406 info: name: mTheme Unus 2.3 - Directory Traversal...
Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it...
WordPress Jannah Theme <5.4.5 - Cross-Site Scripting
WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action. id: CVE-2021-24407 info: name: WordPress Jannah Theme 5.4.5 - Cross-Site Scripting author: pikpikcu severity:...
CVE-2026-6801 Context Blog <= 1.3.5 - Unauthenticated Sensitive Information Exposure via 'postID' Parameter
The Context Blog theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.5 via the contextblogmodalpopup. This makes it possible for unauthenticated attackers to extract the content of password-protected posts...
CVE-2026-12685
The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator emai...
WordPress 777 theme <= 1.13.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme 777 versions = 1.13.0...
WordPress Open Shop theme <= 1.7.1 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by HaiND in WordPress Theme Open Shop versions = 1.7.1...
WordPress Flatsome theme <= 3.20.5 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by Bonds in WordPress Theme Flatsome versions = 3.20.5...
WordPress Nuss theme <= 1.3.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Nuss versions = 1.3.6...
CVE-2026-57685
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme = 3.2.8 versions...
CVE-2025-69156
Unauthenticated Cross Site Scripting XSS in Kids Zone - Children WordPress Theme = 5.4 versions...
CVE-2025-69155
Unauthenticated Cross Site Scripting XSS in Fitness Zone WordPress Theme = 5.7 versions...
CVE-2025-69154
Unauthenticated Cross Site Scripting XSS in SpaLab | Beauty Salon WordPress Theme = 6.7 versions...