CVE-2026-5717

The CVE-2026-5717 entry concerns the WordPress plugin VI: Include Post By. Affected: all versions up to 0.4.200706. Issue: Stored Cross-Site Scripting via the class_container attribute of the include-post-by-cat shortcode, caused by insufficient input sanitization and output escaping on user-supp...

CVE-2026-5717 VI: Include Post By <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-5717

The VI: Include Post By plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'classcontainer' attribute of the 'include-post-by-cat' shortcode in all versions up to, and including, 0.4.200706 due to insufficient input sanitization and output escaping on user supplied...

WordPress VI: Include Post By plugin <= 0.4.200706 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'class_container' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'classcontainer' Shortcode Attribute vulnerability discovered by MAJidox in WordPress Plugin VI: Include Post By versions = 0.4.200706...

PT-2026-33013

Name of the Vulnerable Software and Affected Versions VI: Include Post By versions prior to 0.4.200706 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping on user supplied attributes. Authenticated attackers with contributor-level access and...

WordPress plugin VI: Include Post By 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-39538

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Mikado Core mikado-core allows PHP Local File Inclusion.This issue affects Mikado Core: from n/a through = 1.6...

CVE-2026-39544

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in themeStek LabtechCO labtechco allows PHP Local File Inclusion.This issue affects LabtechCO: from n/a through = 8.3...

CVE-2026-39679

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through = 1.3.21...

CVE-2025-5804

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Case Themes Case Theme User case-theme-user allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a through 1.0.4...

CVE-2025-58913

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through = 2.3.8.1...

CVE-2025-58913

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CactusThemes VideoPro videopro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through = 2.3.8.1...

Exploit for Code Injection in Backupbliss Backup_Migration

🔥 CVE-2023-6553 — WordPress Backup Migration RCE Unauthen...

CVE-2025-5804

CVE-2025-5804 affects the WordPress plugin Case Theme User (versions before 1.0.4). The issue is an Unauthenticated Local File Inclusion due to Improper Control of Filename for Include/Require Statement in PHP, enabling LFI in Case Theme User prior to 1.0.4. Public references from Patchstack/Word...

CVE-2026-39623

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in kutethemes Biolife biolife allows PHP Local File Inclusion.This issue affects Biolife: from n/a through = 3.2.3...

PT-2026-31913

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Case Themes Case Theme User allows PHP Local File Inclusion.This issue affects Case Theme User: from n/a before 1.0.4...

PT-2026-31914

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in CactusThemes VideoPro allows PHP Local File Inclusion.This issue affects VideoPro: from n/a through 2.3.8.1...

CVE-2026-39639

Missing Authorization vulnerability in redpixelstudios RPS Include Content rps-include-content allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects RPS Include Content: from n/a through = 1.2.2...

CLSA-2026-1775731413 libxml2: Fix of 8 CVEs

CVE-2023-45322: fix use-after-free in xmlStaticCopyNodeList when copying DTDs - CVE-2024-34459: fix buffer over-read in xmlHTMLPrintFileContext in xmllint - CVE-2025-6170: fix potential buffer overflows in xmllint interactive shell - CVE-2025-8732: fix stack overflow from self-referencing SGML...

CVE-2026-35525

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for % include %, % render %, and % layout %, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not...