512 matches found
CVE-2024-13787 VEDA - MultiPurpose WordPress Theme <= 4.2 - Authenticated (Subscriber+) PHP Object Injection
The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'vedabackupandrestoreaction' function. This makes it possible for authenticated attackers, with Subscriber-leve...
CVE-2024-13811 Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme <= 4.5.7 - Missing Authorization to Authenticated (Subscriber+) Demo Import
The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafkaimportlafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attacker...
CVE-2024-13811
CVE-2024-13811 concerns the Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme for WordPress (versions
CVE-2024-8682 JNews - WordPress Newspaper Magazine Blog AMP Theme <= 11.6.6 - Unauthorized User Registration
The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validate if the user can register option is enabled prior to creating a user though the...
CVE-2024-8682
CVE-2024-8682 affects JNews theme for WordPress (versions up to and including 11.6.6). The vulnerability allows unauthenticated users to register as site users because register_handler() does not adequately validate if user registration is enabled before creating a user. Impact is unauthorized us...
CVE-2025-1307 Newscrunch <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload
The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunchinstallandactivateplugin function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above...
CVE-2024-12811
The CVE CVE-2024-12811 affects the Traveler WordPress theme (versions up to 3.1.8). It describes an authenticated Local File Inclusion via the hotel_alone_slider shortcode’s style attribute, enabling an attacker with contributor+ permissions to include arbitrary server files and execute PHP code....
CVE-2024-13693
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive...
CVE-2025-1282
The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletepostphoto and addcar functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers,...
CVE-2025-1282 Car Dealer Automotive WordPress Theme – Responsive <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Deletion and Read
The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the deletepostphoto and addcar functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers,...
CVE-2024-13693 Enfold <= 6.0.9 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive...
CVE-2024-13693
CVE-2024-13693 affects the Enfold WordPress theme (versions
WordPress Enfold theme <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id vulnerability
Authenticated Subscriber+ Server-Side Request Forgery via attachmentid vulnerability discovered by mikemyers in WordPress Theme Enfold versions = 6.0.9...
CVE-2025-27013
CVE-2025-27013 affects MediCenter - Health Medical Clinic WordPress Theme (MediCenter). Described as a Missing Authorization vulnerability, with CVSS v3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Wordfence documentation confirms the affected software and labels the issue as Missing A...
CVE-2024-13667
The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level acces...
CVE-2024-13681
CVE-2024-13681 affects the WordPress theme Uncode. The vulnerability is an unauthenticated arbitrary file read due to insufficient input validation in the uncode_admin_get_oembed function, affecting all versions up to 2.9.1.6. Patch/mitigation: upgrade to Uncode 2.9.1.6 or apply the vendor fix th...
CVE-2024-13681 Uncode <= 2.9.1.6 - Unauthenticated Arbitrary File Read in uncode_admin_get_oembed
The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncodeadmingetoembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server...
CVE-2024-13797 PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution
The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running...
CVE-2024-13346
The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 7.11.13. This is due to the software allowing users to execute an action that does not properly validate a value before running...
CVE-2025-0837
The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and...