512 matches found
CVE-2024-13529 SocialV - Social Network and Community BuddyPress Theme <= 2.0.15 - Missing Authorization to Arbitrary File Download
The SocialV - Social Network and Community BuddyPress Theme theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'socialvsenddownloadfile' function in all versions up to, and including, 2.0.15. This makes it possible for authenticated attackers...
WordPress OnePress theme <= 2.3.11 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Fariq Fadillah Gusti Insani Patchstack Alliance in WordPress Theme OnePress versions = 2.3.11...
CVE-2024-11936
The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backupoptions' and 'restoreoptions' function in all versions up to, and including, 3.16.0. This makes it possible for authenticated...
WordPress InspiryThemes RealHomes Theme Privilege Escalation Vulnerability (Jan 2025)
The WordPress theme RealHomes by InspiryThemes is prone to a privilege escalation vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-onl...
WordPress Lestin theme < 1.2.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by justakazh in WordPress Theme Lestin - Directory Listing WordPress Theme versions 1.2.0...
WordPress Orgarium theme < 1.1.9 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by justakazh Patchstack Alliance in WordPress Theme Orgarium - Agriculture & Organic Farm WordPress Theme versions 1.1.9...
WordPress Pisole theme < 1.1.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by justakazh Patchstack Alliance in WordPress Theme Pisole - Digital Creative Agency WordPress Theme versions 1.1.0...
WordPress Education LMS theme <= 0.0.7 - Stored Cross Site Scripting (XSS) vulnerability
Stored Cross Site Scripting XSS vulnerability discovered by Michael Patchstack Alliance in WordPress Theme Education LMS versions = 0.0.7...
CVE-2024-37441
CVE-2024-37441 is a CSRF vulnerability in DesertThemes NewsMash (WordPress theme). Affected are NewsMash versions n/a through 1.0.34. The issue enables CSRF; connected sources indicate the vulnerability has been patched in NewsMash, but no fixed version is specified in the provided documents. No ...
CVE-2024-37435
CVE-2024-37435 describes a Cross-Site Request Forgery (CSRF) in the WordPress theme “Perfect Portfolio.” Affected: Perfect Portfolio versions up to 1.2.0 (listed as from n/a through 1.2.0). Root cause: CSRF enabling unauthorized actions via crafted requests. Impact (per CVSS v3.1 in the sources):...
CVE-2024-37412 WordPress Blossom Shop theme <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability
Cross-Site Request Forgery CSRF vulnerability in Blossom Themes Blossom Shop allows Cross Site Request Forgery.This issue affects Blossom Shop: from n/a through 1.1.7...
CVE-2024-56234
Technical details for CVE-2024-56234 are not provided in the supplied documents. No concrete information on affected products, root cause, impact, or remediation is available here; monitor for official advisories and vendor updates.
CVE-2024-12588 Shortcodes and extra features for Phlox theme <= 2.17.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Staff Widget
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.17.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...
CVE-2024-9545 Shortcodes and extra features for Phlox theme <= 2.17.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via aux_contact_box and aux_gmaps Shortcodes
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's auxcontactbox and auxgmaps shortcodes in all versions up to, and including, 2.17.0 due to insufficient input sanitization and output escaping on user supplied...
CVE-2024-11926
The Travel Booking WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'stPartnerCreateServiceRental', 'stdeleteorderitem', 'stpartnerapprovebooking', 'saveorderitem', and 'userDenyEachInfo' functions in all versions up t...
CVE-2024-12333
CVE-2024-12333 affects the Woodmart WordPress theme. The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes via the woodmart_instagram_ajax_query AJAX action because a value is not properly validated before running do_shortcode. This is a shortcode execution flaw in al...
CVE-2024-43222 WordPress Sweet Date theme <= 3.7.3 - Privilege Escalation vulnerability
Missing Authorization vulnerability in SeventhQueen Sweet Date sweetdate allows Privilege Escalation.This issue affects Sweet Date: from n/a through = 3.7.3...
CVE-2024-10849
CVE-2024-10849 details (NewsMash theme, WordPress) : The NewsMash WordPress theme is affected by a stored cross-site scripting (XSS) vulnerability via a malicious display name in all versions up to 1.0.71. Exploitation requires authenticated access at Contributor level or higher, and an attacker ...
CVE-2024-10578
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnewsimporterpluginactionfornotice function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level...
CVE-2024-10836
CVE-2024-10836 affects the Flixita WordPress theme (all versions up to 1.0.82). It is a Reflected Cross-Site Scripting vulnerability via the id parameter caused by insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject scripts in pages executed after use...