19031 matches found
EUVD-2026-41105
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16...
CVE-2026-57737
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Averta LTD Shortcodes and extra features for Phlox theme allows DOM-Based XSS. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.16...
WordPress Shortcodes and extra features for Phlox theme plugin <= 2.17.16 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by timomangcut in WordPress Plugin Shortcodes and extra features for Phlox theme versions = 2.17.16...
CVE-2026-27435 WordPress Woffice theme < 5.4.33 - Broken Access Control vulnerability
Missing Authorization vulnerability in WofficeIO Woffice allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Woffice: from n/a before 5.4.33...
CVE-2026-27435
WordPress Woffice theme versions before 5.4.33 are affected by a Missing Authorization vulnerability due to incorrectly configured access control. CVSSv3.1: 5.3 (Network, Low privileges, No user interaction). Impact: Integrity impact (LOW); others None. Affected: Woffice theme (WordPress)
WordPress 15Zine <3.3.0 - Cross-Site Scripting
WordPress 15Zine before 3.3.0 is vulnerable to reflected cross-site scripting because the theme does not sanitize the cbi parameter before including it in the HTTP response via the cbsa AJAX action. id: CVE-2020-36510 info: name: WordPress 15Zine 3.3.0 - Cross-Site Scripting author: veshraj...
ScoreMe Theme - Cross-Site Scripting
WordPress ScoreMe theme through 2016-04-01 contains a reflected cross-site scripting vulnerability via the s parameter which allows an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal...
WordPress CAS Theme <= 1.0.0 - Server-Side Request Forgery
The CAS WordPress theme through version 1.0.0 is vulnerable to Server-Side Request Forgery SSRF via the 'url' parameter in the getremotedata.php script. This vulnerability allows unauthenticated attackers to make the server perform requests to arbitrary URLs. id: CVE-2024-4399 info: name: WordPre...
JobMonster < 4.5.2.9 - Cross-Site Scripting
In the theme JobMonster 4.5.2.9 there is a XSS vulnerability as the input for the search form is provided through unsanitized GET requests. id: CVE-2022-1170 info: name: JobMonster 4.5.2.9 - Cross-Site Scripting author: Akincibor,ritikchaddha severity: medium description: | In the theme JobMonste...
WordPress Page Builder KingComposer <=2.9.6 - Open Redirect
WordPress Page Builder KingComposer 2.9.6 and prior does not validate the id parameter before redirecting the user to it via the kcgetthumbn AJAX action which is available to both unauthenticated and authenticated users. id: CVE-2022-0165 info: name: WordPress Page Builder KingComposer =2.9.7 to...
WordPress JNews Theme <8.0.6 - Cross-Site Scripting
WordPress JNews theme before 8.0.6 contains a reflected cross-site scripting vulnerability. It does not sanitize the catid parameter in the POST request /?ajax-request=jnews with action=jnewsbuildmegacategory. id: CVE-2021-24342 info: name: WordPress JNews Theme =8.0.6 to mitigate the XSS...
WordPress Jannah Theme <5.4.5 - Cross-Site Scripting
WordPress Jannah theme before 5.4.5 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the 'query' POST parameter in its tieajaxsearch AJAX action. id: CVE-2021-24407 info: name: WordPress Jannah Theme 5.4.5 - Cross-Site Scripting author: pikpikcu severity:...
WordPress Jannah Theme <5.4.4 - Cross-Site Scripting
WordPress Jannah theme before 5.4.4 contains a reflected cross-site scripting vulnerability. It does not properly sanitize the options JSON parameter in its tiegetuserweather AJAX action before outputting it back in the page. id: CVE-2021-24364 info: name: WordPress Jannah Theme 5.4.4 - Cross-Sit...
WordPress Laborator Neon Theme 2.0 - Cross-Site Scripting
WordPress Laborator Neon theme 2.0 contains a cross-site scripting vulnerability via the data/autosuggest-remote.php q parameter. id: CVE-2019-20141 info: name: WordPress Laborator Neon Theme 2.0 - Cross-Site Scripting author: knassar702 severity: medium description: WordPress Laborator Neon them...
WordPress tagDiv Composer < 3.5 - Authentication Bypass
The tagDiv Composer WordPress plugin before 3.5, required by the Newspaper WordPress theme before 12.1 and Newsmag WordPress theme before 5.2.2, does not properly implement the Facebook login feature, allowing unauthenticated attackers to login as any user by just knowing their email address id:...
WordPress OneTone theme <= 3.0.6 – Unauthenticated Stored XSS
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress has multiple stored XSS issues. id: CVE-2019-17231 info: name: WordPress OneTone theme = 3.0.6 – Unauthenticated Stored XSS author: daffainfo severity: medium description: | includes/theme-functions.php in the OneTone...
WordPress OneTone theme <= 3.0.6 – Unauthenticated Options Changes
includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress allows unauthenticated options changes. id: CVE-2019-17230 info: name: WordPress OneTone theme = 3.0.6 – Unauthenticated Options Changes author: daffainfo severity: medium description: | includes/theme-functions.php in...
Yellow Pencil Visual Theme Customizer < 7.2.1 - Privilege Escalation
The WaspThemes Visual CSS Style Editor aka yellow-pencil-visual-theme-customizer plugin before 7.2.1 for WordPress allows ypoptionupdate CSRF, as demonstrated by use of ypremoteget to obtain admin access. id: CVE-2019-11886 info: name: Yellow Pencil Visual Theme Customizer 7.2.1 - Privilege...
WordPress Campress Theme <= 1.35 - Unauthenticated Local File Inclusion
Campress theme for WordPress up to 1.35 contains a local file inclusion caused by 'campresswoocommercegetajaxproducts' function, letting unauthenticated attackers include and execute arbitrary PHP files, exploit requires no authentication. id: CVE-2024-10763 info: name: WordPress Campress Theme =...
WordPress Madara Theme < 2.2.2.1 - Local File Inclusion
Madara WordPress theme = 2.2.2 contains a local file inclusion vulnerability caused by improper sanitization of the 'template' parameter, letting unauthenticated attackers execute arbitrary files on the server, exploit requires crafted request. id: CVE-2025-4524 info: name: WordPress Madara Theme...