18741 matches found
VulnCheck KEV: CVE-2024-11350
The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's identity prior to updating their password through the adforestresetpassword function. This makes it...
CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...
GHSA-VGRF-PR28-VF98 CI4MS Vulnerable to Arbitrary Database Table Drop via Theme deleteProcess
Summary The deleteProcess action accepts a POST parameter tables containing arbitrary table names. These are passed directly to $forge-dropTable without validating that the tables belong to the theme being deleted. The deleteConfirm view correctly populates tables from the theme's own migration...
CVE-2026-6812
The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the onaactivatechildtheme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...
CVE-2026-5077
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...
Malicious code in edj-shopify-theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0e23978c8bb0369f485f8c3e2384f10d9e649d13a3c198475ace4184c3757a5 The package edj-shopify-theme was found to contain malicious code. Source: ghsa-malware...
Malicious Package
Overview edj-shopify-theme is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-3278 Malicious code in honcho-theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 84982c0724088423f1dfd6be1667977bde24611206ff38083fbd5f1bddb51ee7 The package honcho-theme was found to contain malicious code. Source: ghsa-malware 23c78ef060edd4e17fe6722502a19a3f7cfa402b9253a432003578db145e5c24 A...
Malicious code in honcho-theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 84982c0724088423f1dfd6be1667977bde24611206ff38083fbd5f1bddb51ee7 The package honcho-theme was found to contain malicious code. Source: ghsa-malware 23c78ef060edd4e17fe6722502a19a3f7cfa402b9253a432003578db145e5c24 A...
MAL-2026-3277 Malicious code in edj-shopify-theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b0e23978c8bb0369f485f8c3e2384f10d9e649d13a3c198475ace4184c3757a5 The package edj-shopify-theme was found to contain malicious code. Source: ghsa-malware...
Malicious code in @bcs-ui/theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5e8fd043a0105b7ec2fd37e2db50a7dbab652403949cf1f0950366ddab6eafdf The package @bcs-ui/theme was found to contain malicious code. Source: ghsa-malware 2a3c36dafcc4718b7edd494534658ed583e693c1235d638066d51997eccb1d10...
MAL-2026-3271 Malicious code in @bcs-ui/theme (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5e8fd043a0105b7ec2fd37e2db50a7dbab652403949cf1f0950366ddab6eafdf The package @bcs-ui/theme was found to contain malicious code. Source: ghsa-malware 2a3c36dafcc4718b7edd494534658ed583e693c1235d638066d51997eccb1d10...
Malicious Package
Overview @bcs-ui/theme is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
VulnCheck KEV: CVE-2023-47783
Missing Authorization vulnerability in Thrive Themes Thrive Theme Builder.This issue affects Thrive Theme Builder: from n/a before 3.24.0...
PT-2026-37160
Name of the Vulnerable Software and Affected Versions CI4MS versions 0.31.1.0 through 0.31.7.0 Description The deleteProcess function in the /backend/themes/delete-process/slug endpoint fails to validate the tables POST parameter. An authenticated administrator can send a crafted request containi...
VulnCheck KEV: CVE-2025-4606
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it...
VulnCheck KEV: CVE-2024-13421
The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to...
VulnCheck KEV: CVE-2024-12281
The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by...
CVE-2026-5077
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...
CVE-2026-5077 Total <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in Blog Section Image alt Attribute
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...