19015 matches found
CVE-2026-30940 baserCMS: Path Traversal in Theme File API Leads to Arbitrary File Write and RCE
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API /baser/api/admin/bc-theme-file/themefiles/add.json that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path...
baserCMS 安全漏洞
BaserCMS is a corporate-level content management system CMS developed by the BaserCMS team. Versions of BaserCMS prior to 5.2.3 contained security vulnerabilities. These vulnerabilities were caused by path traversal in the theme file management API, which could lead to arbitrary file writing and...
PT-2026-29152
baserCMS is a website development framework. Prior to version 5.2.3, a path traversal vulnerability exists in the theme file management API /baser/api/admin/bc-theme-file/theme files/add.json that allows arbitrary file write. An authenticated administrator can include ../ sequences in the path...
CVE-2025-12886
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...
EUVD-2025-209110
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP...
EUVD-2025-209108
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...
CVE-2025-15445
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP...
CVE-2025-15445 Restaurant Cafeteria <= 0.4.6 - Subscriber+ Arbitrary Plugin Installation/Activation
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP...
CVE-2025-15445 Restaurant Cafeteria <= 0.4.6 - Subscriber+ Arbitrary Plugin Installation/Activation
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP...
CVE-2025-15445
The Restaurant Cafeteria WordPress theme through 0.4.6 exposes insecure admin-ajax actions without nonce or capability checks, allowing any logged-in user, like subscriber, to perform privileged operations. An attacker can install and activate a from a user-supplied URL, leading to arbitrary PHP...
CVE-2025-15445
The CVE-2025-15445 entry relates to the WordPress theme Restaurant Cafeteria up to version 0.4.6. The issue is insecure admin-ajax actions that lack nonce or capability checks, enabling any logged-in user (e.g., a subscriber) to perform privileged operations. The documented impact includes arbitr...
CVE-2025-12886 Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...
CVE-2025-12886 Oxygen <= 6.0.8 - Unauthenticated Server-Side Request Forgery via route_path
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...
CVE-2025-12886
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...
CVE-2025-12886
The Oxygen Theme for WordPress (versions up to 6.0.8) is vulnerable to unauthenticated Server-Side Request Forgery via the laborator_calc_route AJAX action. This allows an attacker to issue web requests from the application to arbitrary locations, potentially querying and modifying information fr...
PT-2026-28271
The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laborator calc route AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web...
WordPress plugin Oxygen Theme 代码问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-25009
Missing Authorization vulnerability in raratheme Education Zone education-zone allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Education Zone: from n/a through = 1.3.8...
CVE-2026-25344
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Schema: from n/a through = 2.2.6...
CVE-2026-25371
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in King-Theme Lumise Product Designer lumise allows Blind SQL Injection.This issue affects Lumise Product Designer: from n/a through 2.0.9...