
2135 matches found

RedhatCVE
added 2025/07/28 7:34 a.m., 11 views

CVE-2025-6989

The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the deletefont function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete...

CVSS 8.1, AI score 6.3, EPSS 0.0041
Exploits: 0, References: 1

Patchstack
added 2025/07/28 12:0 a.m., 4 views

WordPress MediCenter - Health Medical Clinic Theme <= 15.1 is vulnerable to PHP Object Injection

Software: MediCenter - Health Medical Clinic; Type: Theme; Vulnerable versions: <= 15.1; Fixed in: 15.2; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-54014; Patch priority: High; CVSS severity: High 9.8; Developer: EPC; PSID: b489f4cff59c; Credits: Aiden; Required privilege...

AI score 7.2, EPSS 0.0037
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2025/07/28 12:0 a.m., 6 views

WordPress MinimogWP Theme <= 3.9.0 is vulnerable to Content Injection

Software: MinimogWP; Type: Theme; Vulnerable versions: <= 3.9.0; Fixed in: 3.9.1; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-8198; Patch priority: Low; CVSS severity: Low 7.5; Developer: Claim ownership; PSID: d80fff95e821; Credits: Valatty; Required privilege: Unauthenticated; Published ...

CVSS 7.5, AI score 6.3, EPSS 0.00323
Exploits: 0, References: 2, Affected Software: 1

Patchstack
added 2025/07/28 12:0 a.m., 7 views

WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Arbitrary File Deletion

Software: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme; Type: Theme; Vulnerable versions: <= 4.21.0; Fixed in: 4.22.0; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-6989; Patch priority: Medium; CVSS severity: Medium 8.1; Developer: EPC; PSID: fbbebe81e3b7; Credits...

CVSS 8.1, AI score 6.3, EPSS 0.0041
Exploits: 0, References: 2, Affected Software: 1

Patchstack
added 2025/07/28 12:0 a.m., 2 views

WordPress Platform Theme < 1.4.4 is vulnerable to Broken Access Control

Software: Platform; Type: Theme; Vulnerable versions: < 1.4.4; Fixed in: 1.4.4; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2015-10143; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 04b827207d59; Credits: Marc-Alexandre Montpas; Required...

CVSS 9.8, AI score 6, EPSS 0.0173
Exploits: 1, References: 2, Affected Software: 1

Patchstack
added 2025/07/28 12:0 a.m., 6 views

WordPress News Magazine X Theme <= 1.2.35 is vulnerable to Local File Inclusion

Software: News Magazine X; Type: Theme; Vulnerable versions: <= 1.2.35; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-24766; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: b88166b6f805; Credits: LVT-tholv2k; Required privilege...

AI score 6.8, EPSS 0.00417
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/07/26 7:23 a.m., 3 views

CVE-2025-5529 Educenter <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

The Educenter theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Circle Counter Block in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...

CVSS 6.4, AI score 5.5, EPSS 0.00262
Exploits: 0, References: 3

CVE
added 2025/07/25 2:23 a.m., 19 views

CVE-2015-10143

The CVE-2015-10143 entry concerns the Platform theme for WordPress prior to version 1.4.4, where a missing capability check in the _ajax_save_options() function allows unauthenticated modification of options. Affects the Platform theme (WordPress Platform) and enables updating arbitrary site opti...

CVSS 9.8, AI score 6.9, EPSS 0.0173
Exploits: 1, References: 3, Affected Software: 1

Patchstack
added 2025/07/25 12:0 a.m., 7 views

WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Local File Inclusion

Software: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme; Type: Theme; Vulnerable versions: <= 4.21.0; Fixed in: 4.22.0; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2025-6991; Patch priority: Low; CVSS severity: Low 7.5; Developer: EPC; PSID: 34bd1e68ee25; Credits: stealthcopt...

CVSS 7.5, AI score 6.8, EPSS 0.00622
Exploits: 0, References: 2, Affected Software: 1

Patchstack
added 2025/07/25 12:0 a.m., 6 views

WordPress Educenter Theme <= 1.6.2 is vulnerable to Cross Site Scripting (XSS)

Software: Educenter; Type: Theme; Vulnerable versions: <= 1.6.2; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting XSS; Classification: Cross Site Scripting XSS; CVE: CVE-2025-5529; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 8465b696cfd2; Credits: Peter Thaleikis; Required privileg...

CVSS 6.4, AI score 5.7, EPSS 0.00262
Exploits: 0, References: 2, Affected Software: 1

Patchstack
added 2025/07/25 12:0 a.m., 7 views

WordPress Cena Store Theme <= 2.11.26 is vulnerable to Local File Inclusion

Software: Cena Store; Type: Theme; Vulnerable versions: <= 2.11.26; Fixed in: 2.11.27; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-48171; Patch priority: High; CVSS severity: High 8.1; Developer: Claim ownership; PSID: 349bfe1912dd; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

AI score 7.2, EPSS 0.0038
Exploits: 0, References: 1, Affected Software: 1

Patchstack
added 2025/07/23 12:0 a.m., 8 views

WordPress Jobmonster Theme <= 4.7.8 is vulnerable to Cross Site Scripting (XSS)

Software: Jobmonster; Type: Theme; Vulnerable versions: <= 4.7.8; Fixed in: 4.7.9; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting XSS; CVE: CVE-2025-53201; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 24486db3ae4e; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

AI score 6.5, EPSS 0.0028
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2025/07/20 6:2 a.m., 9 views

CVE-2025-6222

The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'cedrnxorderexchangeattachfiles' function in all versions up to, and including, 3.2.6. This...

CVSS 9.8, AI score 7.5, EPSS 0.00585
Exploits: 0, References: 1

RedhatCVE
added 2025/07/18 11:54 a.m., 9 views

CVE-2025-31072

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in designthemes Ofiz - WordPress Business Consulting Theme ofiz allows Reflected XSS. This issue affects Ofiz - WordPress Business Consulting Theme: from n/a through = 2.0...

CVSS 7.1, AI score 5.9, EPSS 0.00235
Exploits: 0, References: 1

RedhatCVE
added 2025/07/17 3:46 a.m., 5 views

CVE-2025-5393

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the aloneimportpackrestoredata function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated...

CVSS 9.1, AI score 6.5, EPSS 0.00533
Exploits: 0, References: 1

RedhatCVE
added 2025/07/17 3:46 a.m., 15 views

CVE-2025-5394

The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the aloneimportpackinstallplugin function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers ...

CVSS 9.8, AI score 6.5, EPSS 0.47809
Exploits: 3, References: 1

Patchstack
added 2025/07/16 12:16 p.m., 4 views

WordPress Theme Builder For Elementor plugin <= 1.2.3 - Cross Site Request Forgery (CSRF) Vulnerability

Cross Site Request Forgery (CSRF) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Theme Builder For Elementor versions <= 1.2.3...

CVSS 6.5, AI score 6.6, EPSS 0.00147
Exploits: 0, Affected Software: 1

NVD
added 2025/07/16 12:15 p.m., 4 views

CVE-2025-31422

Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme visual-arts allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through = 2.4...

CVSS 8.8, EPSS 0.00449
Exploits: 0, References: 1

NVD
added 2025/07/16 12:15 p.m., 5 views

CVE-2025-31427

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in designthemes Invico - WordPress Consulting Business Theme invico allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through = 1.9...

CVSS 7.1, EPSS 0.00235
Exploits: 0, References: 1

NVD
added 2025/07/16 12:15 p.m., 3 views

CVE-2025-31072

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in designthemes Ofiz - WordPress Business Consulting Theme ofiz allows Reflected XSS. This issue affects Ofiz - WordPress Business Consulting Theme: from n/a through = 2.0...

CVSS 7.1, EPSS 0.00235
Exploits: 0, References: 1