2135 matches found
CVE-2026-40751 WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions...
CVE-2026-39549 WordPress Aperitif theme <= 1.5 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Aperitif <= 1.5 versions...
CVE-2025-69151 WordPress Grand Car Rental theme <= 3.7 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) in Grand Car Rental <= 3.7 versions...
CVE-2025-69141 WordPress Kelly Young theme <= 1.1.0 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Kelly Young <= 1.1.0 versions...
CVE-2025-69137 WordPress Genemy theme <= 1.6.6 - Broken Access Control vulnerability
Subscriber Broken Access Control in Genemy <= 1.6.6 versions...
CVE-2025-69137
Technical details about CVE-2025-69137 are not provided in the supplied connected documents. The records only indicate a broken access control issue in Genemy theme
CVE-2025-69122 WordPress SeaFood Company theme <= 1.4 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in SeaFood Company <= 1.4 versions...
CVE-2025-69119
CVE-2025-69119 concerns the WordPress Corbesier theme (
CVE-2025-69105 WordPress Modernee theme <= 1.6.0 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions...
Exploit for CVE-2026-1555
CVE-2026-1555: Unauthenticated Arbitrary File Upload in WebSta...
EUVD-2026-35985
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...
CVE-2026-3326 XStore < 9.7.3 - Unauthenticated SQLi
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...
CVE-2026-3326
The CVE-2026-3326 entry concerns the XStore WordPress theme (versions before 9.7.3). An unsanitised/unescaped parameter is used in a SQL statement via an AJAX action that is accessible to unauthenticated users, leading to a SQL injection. This is described across multiple sources in the connected...
CVE-2023-54352
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands...
EUVD-2024-55615
WordPress Theme Travelscape 1.0.3 contains an arbitrary file upload vulnerability that allows unauthenticated attackers to upload malicious files by exploiting insufficient validation in the theme's upload functionality. Attackers can upload arbitrary files to the theme directory and execute them...
CVE-2023-54352 WordPress Seotheme Remote Code Execution Unauthenticated
WordPress Seotheme contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary PHP code by uploading malicious files to the theme directory. Attackers can access the uploaded PHP shell at /wp-content/themes/seotheme/mar.php to execute system commands...
CVE-2025-14042
The Automotive Car Dealership Business WordPress Theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Project Details' custom field in Portfolio Items in all versions up to, and including, 13.4.1. This is due to insufficient input sanitization and output escaping on...
CVE-2025-15470
The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...