CVE-2025-8218
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'changerolemember' parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update role. This makes it possible for...
CVE-2025-6758 Real Spaces - WordPress Properties Directory Theme <= 3.6 - Unauthenticated Privilege Escalation to Administrator via 'imic_agent_register'
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'imicagentregister' function in all versions up to, and including, 3.6. This is due to a lack of restriction in the registration role. This makes it possible for unauthenticate...
CVE-2025-8218 Real Spaces - WordPress Properties Directory Theme <= 3.5 - Authenticated (Subscriber+) Privilege Escalation to Administrator via 'change_role_member'
The Real Spaces - WordPress Properties Directory Theme theme for WordPress is vulnerable to privilege escalation via the 'changerolemember' parameter in all versions up to, and including, 3.5. This is due to a lack of restriction in the profile update role. This makes it possible for...
WordPress Rare Radio theme <= 1.0.15.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Rare Radio versions <= 1.0.15.1...
WordPress BugsPatrol theme <= 1.5.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Bonds in WordPress Theme BugsPatrol versions <= 1.5.0...
PT-2025-33710 · WordPress · Real Spaces - Wordpress Properties Directory Theme
Name of the Vulnerable Software and Affected Versions: Real Spaces - WordPress Properties Directory Theme versions prior to 3.6 Description: The Real Spaces - WordPress Properties Directory Theme for WordPress is susceptible to privilege escalation through the change role member parameter during...
CVE-2025-8105
The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for...
CVE-2025-8142
The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.6.7 via the 'headerlayout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the serve...
PT-2025-33592 · WordPress · Soledad
Name of the Vulnerable Software and Affected Versions: Soledad theme for WordPress versions prior to 8.6.8 Description: The Soledad theme for WordPress is susceptible to Stored Cross-Site Scripting via the pcsml smartlists h parameter due to insufficient input sanitization and output escaping. Th...
WordPress Findgo Theme <= 1.3.57 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by 0xd4rk5id3 in WordPress Theme Findgo versions <= 1.3.57...
CVE-2025-54690 WordPress Xinterio Theme <= 4.2 - Local File Inclusion Vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in themeStek Xinterio allows PHP Local File Inclusion. This issue affects Xinterio: from n/a through 4.2...
CVE-2025-54680 WordPress Blogger Buzz Theme theme <= 1.2.6 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in sparklewpthemes Blogger Buzz (blogger-buzz) allows Stored XSS. This issue affects Blogger Buzz: from n/a through <= 1.2.6...
CVE-2025-24766
CVE-2025-24766 : WordPress News Magazine X (WP Royal Themes) has an LFI flaw in PHP due to improper control of filenames for include/require. Affected: News Magazine X
CVE-2025-32288 WordPress RT-Theme 18 | Extensions plugin <= 2.4 - Local File Inclusion Vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in stmcan RT-Theme 18 | Extensions (rt18-extensions) allows PHP Local File Inclusion. This issue affects RT-Theme 18 | Extensions: from n/a through <= 2.4...
WordPress WP Rentals Theme <= 3.13.1 is vulnerable to Cross Site Scripting (XSS)
Software: WP Rentals; Type: Theme; Vulnerable versions: <= 3.13.1; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-53330; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: be5ed984cceb; Credits: Ananda Dhakal (Patchstack); Required privilege...
PT-2025-33149 · Wp Royal Themes · News Magazine X
Name of the Vulnerable Software and Affected Versions: WP Royal Themes News Magazine X versions through 1.2.37 Description: A flaw exists in WP Royal Themes News Magazine X related to improper control of filename for include/require statements, leading to a PHP Local File Inclusion issue. This...
CVE-2025-8891 OceanWP <= 4.0.9 - 4.1.1 - Cross-Site Request Forgery to Ocean Extra Plugin Installation
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwpnoticebuttonclick function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forge...
CVE-2025-7726
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...
WordPress The7 Theme <= 12.6.0 is vulnerable to Cross Site Scripting (XSS)
Software: The7; Type: Theme; Vulnerable versions: <= 12.6.0; Fixed in: 12.7.0; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-7726; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 79f4fdafca8f; Credits: Webbernaut; Required privilege...