CVE-2025-12886

The Oxygen Theme theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.8 via the laboratorcalcroute AJAX action. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web applicati...

CVE-2026-27096

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection.This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3...

CVE-2026-32529 WordPress Molla theme < 1.5.19 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in don-themes Molla molla allows Reflected XSS.This issue affects Molla: from n/a through 1.5.19...

CVE-2026-32528 WordPress Riode | Multi-Purpose WooCommerce theme < 1.6.29 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in don-themes Riode riode allows Reflected XSS.This issue affects Riode: from n/a through 1.6.29...

CVE-2026-32528

CVE-2026-32528 affects the Riode WordPress theme (Multi-Purpose WooCommerce) with versions prior to 1.6.29. The issue is a Reflected Cross-Site Scripting (XSS) caused by improper input neutralization during web page generation. The CVSS v3.1 base score is 7.1 (HIGH), with network attack vector, n...

CVE-2026-32508

CVE-2026-32508 affects the WordPress Halstein theme prior to v1.8. The vulnerability is due to deserialization of untrusted data, enabling object injection in Halstein before 1.8. Affected software is Mikado-Themes Halstein halstein; impact is described as potential object injection with limited ...

CVE-2026-27083 WordPress Work & Travel Company theme <= 1.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Work & Travel Company work-travel-company allows Object Injection.This issue affects Work & Travel Company: from n/a through = 1.2...

CVE-2026-27082 WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through = 1.3.12...

CVE-2026-27079 WordPress Amfissa theme <= 1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Amfissa amfissa allows PHP Local File Inclusion.This issue affects Amfissa: from n/a through = 1.1...

CVE-2026-27078 WordPress Emaurri theme <= 1.0.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Emaurri emaurri allows PHP Local File Inclusion.This issue affects Emaurri: from n/a through = 1.0.1...

CVE-2026-27082 WordPress Love Story theme <= 1.3.12 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Love Story lovestory allows Object Injection.This issue affects Love Story: from n/a through = 1.3.12...

CVE-2026-27081 WordPress Rosebud theme <= 1.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Rosebud rosebud allows PHP Local File Inclusion.This issue affects Rosebud: from n/a through = 1.4...

CVE-2026-27083

CVE-2026-27083 describes a Deserialization of Untrusted Data vulnerability in the WordPress theme “Work & Travel Company” (ThemeREX Work & Travel Company) affecting versions through 1.2. The root cause is PHP object injection via deserialization of untrusted data in the theme, enabling potential ...

CVE-2026-27075 WordPress Belfort theme <= 1.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Mikado-Themes Belfort belfort allows PHP Local File Inclusion.This issue affects Belfort: from n/a through = 1.0...

CVE-2026-27077

CVE-2026-27077 affects Mikado-Themes MultiOffice WordPress theme (MultiOffice)

CVE-2026-25464

CVE-2026-25464 affects the WordPress plugin Jannah (Jannah – Newspaper Magazine News BuddyPress AMP). The Wordfence and NVD entries describe an "Imporper Control of Filename for Include/Require Statement" vulnerability that enables PHP Local File Inclusion via manipulated include/require targets....

CVE-2026-25454 WordPress The League theme <= 4.4.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects The League: from n/a through = 4.4.1...

CVE-2026-25382

CVE-2026-25382 affects the IdealAuto WordPress theme (IdealAuto) version prior to 3.8.6. The vulnerability is an Unauthenticated Local File Inclusion due to improper control of the filename used by PHP include/require statements (PHP Remote File Inclusion vector). Exploitation could allow an atta...

CVE-2026-25373 WordPress Vayvo - Media Streaming & Membership WordPress Theme theme < 6.8 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ProgressionStudios Vayvo vayvo-progression allows Reflected XSS.This issue affects Vayvo: from n/a through 6.8...

CVE-2026-25350 WordPress Miti theme < 1.5.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in skygroup Miti miti allows Reflected XSS.This issue affects Miti: from n/a through 1.5.3...