CVE-2025-69406 WordPress FreightCo theme <= 1.1.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through = 1.1.7...

CVE-2025-69408

CVE-2025-69408 is a documented Local File Inclusion (LFI) vulnerability in the WordPress plugin/theme stack: HealthFirst by Mikado-Themes, version

CVE-2025-69409

CVE-2025-69409 is a Local File Inclusion vulnerability in the WordPress theme “PJ | Life & Business Coaching” up to version 3.0.0, caused by improper control of filenames in PHP include/require statements. The issue allows local file inclusion and is described with a High risk (CVSS 3.1: AV:N/AC:...

CVE-2025-69404 WordPress Extreme Store theme <= 1.5.10 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through = 1.5.10...

CVE-2025-69402

CVE-2025-69402 : Local File Inclusion in the WordPress Theme R&F rf (ThemeREX) via Improper Control of Filename for Include/Require. Affected: ThemeREX R&F rf versions up to and including 1.5. Exploitation context not provided in the sources. Remediation per the connected docs: update ThemeREX R&...

CVE-2025-69396

CVE-2025-69396 concerns WordPress ThemeREX Splendour (Splendour) versions through 1.23, with an Unauthenticated Local File Inclusion due to improper control of filenames for include/require in PHP (often described as a PHP Remote File Inclusion issue). The connected sources confirm the affected p...

CVE-2025-69385 WordPress Cartify - WooCommerce Gutenberg WordPress Theme theme <= 1.3 - Arbitrary Content Deletion vulnerability

Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through = 1.3...

CVE-2025-69371

CVE-2025-69371 is a PHP Object Injection vulnerability in the WordPress KindlyCare theme (

CVE-2025-69367 WordPress Oyster - Photography WordPress Theme theme <= 4.4.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS.This issue affects Oyster - Photography WordPress Theme: from n/a through = 4.4.3...

CVE-2025-69368 WordPress SOHO - Photography WordPress Theme theme <= 3.0.3 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS.This issue affects SOHO - Photography WordPress Theme: from n/a through = 3.0.3...

CVE-2025-69296 WordPress Aardvark theme <= 4.6.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through = 4.6.3...

CVE-2025-68549 WordPress Wiguard theme < 2.0.1 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server.This issue affects Wiguard: from n/a through 2.0.1...

CVE-2025-68543 WordPress Diza theme <= 1.3.15 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through = 1.3.15...

CVE-2025-68541 WordPress Ippsum theme <= 1.2.0 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through = 1.2.0...

CVE-2025-67992

CVE-2025-67992 is a Local File Inclusion vulnerability in the PatioTime WordPress theme from LoftOcean, affecting versions before 2.1. The issue is described as improper control of the filename used by include/require statements in PHP, enabling LFI. Connected documents confirm the affected produ...

CVE-2025-67982 WordPress Urna theme <= 2.5.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through = 2.5.12...

CVE-2025-67988 WordPress CozyStay theme < 1.9.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through 1.9.1...

CVE-2025-12117

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

CVE-2025-14357

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...

PT-2026-21224

Name of the Vulnerable Software and Affected Versions Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme versions through 1.3 Description The software contains a flaw related to improper control of filenames used in include/require statements, specifically a PHP Local File Inclusi...