PT-2026-21150
Name of the Vulnerable Software and Affected Versions: GT3themes SOHO - Photography WordPress Theme versions through 3.0.3. Description: The GT3themes SOHO - Photography WordPress Theme contains a flaw related to improper input handling during web page generation, leading to a DOM-Based Cross-site...
PT-2026-21166
Name of the Vulnerable Software and Affected Versions: AgniHD Cartify - WooCommerce Gutenberg WordPress Theme versions through 1.3. Description: The software contains a missing authorization issue related to incorrectly configured access control security levels. This allows for exploitation of the...
PT-2026-21149
Name of the Vulnerable Software and Affected Versions: GT3themes Oyster - Photography WordPress Theme versions through 4.4.3. Description: The GT3themes Oyster - Photography WordPress Theme contains a flaw related to improper input handling during web page generation, leading to a DOM-Based Cross-si...
CVE-2026-27069
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through <= 8.7.2...
CVE-2026-25422
Cross-Site Request Forgery (CSRF) vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery. This issue affects Popularis Extra: from n/a through <= 1.2.10...
CVE-2026-25459 WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability
Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sober: from n/a through <= 3.5.12...
CVE-2026-25395 WordPress Business Roy theme <= 1.1.4 - Broken Access Control vulnerability
Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Roy: from n/a through <= 1.1.4...
CVE-2026-25394 WordPress Fitness FSE theme <= 1.0.6 - Broken Access Control vulnerability
Missing Authorization vulnerability in sparklewpthemes Fitness FSE fitness-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fitness FSE: from n/a through <= 1.0.6...
CVE-2026-25395
CVE-2026-25395 – WordPress Business Roy theme
CVE-2026-25374
CVE-2026-25374 describes a Missing Authorization (Broken Access Control) vulnerability in the WordPress Spa and Salon theme (raratheme) prior to/including version 1.3.2. The issue is tied to misconfigured access control levels and allows unauthorized actions due to insufficient authorization chec...
CVE-2025-12074
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'contextblogmodalpopup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from passwor...
CVE-2025-13091 Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install
The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopire_admin_install_plugin function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...
CVE-2025-13091
CVE-2025-13091 refers to the WordPress Shopire theme (Shopire) with versions up to and including 1.0.57, where a missing capability check in shopire_admin_install_plugin() allows authenticated users with Subscriber-level access and above to install the external plugin “fable-extra”, enabling unau...
CVE-2025-12117 Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title
The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...
PT-2026-20616
The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup widgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wi...
WordPress Spa and Salon theme <= 1.3.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Theme Spa and Salon versions <= 1.3.2...
CVE-2025-12074 Context Blog <= 1.2.5 - Unauthenticated Private Post Disclosure
The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'contextblogmodalpopup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from passwor...
PT-2026-20219
Name of the Vulnerable Software and Affected Versions: Context Blog theme for WordPress versions through 1.2.5. Description: The Context Blog theme for WordPress is susceptible to information disclosure in versions up to and including 1.2.5. This is due to inadequate restrictions on post inclusion...