2135 matches found

Patchstack, added 2025/12/13 1:18 a.m., 7 views

WordPress Exhibz theme <= 3.0.9 - Local File Inclusion vulnerability

Software: Exhibz. Type: Theme. Vulnerable versions: <= 3.0.9. Fixed in: 3.0.10. OWASP Top 10: A3: Injection. Classification: Local File Inclusion. CVE ID: CVE-2025-67523. Patchstack priority: Low. CVSS severity: 7.5. Required privilege: Contributor. Developer: Claim ownership. PSID: 211f5649fefe...

CVSS: 9.8, AI score: 6.5, EPSS: 0.0037
Exploits: 0, Affected software: 1
Patchstack, added 2025/12/12 11:6 p.m., 4 views

WordPress Mavix Education plugin <= 1.0 - Missing Authorization to Authenticated (Subscriber+) 'Creativ Demo Importer' Plugin Activation vulnerability

Missing Authorization to Authenticated (Subscriber+) 'Creativ Demo Importer' Plugin Activation vulnerability discovered by Jonas Benjamin Friedli in WordPress Theme Mavix Education versions <= 1.0...

CVSS: 4.3, AI score: 7, EPSS: 0.00158
Exploits: 0, References: 1, Affected software: 1
EUVD, added 2025/12/12 6:31 a.m., 5 views

EUVD-2025-203030

The Construction Light WordPress theme before 1.6.8 does not have authorisation or CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...

CVSS: 4.3, AI score: 6.4, EPSS: 0.00102
Exploits: 0, References: 2
NVD, added 2025/12/12 6:15 a.m., 5 views

CVE-2025-10684

The Construction Light WordPress theme before 1.6.8 does not have authorisation or CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...

CVSS: 4.3, EPSS: 0.00102
Exploits: 0, References: 1
Cvelist, added 2025/12/12 6:0 a.m., 29 views

CVE-2025-10684 Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation

The Construction Light WordPress theme before 1.6.8 does not have authorisation or CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...

EPSS: 0.00102
Exploits: 0, References: 1
Vulnrichment, added 2025/12/12 6:0 a.m., 7 views

CVE-2025-10684 Construction Light < 1.6.8 - Subscriber+ Arbitrary Plugin Activation

The Construction Light WordPress theme before 1.6.8 does not have authorisation or CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary...

AI score: 6.5, EPSS: 0.00102
Exploits: 0, References: 1
CVE, added 2025/12/12 6:0 a.m., 15 views

CVE-2025-10684

CVE-2025-10684 affects the Construction Light WordPress theme prior to version 1.6.8. Multiple sources (NVD, Red Hat, CIRCL, CVE list) describe a lack of authorization and CSRF protection for an AJAX activation action, allowing any authenticated user (e.g., subscribers) to activate arbitrary func...

CVSS: 4.3, AI score: 6.5, EPSS: 0.00102
Exploits: 0, References: 1
Positive Technologies, added 2025/12/12 12:0 a.m., 5 views

PT-2025-50885

Name of the Vulnerable Software and Affected Versions: Construction Light WordPress theme versions prior to 1.6.8. Description: The Construction Light WordPress theme lacks proper authorization and Cross-Site Request Forgery (CSRF) protection when activated through an AJAX action. This allows any...

CVSS: 4.3, AI score: 6.4, EPSS: 0.00102
Exploits: 0, References: 5
Vulnrichment, added 2025/12/09 2:52 p.m., 3 views

CVE-2025-63074 WordPress The7 theme < 12.8.1.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Dream-Theme The7 (dt-the7) allows PHP Local File Inclusion. This issue affects The7: from n/a through 12.8.1.1...

CVSS: 7.5, AI score: 5.3, EPSS: 0.00381
Exploits: 0, References: 1
CVE, added 2025/12/09 2:14 p.m., 7 views

CVE-2025-67526

CVE-2025-67526 affects Sailing (WordPress theme) older than 4.4.6. It is a Local File Inclusion via improper filename handling in PHP include/require, exploitable by authenticated users with Contributor+ privileges. The WordFence vulnerability list notes a high severity (9.8 in some entries; CVSS...

CVSS: 7.5, AI score: 6.7, EPSS: 0.0037
Exploits: 0, References: 1
Cvelist, added 2025/12/09 2:13 p.m., 29 views

CVE-2025-66534 WordPress The Aisle theme <= 2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Elated-Themes The Aisle (theaisle) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Aisle: from n/a through <= 2.9...

CVSS: 4.3, EPSS: 0.0018
Exploits: 0, References: 1
CNVD, added 2025/11/28 12:0 a.m., 3 views

WordPress houzez cross-site scripting vulnerability

WordPress houzez is a WordPress theme designed for real estate brokers and companies, providing powerful Elementor integration, listing management, map search and other features, supporting multi-language and currency conversion, aiming to create a professional and user-friendly real estate...

CVSS: 6.1, AI score: 6.2, EPSS: 0.00168
Exploits: 0, References: 1
RedhatCVE, added 2025/11/27 1:4 p.m., 15 views

CVE-2025-9163

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzezpropertyimgupload and houzezpropertyattachmentupload functions. This makes it possib...

CVSS: 6.1, AI score: 5.3, EPSS: 0.00168
Exploits: 0, References: 1
Patchstack, added 2025/11/27 9:47 a.m., 6 views

WordPress Houzez plugin <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability

Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by Alex Thomas (Wordfence) in WordPress Theme Houzez versions <= 4.1.6...

CVSS: 6.1, AI score: 5.8, EPSS: 0.00168
Exploits: 0, References: 1, Affected software: 1
Patchstack, added 2025/11/27 8:36 a.m., 3 views

WordPress Pool Services theme <= 3.3 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery (SSRF) vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Pool Services versions <= 3.3...

CVSS: 9.1, AI score: 7.1, EPSS: 0.00202
Exploits: 0, Affected software: 1
EUVD, added 2025/11/27 6:31 a.m., 4 views

EUVD-2025-199798

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authenticated attackers, with Subscriber-level access...

CVSS: 8.8, AI score: 5.3, EPSS: 0.00239
Exploits: 0, References: 3
CVE, added 2025/11/27 4:36 a.m., 15 views

CVE-2025-13680

CVE-2025-13680 affects the WordPress Tiger theme (versions up to and including 101.2.1). The vulnerability is an Authenticated Privilege Escalation where an attacker with Subscriber-level access or higher can exploit the plugin to elevate privileges via the $user->set_role() function, potentia...

CVSS: 8.8, AI score: 5.4, EPSS: 0.00239
Exploits: 0, References: 2
Cvelist, added 2025/11/27 4:36 a.m., 6 views

CVE-2025-13675 Tiger <= 101.2.1 - Unauthenticated Privilege Escalation

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrato...

CVSS: 9.8, EPSS: 0.00294
Exploits: 0, References: 2
Vulnrichment, added 2025/11/27 4:36 a.m., 2 views

CVE-2025-13675 Tiger <= 101.2.1 - Unauthenticated Privilege Escalation

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrato...

CVSS: 9.8, AI score: 5.8, EPSS: 0.00294
Exploits: 0, References: 2
Positive Technologies, added 2025/11/27 12:0 a.m., 3 views

PT-2025-48230

Name of the Vulnerable Software and Affected Versions: Tiger theme for WordPress versions prior to 101.2.2. Description: The Tiger theme for WordPress is susceptible to a privilege escalation issue. The paypal-submit.php file does not properly restrict user roles during registration. This allows...

CVSS: 9.8, AI score: 6.7, EPSS: 0.00294
Exploits: 0, References: 8