2134 matches found
PT-2026-42722
Name of the Vulnerable Software and Affected Versions FastX theme for WordPress versions prior to 1.0.3 Description The FastX theme for WordPress allows authenticated attackers with Subscriber-level access or higher to install and activate the PostX plugin. This is caused by missing capability...
CVE-2020-37235
WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject...
CVE-2020-37235 WordPress Theme Wibar 1.1.8 Stored Cross-Site Scripting via Brand Component
WordPress Theme Wibar 1.1.8 contains a stored cross-site scripting vulnerability in the Brand component that allows authenticated users to inject malicious scripts by manipulating the Logo URL parameter. Attackers with editor, administrator, contributor, or author privileges can inject...
EUVD-2026-27303
The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the uploadicons function workflow using a user-controlled upload path mfn-icon-upload in a filesystem move operation without constraining it to the uploads directory. Th...
CVE-2026-6261
The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the uploadicons function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it...
VulnCheck KEV: CVE-2024-11350
The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's identity prior to updating their password through the adforestresetpassword function. This makes it...
VulnCheck KEV: CVE-2025-4606
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it...
VulnCheck KEV: CVE-2024-12281
The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by...
VulnCheck KEV: CVE-2024-13421
The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to...
CVE-2026-5077
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...
EUVD-2026-26768
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...
CVE-2026-5077
The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering thetitle inside HTML attribute context in the home blog section template. This makes it possible for authenticated...
CVE-2026-6812 Ona <= 1.26 - Authenticated (Administrator+) Blind Server-Side Request Forgery via 'download_link' Parameter
The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the onaactivatechildtheme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating...
PT-2026-36579
The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona activate child theme. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations...
Avada < 7.13.2 - Cross-Site Request Forgery
Description The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 7.13.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted...
WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme AI Lab versions 5.4.2...
WordPress Bricks Builder theme <= 2.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by w41bu1 in WordPress Theme Bricks Builder versions = 2.2...
EUVD-2025-209463
The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...
WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability
Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Theme Kids Gift Shop versions = 0.5.4...
CVE-2025-15470
The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...