CVE-2025-7726
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...
CVE-2025-7726
The7 theme for WordPress (
CVE-2025-7726 The7 <= 12.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via title and data-dt-img-description Attributes
The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via its lightbox rendering code in all versions up to, and including, 12.6.0 due to insufficient input sanitization and output escaping. The theme’s JavaScript reads user-supplied 'title' and 'data-dt-img-description'...
PT-2025-32438 · WordPress · The7 Theme
Name of the Vulnerable Software and Affected Versions: The7 theme for WordPress versions prior to 12.6.1 Description: The The7 theme for WordPress is susceptible to Stored Cross-Site Scripting through its lightbox rendering code. Insufficient input sanitization and output escaping allow the theme...
WordPress Xinterio Theme <= 4.2 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Xinterio versions <= 4.2...
CVE-2025-8595
Summary of CVE-2025-8595 (Zakra WordPress theme) : The Zakra theme is vulnerable to unauthorized data modification due to a missing capability check in welcome_notice_import_handler(), affecting all versions up to 4.1.5. This allows authenticated attackers with Subscriber-level access and above t...
PT-2025-32097 · WordPress · Betheme
Name of the Vulnerable Software and Affected Versions: Betheme theme for WordPress versions prior to 28.1.4 Description: The Betheme theme for WordPress is susceptible to Stored Cross-Site Scripting through an Elementor display setting. Insufficient input sanitization and output escaping allows...
WordPress plugin Zakra security vulnerability
WordPress Zakra is a WordPress theme known for its power, compatibility and lightweight design, suitable for creating personal blogs, business websites, WooCommerce stores and more. WordPress Zakra suffers from an unauthorized modification vulnerability that stems from a missing...
WordPress Shopo Theme <= 1.1.4 is vulnerable to Arbitrary File Upload
Software Shopo Type Theme Vulnerable versions <= 1.1.4 Fixed in N/A OWASP Top 10 A1: Injection Classification Arbitrary File Upload CVE CVE-2025-31048 Patch priority Medium CVSS severity Medium 9.9 Developer Claim ownership PSID 148bf5acafb9 Credits Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
Exploit for CVE-2025-5394
CVE-2025-5394 – WordPress Alone Theme <= 7.8.3 - Unauthenticat...
Exploit for CVE-2025-5394
🚨 CVE-2025-5394 - Unauthenticated Arbitrary Plugin Upload in A...
WordPress WeMusic theme <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme WeMusic versions <= 1.9.1...
WordPress WeMusic Theme <= 1.9.1 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme WeMusic versions <= 1.9.1...
WordPress UpStore Theme <= 1.7.0 is vulnerable to Cross Site Scripting (XSS)
Software UpStore Type Theme Vulnerable versions <= 1.7.0 Fixed in 1.7.1 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2025-48296 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 78b49b9e10bc Credits Tran Nguyen Bao Khanh VCI - VNPT Cyber...
Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install
Threat actors are actively exploiting a critical security flaw in "Alone – Charity Multipurpose Non-profit WordPress Theme" to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394 , carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and...
WordPress Exertio Theme <= 1.3.2 is vulnerable to PHP Object Injection
Software Exertio Type Theme Vulnerable versions <= 1.3.2 Fixed in 1.3.3 OWASP Top 10 A3: Injection Classification PHP Object Injection CVE CVE-2025-54686 Patch priority High CVSS severity High 9.8 Developer Claim ownership PSID d25a71f8c070 Credits Aiden Required privilege Unauthenticated Publishe...
WordPress SmilePure Theme < 1.8.5 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme SmilePure versions < 1.8.5...
WordPress Blogger Buzz Theme <= 1.2.6 is vulnerable to Cross Site Scripting (XSS)
Software Blogger Buzz Type Theme Vulnerable versions <= 1.2.6 Fixed in 1.2.7 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2025-54680 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID b2b9bc739162 Credits Peter Thaleikis Required privilege...
WordPress Cook&Meal Theme <= 1.2.3 is vulnerable to Local File Inclusion
Software Cook&Meal Type Theme Vulnerable versions <= 1.2.3 Fixed in 1.2.4 OWASP Top 10 A3: Injection Classification Local File Inclusion CVE CVE-2025-48149 Patch priority High CVSS severity High 8.1 Developer Claim ownership PSID ab26fb7dc392 Credits Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress Appzend theme <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting via progressbarLayout Parameter vulnerability discovered by Peter Thaleikis in WordPress Theme Appzend versions <= 1.2.6...