2108 matches found

Vulnrichment
added 2025/07/12 5:30 a.m. · 5 views

CVE-2025-1313 Nokri - Job Board WordPress Theme <= 1.6.3 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email address. This makes it...

CVSS 8.8 · AI score 7.5 · EPSS 0.00255
Exploits: 0 · References: 2

Cvelist
added 2025/07/12 5:30 a.m. · 7 views

CVE-2025-1313 Nokri - Job Board WordPress Theme <= 1.6.3 - Authenticated (Subscriber+) Privilege Escalation via Account Takeover

The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email address. This makes it...

CVSS 8.8 · EPSS 0.00255
Exploits: 0 · References: 2

Positive Technologies
added 2025/07/12 12:0 a.m. · 2 views

PT-2025-29296 · WordPress · The Nokri – Job Board Wordpress Theme

Name of the Vulnerable Software and Affected Versions: Nokri - Job Board WordPress Theme versions prior to 1.6.4
Description: The Nokri - Job Board WordPress Theme is susceptible to privilege escalation, potentially leading to account takeover. The issue stems from insufficient validation of a...

CVSS 8.8 · AI score 6.8 · EPSS 0.00255
Exploits: 0 · References: 9

Patchstack
added 2025/07/11 2:44 p.m. · 4 views

WordPress Houzez theme <= 4.2.5 - Insecure Direct Object References (IDOR) vulnerability

Insecure Direct Object References (IDOR) vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Houzez versions <= 4.2.5...

CVSS 6.3 · AI score 7 · EPSS 0.00017
Exploits: 0 · Affected Software: 1

CNVD
added 2025/07/10 12:0 a.m. · 5 views

WordPress Red Art Code Injection Vulnerability

WordPress Red Art is a theme designed for the art field, mainly used to create artist portfolios, galleries, photography exhibitions, tattoo studios and other art websites. WordPress Red Art suffers from a code injection vulnerability that stems from deserializing untrustworthy data, which can be...

CVSS 8.8 · AI score 7.7 · EPSS 0.00336
Exploits: 0 · References: 1

CNVD
added 2025/07/10 12:0 a.m. · 1 views

WordPress Uncode Core Cross-Site Scripting Vulnerability

WordPress Uncode Core is a creative multipurpose theme for the WordPress platform. WordPress Uncode Core suffers from a cross-site scripting vulnerability that stems from insufficient input cleanup and output escaping, which can be exploited by an attacker to steal user session information by...

CVSS 6.4 · AI score 6.2 · EPSS 0.00164
Exploits: 0 · References: 1

Patchstack
added 2025/07/10 12:0 a.m. · 4 views

WordPress Traveler Theme < 3.2.2 is vulnerable to SQL Injection

Software: Traveler; Type: Theme; Vulnerable versions: < 3.2.2; Fixed in: 3.2.2; OWASP Top 10: A3: Injection; Classification: SQL Injection; CVE: CVE-2025-52714; Patch priority: High; CVSS severity: High 9.3; Developer: Claim ownership; PSID: d97b1d91ed8e; Credits: Thái An; Required privilege: Unauthenticated; Published: 10...

CVSS 9.3 · AI score 6.5 · EPSS 0.00232
Exploits: 0 · References: 1 · Affected Software: 1

NVD
added 2025/07/09 4:16 a.m. · 5 views

CVE-2025-4606

The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it...

CVSS 9.8 · EPSS 0.0026
Exploits: 1 · References: 2

Cvelist
added 2025/07/09 3:22 a.m. · 11 views

CVE-2025-4606 Sala - Startup & SaaS WordPress Theme <= 1.1.4 - Unauthenticated Privilege Escalation via Password Reset/Account Takeover

The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it...

CVSS 9.8 · EPSS 0.0026
Exploits: 1 · References: 2

CVE
added 2025/07/09 3:22 a.m. · 45 views

CVE-2025-4606

The CVE-2025-4606 entry describes unauthenticated privilege escalation in the Sala - Startup & SaaS WordPress Theme (versions prior to or up to 1.1.4). The root cause is the theme’s failure to properly validate a user’s identity before updating details (e.g., passwords), enabling an unauthenticat...

CVSS 9.8 · AI score 7.1 · EPSS 0.0026
In wild · Exploits: 1 · References: 2

Positive Technologies
added 2025/07/09 12:0 a.m. · 4 views

PT-2025-28838 · Unknown · Sala - Startup & Saas Wordpress Theme

Name of the Vulnerable Software and Affected Versions: Sala - Startup & SaaS WordPress Theme versions prior to 1.1.5
Description: The issue arises from the theme's failure to properly validate a user's identity before updating their details, such as the password. This allows unauthenticated...

CVSS 9.8 · AI score 6.8 · EPSS 0.0026
Exploits: 1 · References: 7

Patchstack
added 2025/07/08 12:0 a.m. · 4 views

WordPress Hillter Theme <= 3.0.7 is vulnerable to PHP Object Injection

Software: Hillter; Type: Theme; Vulnerable versions: <= 3.0.7; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-24777; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: 8e030521d3a0; Credits: Bonds; Required privilege: Subscriber; Published: 8 Jul...

CVSS 8.8 · AI score 6.8 · EPSS 0.00336
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/07/08 12:0 a.m. · 3 views

WordPress Nuss Theme <= 1.3.3 is vulnerable to Broken Access Control

Software: Nuss; Type: Theme; Vulnerable versions: <= 1.3.3; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-52804; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: bd7e0e488ec4; Credits: Thái An; Required privilege: Unauthenticate...

CVSS 7.5 · AI score 6.2 · EPSS 0.00229
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/07/08 12:0 a.m. · 5 views

WordPress Sala Theme <= 1.1.4 is vulnerable to Privilege Escalation

Software: Sala; Type: Theme; Vulnerable versions: <= 1.1.4; Fixed in: N/A; OWASP Top 10: A7: Identification and Authentication Failures; Classification: Privilege Escalation; CVE: CVE-2025-4606; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: e358e6b6574a; Credits: Thái An; Required...

CVSS 9.8 · AI score 6.5 · EPSS 0.0026
Exploits: 1 · References: 2 · Affected Software: 1

Patchstack
added 2025/07/08 12:0 a.m. · 5 views

WordPress Noisa Theme <= 2.6.0 is vulnerable to PHP Object Injection

Software: Noisa; Type: Theme; Vulnerable versions: <= 2.6.0; Fixed in: 2.6.2; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-53560; Patch priority: High; CVSS severity: High 8.8; Developer: Claim ownership; PSID: 60e4fbd75f25; Credits: Bonds; Required privilege: Subscriber; Published: 8 Jul...

AI score 6.8 · EPSS 0.00176
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/07/08 12:0 a.m. · 5 views

WordPress Sala Theme <= 1.1.3 is vulnerable to Broken Access Control

Software: Sala; Type: Theme; Vulnerable versions: <= 1.1.3; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-52803; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: 485a6b36a4e6; Credits: Thái An; Required privilege: Unauthenticate...

CVSS 7.5 · AI score 6.2 · EPSS 0.00229
Exploits: 0 · References: 1 · Affected Software: 1

CNVD
added 2025/07/08 12:0 a.m. · 2 views

WordPress Vikinger Path Traversal Vulnerability

WordPress Vikinger is a WordPress blog theme developed by a foreign developer. WordPress Vikinger has a path traversal vulnerability that stems from insufficient file path validation in the function vikingerdeleteactivitymediaajax, which can be exploited by an attacker to tamper with the system...

CVSS 8.1 · AI score 7 · EPSS 0.05635
Exploits: 0 · References: 1

Patchstack
added 2025/07/07 12:0 a.m. · 7 views

WordPress Easy Video Player Wordpress & WooCommerce Theme <= 10.0 is vulnerable to Arbitrary File Download

Software: Easy Video Player Wordpress & WooCommerce; Type: Theme; Vulnerable versions: <= 10.0; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Arbitrary File Download; CVE: CVE-2025-28955; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: 646c16d60f12; Credits: 0xd4rk5id3...

AI score 6.8 · EPSS 0.00498
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/07/07 12:0 a.m. · 7 views

WordPress WoodMart Theme <= 8.2.3 is vulnerable to Cross Site Scripting (XSS)

Software: WoodMart; Type: Theme; Vulnerable versions: <= 8.2.3; Fixed in: 8.2.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-6743; Patch priority: Low; CVSS severity: Low 6.5; Developer: Xtemos; PSID: 119b4b01c8c2; Credits: stealthcopter; Required privilege...

CVSS 6.4 · AI score 5.7 · EPSS 0.00123
Exploits: 0 · References: 2 · Affected Software: 1

Patchstack
added 2025/07/07 12:0 a.m. · 7 views

WordPress WoodMart Theme <= 8.2.3 is vulnerable to Content Injection

Software: WoodMart; Type: Theme; Vulnerable versions: <= 8.2.3; Fixed in: 8.2.4; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-6744; Patch priority: Medium; CVSS severity: Medium 7.3; Developer: Xtemos; PSID: 56c1aba7e1f2; Credits: stealthcopter; Required privilege: Unauthenticated; Publishe...

CVSS 7.3 · AI score 6.8 · EPSS 0.01316
Exploits: 0 · References: 2 · Affected Software: 1