WordPress The Business Theme <= 1.6.1 is vulnerable to Broken Access Control
Software The Business Type Theme Vulnerable versions <= 1.6.1 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2025-31630 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID f1f03f03f89d Credits Tran Nguyen Bao Khanh VCI - VNPT...
WordPress Rozario Theme <= 1.4 is vulnerable to Broken Access Control
Software Rozario Type Theme Vulnerable versions <= 1.4 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2025-31065 Patch priority Low CVSS severity Low 5.3 Developer Claim ownership PSID 039f36178658 Credits Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Bimber - Viral Magazine WordPress Theme theme <= 9.2.5 - Local File Inclusion vulnerability
WordPress Bimber - Viral Magazine WordPress Theme theme <= 9.2.5 - Local File Inclusion vulnerability discovered by Ananda Dhakal Patchstack in WordPress Theme Bimber - Viral Magazine WordPress Theme versions <= 9.2.5...
CVE-2025-4339 TheGem <= 5.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Theme Options Update
The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary...
WordPress Bimber - Viral Magazine WordPress Theme Theme <= 9.2.5 is vulnerable to Local File Inclusion
Software Bimber - Viral Magazine WordPress Theme Type Theme Vulnerable versions <= 9.2.5 Fixed in N/A OWASP Top 10 A3: Injection Classification Local File Inclusion CVE CVE-2025-47576 Patch priority Low CVSS severity Low 8.8 Developer EPC PSID 08c8e83478ea Credits Ananda Dhakal Patchstack Required...
82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme
On May 4th, 2025, we received a submission for an Arbitrary File Upload...
WordPress TheGem Theme <= 5.10.3 is vulnerable to Arbitrary File Upload
Software TheGem Type Theme Vulnerable versions <= 5.10.3 Fixed in 5.10.3.1 OWASP Top 10 A1: Injection Classification Arbitrary File Upload CVE CVE-2025-4317 Patch priority High CVSS severity High 8.8 Developer Claim ownership PSID 9a2acfb1e3cd Credits Foxyyy Required privilege Subscriber Published...
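The entries on this page give a "vulnerable through" version and, where one exists, a fixed version for each theme. The following is an added triage snippet (not code from Patchstack, Wordfence or any of the theme vendors) that compares the themes installed on a WordPress site against those thresholds using WordPress's own wp_get_themes() and PHP's version_compare(). The version numbers and CVE identifiers come from the entries listed here; the matching on the theme's Name header (case-insensitive prefix) and the function name theme_advisory_triage are assumptions, because the advisories do not give directory slugs.

```php
<?php
/**
 * Added example: flag installed themes whose version is at or below the
 * "vulnerable through" version listed on this page.
 * Drop into wp-content/mu-plugins/ and run:  wp eval 'theme_advisory_triage();'
 *
 * Thresholds come from the entries on this page. Matching is done on the
 * theme's Name header (case-insensitive prefix) because directory slugs are
 * not part of the advisories; that matching rule is an assumption.
 */

function theme_advisory_triage() : array {
    // name prefix => [ vulnerable through, fixed in (null = no fix listed), reference ]
    $advisories = [
        'The Business' => [ '1.6.1',   null,       'CVE-2025-31630' ],
        'Rozario'      => [ '1.4',     null,       'CVE-2025-31065' ],
        'Bimber'       => [ '9.2.5',   null,       'CVE-2025-47576' ],
        'TheGem'       => [ '5.10.3',  '5.10.3.1', 'CVE-2025-4317 / CVE-2025-4339' ],
        'Wolmart'      => [ '1.8.11',  null,       'CVE-2024-13793' ],
        'Motors'       => [ '5.6.65',  '5.6.66',   'CVE-2024-13738' ],
        'Homey'        => [ '2.4.4',   null,       'CVE-2025-1327' ],
        'NewsBlogger'  => [ '0.2.5.1', null,       'CVE-2025-1304' ],
    ];

    $findings = [];
    // wp_get_themes() returns every installed theme (active or not) as WP_Theme
    // objects keyed by directory name; inactive themes still have files on disk.
    foreach ( wp_get_themes() as $slug => $theme ) {
        $name    = (string) $theme->get( 'Name' );
        $version = (string) $theme->get( 'Version' );
        foreach ( $advisories as $prefix => [ $through, $fixed, $ref ] ) {
            if ( stripos( $name, $prefix ) !== 0 ) {
                continue;
            }
            // version_compare() handles four-part versions such as 5.10.3.1 correctly.
            if ( $version !== '' && version_compare( $version, $through, '<=' ) ) {
                $findings[] = sprintf(
                    '%s (%s) %s <= %s: %s; %s',
                    $name, $slug, $version, $through, $ref,
                    $fixed
                        ? "update to {$fixed} or later"
                        : 'no fixed version listed; remove the theme or restrict access until one ships'
                );
            }
        }
    }
    foreach ( $findings as $line ) {
        echo $line, PHP_EOL;
    }
    return $findings;
}
```

Inactive themes are reported on purpose: their files remain on disk, and the list above is only as current as this page, so a clean run means "not affected by these entries", not "no known issues".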
CVE-2024-13793
The Wolmart | Multi-Vendor Marketplace WooCommerce Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.8.11. This is due to the software allowing users to execute an action that does not properly validate a value before running...
CVE-2025-47647 WordPress Sidebar Manager Light plugin <= 1.18 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in OTWthemes Sidebar Manager Light (sidebar-manager-light) allows Cross Site Request Forgery. This issue affects Sidebar Manager Light: from n/a through <= 1.18...
Exploit for CVE-2025-4524
CVE-2025-4524 - Unauthenticated madara-core Wordpress theme LF...
CVE-2024-13738
CVE-2024-13738 affects the WordPress theme “Motors – Car Dealer, Rental & Listing” for versions up to 5.6.65. The issue is an unauthenticated arbitrary shortcode execution caused by insufficient validation before running do_shortcode, enabling an attacker to run arbitrary shortcodes. Connected so...
CVE-2024-13738 Motors - Car Dealer, Rental & Listing WordPress theme <= 5.6.65 - Unauthenticated Arbitrary Shortcode Execution
The Motors - Car Dealer, Rental & Listing WordPress theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.6.65. This is due to the software allowing users to execute an action that does not properly validate a value before running...
PT-2025-18937 · WordPress · The Motors – Car Dealer
Name of the Vulnerable Software and Affected Versions: The Motors - Car Dealer, Rental & Listing WordPress theme versions up to, and including, 5.6.65 Description: The issue is related to arbitrary shortcode execution due to improper validation of a value before running do_shortcode, allowing...
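The Motors entries above (and the Wolmart entry, CVE-2024-13793) describe the same pattern: an action that passes a request value to do_shortcode() without validating it, so any shortcode registered by any installed plugin or theme can be invoked with attacker-chosen attributes, and when the action is registered with wp_ajax_nopriv_ no login is needed. The following is an added, constructed illustration of that pattern beside a hardened handler; it is not the Motors or Wolmart code, and the action names, parameter names and allowlist entries are assumptions.

```php
<?php
/**
 * Added example (constructed, not the Motors or Wolmart code):
 * the "arbitrary shortcode execution" pattern and one way to close it.
 * Action names, parameter names and the allowlist are assumptions.
 */

// VULNERABLE: wp_ajax_nopriv_ makes this reachable without logging in, and the
// request value is handed straight to do_shortcode().
add_action( 'wp_ajax_nopriv_demo_render', 'demo_render_vulnerable' );
add_action( 'wp_ajax_demo_render',        'demo_render_vulnerable' );
function demo_render_vulnerable() {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    // Any registered shortcode runs here, with whatever attributes the caller supplies.
    echo do_shortcode( $shortcode );
    wp_die();
}

// HARDENED: the caller may only select an allowlisted tag, attribute names are
// allowlisted and values sanitized, and the string reaching do_shortcode() is
// assembled by the server rather than copied from the request.
const DEMO_ALLOWED_SHORTCODES = [
    'demo_listing_grid' => [ 'per_page', 'category' ],   // tag => allowed attribute names
];

add_action( 'wp_ajax_demo_render_safe', 'demo_render_hardened' );
function demo_render_hardened() {
    check_ajax_referer( 'demo_render', 'nonce' );          // CSRF protection
    if ( ! current_user_can( 'read' ) ) {                  // tighten to what the feature needs
        wp_send_json_error( 'forbidden', 403 );
    }

    $tag = isset( $_POST['tag'] ) ? sanitize_key( $_POST['tag'] ) : '';
    if ( ! isset( DEMO_ALLOWED_SHORTCODES[ $tag ] ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    $atts  = [];
    $input = isset( $_POST['atts'] ) ? (array) wp_unslash( $_POST['atts'] ) : [];
    foreach ( DEMO_ALLOWED_SHORTCODES[ $tag ] as $key ) {
        if ( isset( $input[ $key ] ) ) {
            $atts[] = $key . '="' . esc_attr( sanitize_text_field( $input[ $key ] ) ) . '"';
        }
    }

    // Only an allowlisted tag with allowlisted attribute names reaches do_shortcode().
    $shortcode = '[' . $tag . ( $atts ? ' ' . implode( ' ', $atts ) : '' ) . ']';
    wp_send_json_success( do_shortcode( $shortcode ) );
}
```

If the feature genuinely has to serve anonymous visitors, keep it on wp_ajax_nopriv_ and drop the capability check, but keep the allowlist: the allowlist is the control that prevents reaching other plugins' shortcodes, and it is the part the advisories above say was missing.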
WordPress Theme Blvd Sliders plugin <= 1.2.5 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Theme Blvd Sliders versions <= 1.2.5...
Exploit for Missing Authorization in Spicethemes Newsblogger
WordPress NewsBlogger Theme <= 0.2.5.1 - Arbitrary File Uplo...
CVE-2025-1327 Homey - Booking and Rentals WordPress Theme <= 2.4.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary User Deletion
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homeydeleteuseraccount' action due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access...
WordPress Motors Theme <= 5.6.65 is vulnerable to Content Injection
Software Motors Type Theme Vulnerable versions <= 5.6.65 Fixed in 5.6.66 OWASP Top 10 A3: Injection Classification Content Injection CVE CVE-2024-13738 Patch priority Medium CVSS severity Medium 7.3 Developer Claim ownership PSID 81285145e079 Credits Lucio Sá Required privilege Unauthenticated...
CVE-2025-1304
The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsbloggerinstallandactivateplugin function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and...
CVE-2025-1304 NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload
The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsbloggerinstallandactivateplugin function in all versions up to, and including, 0.2.5.1. This makes it possible for authenticated attackers, with subscriber-level access and...
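Three of the entries above are authorization gaps in admin-ajax handlers: TheGem (CVE-2025-4339) and NewsBlogger (CVE-2025-1304) lack a capability check, so any logged-in Subscriber can reach an administrative function, and Homey (CVE-2025-1327) trusts a user-controlled key, so a Subscriber can delete another account. Registering an action with wp_ajax_ only proves the caller has a session; it says nothing about who they are or what they own. The following is an added, constructed illustration of both gaps beside hardened handlers; it is not TheGem, NewsBlogger or Homey code, and the action names, parameter names, option keys and capabilities chosen are assumptions.

```php
<?php
/**
 * Added example (constructed, not TheGem, NewsBlogger or Homey code):
 *  - function-level authorization: an options-update action with no capability check;
 *  - object-level authorization (IDOR): a delete-account action that trusts user_id from the request.
 * Action names, parameter names, option keys and capabilities are assumptions.
 */

// VULNERABLE: wp_ajax_ requires only a logged-in session; nothing checks which user.
add_action( 'wp_ajax_demo_update_options', 'demo_update_options_vulnerable' );
function demo_update_options_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : [];
    update_option( 'demo_theme_options', $options );   // a Subscriber can overwrite theme settings
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_delete_account', 'demo_delete_account_vulnerable' );
function demo_delete_account_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;   // attacker picks the key
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );                                            // any account, admins included
    wp_send_json_success();
}

// HARDENED: nonce (CSRF), capability (function-level), ownership (object-level).
add_action( 'wp_ajax_demo_update_options_safe', 'demo_update_options_hardened' );
function demo_update_options_hardened() {
    check_ajax_referer( 'demo_theme_admin', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {   // install_plugins for a plugin-install action
        wp_send_json_error( 'forbidden', 403 );
    }
    $allowed = [ 'layout', 'accent_color' ];               // explicit allowlist of option keys
    $input   = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : [];
    $clean   = [];
    foreach ( $allowed as $key ) {
        if ( isset( $input[ $key ] ) ) {
            $clean[ $key ] = sanitize_text_field( $input[ $key ] );
        }
    }
    update_option( 'demo_theme_options', $clean );
    wp_send_json_success();
}

add_action( 'wp_ajax_demo_delete_account_safe', 'demo_delete_account_hardened' );
function demo_delete_account_hardened() {
    check_ajax_referer( 'demo_delete_account', 'nonce' );
    $requested = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $current   = get_current_user_id();

    // Object-level check: bind the key to the session. Self-deletion only, unless the
    // caller holds delete_users; never an administrator through this endpoint.
    if ( $requested !== $current && ! current_user_can( 'delete_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( $requested <= 0 || user_can( $requested, 'manage_options' ) ) {
        wp_send_json_error( 'refused', 403 );
    }
    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $requested );
    wp_send_json_success();
}
```

The nonce alone would not have prevented these issues: a Subscriber can obtain a valid nonce for their own session, so the capability check and the ownership check are the controls that matter, and the nonce only closes the separate CSRF path (compare the Sidebar Manager Light entry, CVE-2025-47647).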