WordPress NewsBlogger theme <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation vulnerability
Cross-Site Request Forgery to Arbitrary Plugin Installation vulnerability discovered by Gibran Abdillah in WordPress Theme NewsBlogger versions <= 0.2.5.4...
WordPress NewsBlogger Theme <= 0.2.5.1 is vulnerable to Arbitrary File Upload
Software NewsBlogger Type Theme Vulnerable versions <= 0.2.5.1 Fixed in 0.2.5.2 OWASP Top 10 A1: Injection Classification Arbitrary File Upload CVE CVE-2025-1304 Patch priority High CVSS severity High 8.8 Developer Claim ownership PSID 233ab859c905 Credits CVEhunter Required privilege Subscriber...
WordPress NewsBlogger Theme <= 0.2.5.4 is vulnerable to Cross Site Request Forgery (CSRF)
Software NewsBlogger Type Theme Vulnerable versions <= 0.2.5.4 Fixed in 0.2.5.5 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2025-1305 Patch priority Low CVSS severity Low 8.8 Developer Claim ownership PSID 0ec134d8edb7 Credits Gibran Abdillah...
CVE-2015-4582
The TheCartPress boot-store aka Boot Store theme 1.6.4 for WordPress allows header.php tcp_register_error XSS. NOTE: CVE-2015-4582 is not assigned to any Oracle product...
CVE-2015-4582
CVE-2015-4582 affects TheCartPress boot-store theme (WordPress) version 1.6.4. The flaw is a cross-site scripting (XSS) vulnerability in header.php via the tcp_register_error function. Public sources in the connected docs identify the affected software and the XSS outcome, but do not provide a co...
CVE-2025-2558
The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary file from the server...
WordPress EduMall Theme <= 4.2.4 is vulnerable to Local File Inclusion
Software EduMall Type Theme Vulnerable versions <= 4.2.4 Fixed in 4.3.0 OWASP Top 10 A1: Injection Classification Local File Inclusion CVE CVE-2025-2101 Patch priority High CVSS severity High 8.1 Developer Claim ownership PSID ce27fee25f49 Credits Tonn Required privilege Unauthenticated Published ...
CVE-2025-39359 WordPress CWW Portfolio theme <= 1.3.1 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in codeworkweb CWW Portfolio cww-portfolio allows PHP Local File Inclusion. This issue affects CWW Portfolio: from n/a through <= 1.3.1...
CVE-2024-13307
CVE-2024-13307 concerns the Reales WP Real Estate WordPress Theme (versions
CVE-2025-2558 The Wound <= 0.0.1 - Unauthenticated LFI
The-wound WordPress theme through 0.0.1 does not validate some parameters before using them to generate paths passed to include function/s, allowing unauthenticated users to perform LFI attacks and download arbitrary file from the server...
WordPress Vikinger Theme <= 1.9.30 is vulnerable to Privilege Escalation
Software Vikinger Type Theme Vulnerable versions <= 1.9.30 Fixed in 1.9.31 OWASP Top 10 A7: Identification and Authentication Failures Classification Privilege Escalation CVE CVE-2025-2238 Patch priority Low CVSS severity Low 8.8 Developer Claim ownership PSID 27a6956156c8 Credits Tonn Required...
PT-2025-17707 · WordPress · The Reales Wp
Name of the Vulnerable Software and Affected Versions: The Reales WP - Real Estate WordPress Theme versions up to, and including, 2.1.2 Description: The issue allows unauthorized modification and loss of data due to a missing capability check on the reales delete file, reales delete file plans,...
PT-2025-17690
Name of the Vulnerable Software and Affected Versions The-wound WordPress theme version 0.0.1 Description The issue concerns the failure to validate certain parameters before using them to generate paths passed to include functions, allowing unauthenticated users to perform Local File Inclusion L...
WordPress Theme Switcha plugin <= 3.4 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by muhammad yudha in WordPress Plugin Theme Switcha versions <= 3.4...
CVE-2025-46239
CVE-2025-46239 affects Theme Switcha (WordPress plugin) up to version 3.4. It is a Stored XSS caused by improper input neutralization during web page generation. The impact is that malicious input could execute scripts in users’ browsers when viewing affected pages. Mitigation: update to a versio...
WordPress plugin Theme Switcha cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...
WordPress Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue Theme <= 4.2.2 is vulnerable to Broken Access Control
Software Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue Type Theme Vulnerable versions <= 4.2.2 Fixed in N/A OWASP Top 10 A1: Broken Access Control Classification Broken Access Control CVE CVE-2025-39398 Patch priority Low CVSS severity Low 4.3 Developer Claim ownership PSID...
WordPress wProject Theme < 5.8.0 is vulnerable to Cross Site Scripting (XSS)
Software wProject Type Theme Vulnerable versions < 5.8.0 Fixed in 5.8.0 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2025-39365 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID d25ce780039c Credits Dave Jong Patchstack Required privilege...