2108 matches found
CVE-2025-26955 WordPress Industrial Lite theme <= 1.0.8 - Broken Access Control vulnerability
Missing Authorization vulnerability in vowelweb Industrial Lite industrial-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Industrial Lite: from n/a through 1.0.8...
WordPress Betheme Theme <= 28.0.3 is vulnerable to Cross Site Scripting (XSS)
Software: Betheme | Type: Theme | Vulnerable versions: <= 28.0.3 | Fixed in: 28.0.4 | OWASP Top 10: A7 Cross-Site Scripting (XSS) | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-3077 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: 7b297a9d938e | Credits: Webbernaut | Required privilege: ...
WordPress Grip Theme <= 1.0.9 is vulnerable to Local File Inclusion
Software: Grip | Type: Theme | Vulnerable versions: <= 1.0.9 | Fixed in: N/A | OWASP Top 10: A3 Injection | Classification: Local File Inclusion | CVE: CVE-2025-26735 | Patch priority: High | CVSS severity: High (7.5) | PSID: b5e4d6f7b083 | Credits: tahu.datar | Required privilege: Unauthenticated | Publishe...
WordPress Celestial Aura Theme <= 2.2 is vulnerable to Arbitrary File Upload
Software: Celestial Aura | Type: Theme | Vulnerable versions: <= 2.2 | Fixed in: N/A | OWASP Top 10: A1 Broken Access Control | Classification: Arbitrary File Upload | CVE: CVE-2025-26892 | Patch priority: High | CVSS severity: High (9.9) | PSID: 6836679a2db2 | Credits: stealthcopter | Required privilege: ...
WordPress SpaBiz Theme <= 1.0.18 is vulnerable to Cross Site Scripting (XSS)
Software: SpaBiz | Type: Theme | Vulnerable versions: <= 1.0.18 | Fixed in: N/A | OWASP Top 10: A3 Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-26740 | Patch priority: Low | CVSS severity: Low (6.5) | PSID: df996b7e733c | Credits: stealthcopter | Required privilege: Contributor...
WordPress Wireless Butler Theme <= 1.0.11 is vulnerable to Cross Site Scripting (XSS)
Software: Wireless Butler | Type: Theme | Vulnerable versions: <= 1.0.11 | Fixed in: N/A | OWASP Top 10: A4 Insecure Design | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-26997 | Patch priority: Medium | CVSS severity: Medium (7.1) | PSID: 66608dec313c | Credits: 0xd4rk5id3 | Required privileg...
WordPress Bulk Theme <= 1.0.11 is vulnerable to Broken Access Control
Software: Bulk | Type: Theme | Vulnerable versions: <= 1.0.11 | Fixed in: N/A | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2025-26867 | Patch priority: Low | CVSS severity: Low (5.3) | PSID: a2112daa471f | Credits: Fariq Fadillah Gusti Insani | Required...
CVE-2025-2519
The Streamit theme for WordPress is vulnerable to arbitrary file downloads in all versions up to, and including, 4.0.1. This is due to insufficient file validation in the 'st_send_download_file' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to...
CVE-2025-2526
The Streamit theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 4.0.2. This is due to the plugin not properly validating a user's identity prior to updating their details like email in the 'stAuthenticationController::editprofile'...
WordPress Industrial Lite Theme <= 1.0.8 is vulnerable to Broken Access Control
Software: Industrial Lite | Type: Theme | Vulnerable versions: <= 1.0.8 | Fixed in: N/A | OWASP Top 10: A1 Broken Access Control | Classification: Broken Access Control | CVE: CVE-2025-26955 | Patch priority: Low | CVSS severity: Low (4.3) | PSID: 1a08c3e67c74 | Credits: Mika | Required privilege: Subscrib...
WordPress Photography Theme <= 7.5.2 is vulnerable to Server Side Request Forgery (SSRF)
Software: Photography | Type: Theme | Vulnerable versions: <= 7.5.2 | Fixed in: N/A | OWASP Top 10: A1 Broken Access Control | Classification: Server Side Request Forgery (SSRF) | CVE: CVE-2025-30964 | Patch priority: Low | CVSS severity: Low (5.4) | Developer: EPC | PSID: 1dff91d3e1ce | Credits: Rafie Muhammad (Patchstack) | Required...
CVE-2025-2519
CVE-2025-2519 affects the Streamit WordPress theme and permits authenticated (Subscriber+) users to download arbitrary files due to insufficient validation in the st_send_download_file function. Affected versions: all up to 4.0.1. The vulnerability has been patched by the vendor; upgrading to the...
CVE-2025-2525 Streamit <= 4.0.1 - Authenticated (Subscriber+) Arbitrary File Upload
The Streamit theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'stAuthenticationController::editprofile' function in all versions up to, and including, 4.0.1. This makes it possible for authenticated attackers, with subscriber-level and above...
WordPress Streamit Theme <= 4.0.1 is vulnerable to Arbitrary File Upload
Software: Streamit | Type: Theme | Vulnerable versions: <= 4.0.1 | Fixed in: 4.0.2 | OWASP Top 10: A1 Injection | Classification: Arbitrary File Upload | CVE: CVE-2025-2525 | Patch priority: High | CVSS severity: High (9.9) | PSID: 0e50f93134fe | Credits: István Márton | Required privilege: Subscriber...
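The Streamit entries above describe two defect classes that recur across this listing: a download routine that trusts a client-supplied path (CVE-2025-2519) and an upload routine that never checks the file type (CVE-2025-2525). The block below is an added illustration written for this page, not code from the Streamit theme or from any advisory: hypothetical handlers (prefix `ex_`) show each defect beside a hardened form built on WordPress's own APIs, with realpath() containment for downloads and wp_check_filetype_and_ext() plus wp_handle_upload() under an explicit MIME allowlist for uploads. The `ex-downloads` directory, the nonce action names and the `avatar` field are assumptions.

```php
<?php
// Added example, not code from the Streamit theme. The "ex_" function names,
// the "ex-downloads" directory, the nonce actions and the "avatar" field are
// hypothetical.

// --- Download ---------------------------------------------------------------

// VULNERABLE: the client names the file, so ?file=../../wp-config.php serves
// the database credentials to any logged-in user.
function ex_vulnerable_download() {
    $file = $_GET['file'];
    header( 'Content-Disposition: attachment' );
    readfile( $file );
    exit;
}

// HARDENED: require a capability and a nonce, keep only the base name, resolve
// both paths with realpath() (follows symlinks, collapses "..") and insist the
// result lies inside one dedicated directory.
function ex_hardened_download() {
    if ( ! is_user_logged_in() || ! current_user_can( 'read' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    $nonce = sanitize_text_field( wp_unslash( $_GET['nonce'] ?? '' ) );
    if ( ! wp_verify_nonce( $nonce, 'ex_download' ) ) {
        wp_die( 'Bad nonce', '', array( 'response' => 403 ) );
    }
    $name = basename( sanitize_file_name( wp_unslash( $_GET['file'] ?? '' ) ) );
    $dir  = realpath( wp_upload_dir()['basedir'] . '/ex-downloads' );
    $real = ( '' !== $name && false !== $dir ) ? realpath( $dir . '/' . $name ) : false;
    // Prefix check on the resolved path: anything outside $dir (or a missing
    // file, where realpath() returns false) is rejected.
    if ( false === $real || 0 !== strpos( $real, $dir . DIRECTORY_SEPARATOR ) ) {
        wp_die( 'Invalid file', '', array( 'response' => 400 ) );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . $name . '"' );
    readfile( $real );
    exit;
}

// --- Upload -----------------------------------------------------------------

// VULNERABLE: moves whatever arrives under the uploads tree with its original
// name; a Subscriber uploads shell.php and then requests it.
function ex_vulnerable_upload() {
    $dest = wp_upload_dir()['basedir'] . '/' . $_FILES['avatar']['name'];
    move_uploaded_file( $_FILES['avatar']['tmp_name'], $dest );
}

// HARDENED: nonce, then extension AND content validated against an explicit
// MIME allowlist. wp_check_filetype_and_ext() sniffs image headers, so a PHP
// file renamed to .png comes back with an empty ext/type and is rejected.
function ex_hardened_upload() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Not logged in', 401 );
    }
    check_ajax_referer( 'ex_upload' ); // dies on a missing or stale nonce
    $file = $_FILES['avatar'] ?? null;
    if ( null === $file || UPLOAD_ERR_OK !== $file['error'] ) {
        wp_send_json_error( 'No file', 400 );
    }
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' );
    $check   = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not allowed', 415 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php'; // wp_handle_upload()
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    update_user_meta( get_current_user_id(), 'ex_avatar', esc_url_raw( $result['url'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

The hardened upload passes the same `$allowed` map to both the sniffing check and wp_handle_upload(), so the two stages cannot disagree about what is permitted; wp_handle_upload() also renames the file through sanitize_file_name(), which neutralises intermediate extensions such as `.php` in a double-extension name. Register the handlers with `add_action( 'wp_ajax_ex_upload', 'ex_hardened_upload' )` and a matching `wp_ajax_ex_download` hook; no `wp_ajax_nopriv_` variant is registered because the actions are for authenticated users only.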
CVE-2025-22281 WordPress Simplish theme <= 2.6.4 - Stored Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in joshix Simplish simplish allows Stored XSS. This issue affects Simplish: from n/a through 2.6.4...
CVE-2024-51800 WordPress Homey theme <= 2.4.1 - Privilege Escalation vulnerability
Incorrect Privilege Assignment vulnerability in Favethemes Homey allows Privilege Escalation. This issue affects Homey: from n/a through 2.4.1...
CVE-2025-31407 WordPress Tiger theme <= 2.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in hutsixdigital Tiger allows Stored XSS. This issue affects Tiger: from n/a through 2.0...
CVE-2025-3105 Vehica Core <= 1.0.97 - Authenticated (Subscriber+) Privilege Escalation
The Vehica Core plugin for WordPress, used by the Vehica - Car Dealer & Listing WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.0.97. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This make...
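The Streamit account-takeover entry (CVE-2025-2526: details such as the email are updated without validating whose profile is being edited) and the Vehica Core entry (CVE-2025-3105: client-supplied user meta written without validation) are two variants of one mistake, a profile handler that trusts the request for both the subject and the fields. The block below is an added example written for this page, not code from Streamit, Vehica Core or any advisory: a hypothetical `ex_` handler with both defects beside a hardened version that takes the subject from the session and writes meta only through an allowlist. The nonce action and the `ex_phone`/`ex_city` keys are assumptions; the `wp_capabilities` key is WordPress's default-prefix role meta.

```php
<?php
// Added example, not code from Streamit or Vehica Core. The "ex_" function
// names, the nonce action and the allowlisted meta keys are hypothetical.

// VULNERABLE: trusts the user id sent by the client and writes every submitted
// meta key.
//   - POST user_id=1&email=attacker@example.com rewrites the administrator's
//     email; a password reset then completes the account takeover.
//   - POST meta[wp_capabilities][administrator]=1 writes the array WordPress
//     reads roles from (key $wpdb->prefix . 'capabilities', "wp_capabilities"
//     on a default install). WP_User treats every key that names a role as a
//     held role, so the Subscriber becomes an administrator on next load.
function ex_vulnerable_edit_profile() {
    $user_id = (int) $_POST['user_id'];
    if ( ! empty( $_POST['email'] ) ) {
        wp_update_user( array( 'ID' => $user_id, 'user_email' => $_POST['email'] ) );
    }
    foreach ( (array) ( $_POST['meta'] ?? array() ) as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
}

// HARDENED: the subject is always the session's own user, the request carries
// a nonce, and meta writes go through an explicit allowlist of scalar fields.
const EX_EDITABLE_META = array( 'ex_phone', 'ex_city' );

function ex_hardened_edit_profile() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Not logged in', 401 );
    }
    check_ajax_referer( 'ex_edit_profile' ); // dies on a missing or stale nonce
    $user_id = get_current_user_id();         // never taken from the request

    if ( ! empty( $_POST['email'] ) ) {
        $email = sanitize_email( wp_unslash( $_POST['email'] ) );
        $owner = email_exists( $email );      // user ID or false
        if ( ! is_email( $email ) || ( $owner && (int) $owner !== $user_id ) ) {
            wp_send_json_error( 'Invalid or already used email', 400 );
        }
        $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
        if ( is_wp_error( $result ) ) {
            wp_send_json_error( $result->get_error_message(), 400 );
        }
    }

    foreach ( (array) wp_unslash( $_POST['meta'] ?? array() ) as $key => $value ) {
        if ( ! in_array( $key, EX_EDITABLE_META, true ) ) {
            continue;                          // drops wp_capabilities and friends
        }
        if ( ! is_scalar( $value ) ) {
            continue;                          // no arrays or objects into meta
        }
        update_user_meta( $user_id, $key, sanitize_text_field( $value ) );
    }
    wp_send_json_success();
}
```

The allowlist is the load-bearing control: a denylist of `wp_capabilities` alone would miss `wp_user_level` and any other prefix-dependent key, and rejecting non-scalar values closes the serialised-array route even for allowlisted keys. Register the hardened handler with `add_action( 'wp_ajax_ex_edit_profile', 'ex_hardened_edit_profile' )`; if a site needs moderators to edit other users' profiles, gate that path on `current_user_can( 'edit_user', $target_id )` rather than on a user id copied from the form.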
WordPress Wigi <= 2.0.1 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT) in WordPress Theme Wigi versions <= 2.0.1...