WordPress Cardealer theme <= 1.6.4 - Cross-Site Request Forgery to User Update via update_user_profile vulnerability
Cross-Site Request Forgery to User Update via update_user_profile vulnerability discovered by István Márton in WordPress Theme Car Dealer versions <= 1.6.4...
CVE-2024-13693
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may include sensitive...
CVE-2025-1282
CVE-2025-1282 affects the Car Dealer Automotive WordPress Theme – Responsive (WordPress Theme) up to version 1.6.3. The vulnerability arises from insufficient file path validation in delete_post_photo() and add_car(), allowing authenticated users with Subscriber+ privileges to delete arbitrary se...
CVE-2025-1282 Car Dealer Automotive WordPress Theme – Responsive <= 1.6.3 - Authenticated (Subscriber+) Arbitrary File Deletion and Read
The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo and add_car functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers,...
DWT - Directory & Listing Theme for WordPress < 3.3.4 Cross-Site Scripting
The WordPress DWT - Directory & Listing Theme installed on the remote host is affected by an unauthenticated Reflected Cross-Site Scripting. Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number. No source data...
CVE-2024-13636
The Brooklyn theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.9.9.2 via deserialization of untrusted input in the ot_decode function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object...
CVE-2025-27013
CVE-2025-27013 affects MediCenter - Health Medical Clinic WordPress Theme (MediCenter). Described as a Missing Authorization vulnerability, with CVSS v3.1 base score 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). Wordfence documentation confirms the affected software and labels the issue as Missing A...
CVE-2025-27013 WordPress MediCenter theme < 14.7 - Sensitive Data Exposure vulnerability
Missing Authorization vulnerability in QuanticaLabs MediCenter - Health Medical Clinic medicenter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MediCenter - Health Medical Clinic: from n/a through 14.7...
CVE-2024-13667
The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘mle-description’ parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level acces...
CVE-2024-13797 PressMart - Modern Elementor WooCommerce WordPress Theme <= 1.2.16 - Unauthenticated Arbitrary Shortcode Execution
The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running...
CVE-2024-12860 CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover
The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for...
CVE-2024-12860
CVE-2024-12860 refers to the CarSpot – Dealership WordPress Classified Theme. The vulnerability allows unauthenticated privilege escalation via account takeover because the plugin does not properly validate a token before updating a user’s password. The issue affects CarSpot up to and including v...
PT-2025-6588 · WordPress · Brooklyn
Name of the Vulnerable Software and Affected Versions: Brooklyn theme for WordPress versions up to, and including, 4.9.9.2 Description: The vulnerability is related to PHP Object Injection, which occurs through the deserialization of untrusted input in the ot_decode function. This allows...
PT-2025-7243 · WordPress · Medicenter - Health Medical Clinic Wordpress Theme
Name of the Vulnerable Software and Affected Versions: MediCenter - Health Medical Clinic WordPress Theme affected versions not specified Description: The issue is related to a Missing Authorization vulnerability in the MediCenter - Health Medical Clinic WordPress Theme, which allows exploitation...
WordPress CarSpot theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover vulnerability
Unauthenticated Arbitrary Password Reset/Account Takeover vulnerability discovered by Lucio Sá in WordPress Theme CarSpot versions <= 2.4.3...
CVE-2024-13867
The Listivo - Classified Ads WordPress Theme theme for WordPress is vulnerable to Reflected Cross-Site Scripting via the 's' parameter in all versions up to, and including, 2.3.67 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to...
CVE-2025-0837
The Puzzles theme for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 4.2.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and...