2108 matches found
CVE-2024-11912
The Travel Booking WordPress Theme for WordPress is vulnerable to blind time-based SQL Injection via the ‘orderid’ parameter in all versions up to, and including, 3.1.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query...
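The bug class in the entry above is a request parameter reaching `$wpdb` without preparation. The following is an added illustration written for this listing, not the theme's code: the table name `tb_orders` and both function names are hypothetical. It shows the unprepared pattern next to the prepared one.

```php
<?php
// Added illustration of the bug class above: an 'orderid' request parameter
// concatenated into a query. Hypothetical handler and table, not the theme's code.
function tb_get_order_vulnerable( array $request ) {
    global $wpdb;
    // Vulnerable: $request['orderid'] is interpolated unescaped. Any value that
    // changes the query's timing (a conditional delay) lets a blind, time-based
    // injection infer data one boolean at a time.
    $sql = "SELECT * FROM {$wpdb->prefix}tb_orders WHERE id = " . $request['orderid'];
    return $wpdb->get_row( $sql );
}

function tb_get_order_hardened( array $request ) {
    global $wpdb;
    // Coerce to the type the column expects; non-numeric input becomes 0.
    $order_id = absint( $request['orderid'] ?? 0 );
    if ( 0 === $order_id ) {
        return null;
    }
    // $wpdb->prepare() binds %d as an integer, so the value can never alter the
    // query structure regardless of what the request contained.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}tb_orders WHERE id = %d",
        $order_id
    );
    return $wpdb->get_row( $sql );
}
```

The type coercion alone would stop this particular injection; `$wpdb->prepare()` is still used so that the query stays safe if the column type or the calling code changes later.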
CVE-2024-13545 Bootstrap Ultimate <= 1.4.9 - Unauthenticated Limited Local File Inclusion
The Bootstrap Ultimate theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.9 via the path parameter. This makes it possible for unauthenticated attackers to include PHP files on the server, allowing the execution of any PHP code in those files. This...
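The entry above describes a request-controlled `path` value used in an include. As an added illustration (hypothetical theme code, not Bootstrap Ultimate's; the `templates/` directory and the allowed names are assumptions), the unsafe include is shown next to an allowlist-based replacement:

```php
<?php
// Added illustration of the class above: a request-controlled 'path' used in an
// include. Hypothetical theme code, not Bootstrap Ultimate's.
function bu_render_vulnerable() {
    // Vulnerable: whatever the request supplies is joined into an include path,
    // so any readable .php file on the server (for example one an attacker got
    // onto disk earlier) can be pulled in and executed.
    $path = isset( $_GET['path'] ) ? $_GET['path'] : 'default';
    include get_template_directory() . '/templates/' . $path . '.php';
}

function bu_render_hardened() {
    // Allowlist the template names the theme actually ships (assumed names).
    $allowed = array( 'default', 'grid', 'list' );
    // sanitize_key() keeps only [a-z0-9_-], which also removes "../" traversal.
    $path = isset( $_GET['path'] ) ? sanitize_key( wp_unslash( $_GET['path'] ) ) : 'default';
    if ( ! in_array( $path, $allowed, true ) ) {
        $path = 'default';
    }
    // After the allowlist check the slug is one of three known files under the
    // theme directory; get_template_part() resolves it there.
    get_template_part( 'templates/' . $path );
}
```

The allowlist is the control that matters: sanitising the string reduces the attack surface, but only an exact match against known template names guarantees the include cannot leave the intended directory.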
CVE-2024-10847
Storely (WordPress theme) is affected by CVE-2024-10847. Versions up to and including 16.6 are vulnerable to Stored Cross-Site Scripting (XSS) via a malicious display name due to insufficient input sanitization and output escaping. Exploitation requires authentication at Contributor level or hi...
CVE-2024-11936
The Zox News theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'backupoptions' and 'restoreoptions' functions in all versions up to, and including, 3.16.0. This makes it possible for authenticated...
CVE-2024-13698 Jobify - Job Board WordPress Theme <= 4.2.7 - Missing Authorization to Unauthenticated Server-Side Request Forgery, Arbitrary Image Upload, and Image Generation
The Jobify - Job Board WordPress Theme for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on the 'downloadimageviaai' and 'generateimageviaai' functions in all versions up to, and including, 4.2.7. This makes it possible for unauthenticat...
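Both the Zox News entry (missing capability check on option backup/restore) and the Jobify entry above (missing capability check on image download/generation, reachable unauthenticated) are instances of the same pattern: an `admin-ajax.php` action whose callback never asks who is calling. The code below is an added illustration for this listing, not either theme's code; the action names, option name and nonce name are hypothetical. Two distinct action names are used only so that both variants can coexist in one file; in a real fix the callback is replaced.

```php
<?php
// Added illustration of the class above: an admin-ajax action exposed without a
// capability check. Hypothetical action and option names, not the themes' code.

// Vulnerable: also registered for logged-out users (wp_ajax_nopriv_) and the
// callback never checks the caller, so anyone can overwrite the theme options.
add_action( 'wp_ajax_theme_restore_options', 'theme_restore_options_vulnerable' );
add_action( 'wp_ajax_nopriv_theme_restore_options', 'theme_restore_options_vulnerable' );
function theme_restore_options_vulnerable() {
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    update_option( 'theme_options', $options );
    wp_send_json_success();
}

// Hardened: logged-in registration only, nonce check (stops CSRF), capability
// check (stops low-privilege and anonymous callers), and payload validation.
add_action( 'wp_ajax_theme_restore_options_v2', 'theme_restore_options_hardened' );
function theme_restore_options_hardened() {
    // check_ajax_referer() terminates the request when the nonce is missing or stale.
    check_ajax_referer( 'theme_options_nonce', 'nonce' );
    // Authorization: only users allowed to manage site options may restore them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $options = json_decode( wp_unslash( $_POST['options'] ?? '' ), true );
    if ( ! is_array( $options ) ) {
        wp_send_json_error( 'invalid payload', 400 );
    }
    // map_deep() applies the sanitizer to every leaf of a nested array.
    update_option( 'theme_options', map_deep( $options, 'sanitize_text_field' ) );
    wp_send_json_success();
}
```

The nonce and the capability check answer different questions (is this request intentional, and is this user allowed); an endpoint needs both, and the `wp_ajax_nopriv_` registration should only exist for actions that are genuinely meant for anonymous visitors.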
PT-2025-5544 · Rextheme · Rextheme Wp Vr
Name of the Vulnerable Software and Affected Versions: Rextheme WP VR versions through 8.5.14 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows DOM-Based XSS. This enables potential attackers to execu...
WordPress InspiryThemes RealHomes Theme Privilege Escalation Vulnerability (Jan 2025)
The WordPress theme RealHomes by InspiryThemes is prone to a privilege escalation vulnerability.
WordPress Ignition by Thrive Themes theme < 1.0.4 - Unauthenticated Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting (XSS) vulnerability discovered by Dieter Holvoet in WordPress Theme Ignition by Thrive Themes versions < 1.0.4...
PT-2025-3932 · WordPress · The Buzz Club – Night Club
Name of the Vulnerable Software and Affected Versions: The Buzz Club – Night Club, DJ and Music Festival Event WordPress Theme versions up to, and including, 2.0.4 Description: The issue allows unauthorized modification of data, potentially leading to a denial of service. This is due to a missing...
WordPress my white theme <= 2.0.8 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by justakazh (Patchstack Alliance) in WordPress Theme my white versions <= 2.0.8...
WordPress Tantyyellow theme <= 1.0.0.5 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by justakazh (Patchstack Alliance) in WordPress Theme Tantyyellow versions <= 1.0.0.5...
WordPress my zebra theme <= 2.0.6 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by justakazh (Patchstack Alliance) in WordPress Theme my zebra versions <= 2.0.6...
CVE-2025-23717 WordPress Theme My Ontraport Smartform plugin <= 1.2.11 - CSRF to Stored XSS vulnerability
Cross-Site Request Forgery (CSRF) vulnerability in itmooti Theme My Ontraport Smartform (theme-my-ontraport-smartform) allows Stored XSS. This issue affects Theme My Ontraport Smartform: from n/a through 1.2.11...
CVE-2025-0170 DWT - Directory & Listing WordPress Theme <= 3.3.3 - Reflected Cross-Site Scripting
The DWT - Directory & Listing WordPress Theme is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.3.3 due to insufficient input sanitization and output escaping on the 'sortby' and 'token' parameters. This makes it possible for unauthenticated attackers to inject...
CVE-2025-0170
The CVE-2025-0170 entry documents a Reflected Cross-Site Scripting vulnerability in the DWT - Directory & Listing WordPress Theme (versions up to and including 3.3.3). The root cause is insufficient input sanitization and output escaping on the sort_by and token parameters, enabling unauthenticat...
PT-2025-3759 · WordPress · Dwt - Directory & Listing Wordpress Theme
Name of the Vulnerable Software and Affected Versions: DWT - Directory & Listing WordPress Theme versions up to, and including, 3.3.3 Description: The issue is related to Reflected Cross-Site Scripting due to insufficient input sanitization and output escaping on the sort by and token parameters...
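The DWT entries above (reflected XSS on the 'sortby' and 'token' parameters) and the earlier my white, Tantyyellow and my zebra entries all describe request values echoed into markup without escaping. As an added illustration for this listing (hypothetical listing template, not DWT's code; the allowed sort keys are assumptions), the unescaped output is shown next to context-aware escaping:

```php
<?php
// Added illustration for the reflected XSS entries above: request parameters
// echoed into HTML. Hypothetical listing template, not DWT's code.
function dwt_sort_link_vulnerable() {
    $sortby = $_GET['sortby'] ?? 'date';
    $token  = $_GET['token'] ?? '';
    // Vulnerable: raw request values land inside an href attribute and in
    // element text, so a crafted link can close the attribute or inject a tag.
    echo '<a href="?sortby=' . $sortby . '&token=' . $token . '">Sorted by ' . $sortby . '</a>';
}

function dwt_sort_link_hardened() {
    // Validate: 'sortby' may only be one of the keys the listing supports.
    $allowed = array( 'date', 'title', 'rating' );
    $sortby  = sanitize_key( wp_unslash( $_GET['sortby'] ?? 'date' ) );
    if ( ! in_array( $sortby, $allowed, true ) ) {
        $sortby = 'date';
    }
    // Sanitize: the token is opaque, so strip tags and control characters only.
    $token = sanitize_text_field( wp_unslash( $_GET['token'] ?? '' ) );

    // Escape for the output context: add_query_arg() builds the URL, esc_url()
    // escapes it for the attribute, esc_html() escapes the visible text.
    $url = add_query_arg( array( 'sortby' => $sortby, 'token' => $token ) );
    printf(
        '<a href="%s">Sorted by %s</a>',
        esc_url( $url ),
        esc_html( $sortby )
    );
}
```

Sanitising on input is not a substitute for escaping on output: the same `$token` would need `esc_attr()` in a plain attribute, `esc_js()` inside a script block and `esc_url()` in a URL, so the escaping call is chosen where the value is printed, not where it is read.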
CVE-2025-22769
CVE-2025-22769 is tied to a Stored XSS in the WordPress plugin Multifox. The connected Red Hat/ENISA/Wordfence entries confirm an authenticated (Contributor+) Stored Cross-Site Scripting issue in Multifox, affecting versions up to 1.3.7 and described as Improper Neutralization of Input During Web...