
2100 matches found

Vulnrichment
added 2026/02/20 3:46 p.m. | Views: 1

CVE-2025-67982 WordPress Urna theme <= 2.5.12 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in thembay Urna urna allows PHP Local File Inclusion. This issue affects Urna: from n/a through = 2.5.12...

AI score: 5.5 | EPSS: 0.00056
Exploits: 0 | References: 1

Vulnrichment
added 2026/02/20 3:46 p.m. | Views: 1

CVE-2025-67988 WordPress CozyStay theme < 1.9.1 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion. This issue affects CozyStay: from n/a through 1.9.1...

AI score: 5.5 | EPSS: 0.00056
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/20 7:22 a.m. | Views: 5

CVE-2025-12117

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

CVSS: 6.4 | AI score: 5.7 | EPSS: 0.00043
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/20 7:22 a.m. | Views: 3

CVE-2025-14357

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setupwidgets function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. This makes it possible for authenticated attackers, wit...

CVSS: 5.3 | AI score: 5.6 | EPSS: 0.0004
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/20 12:0 a.m. | Views: 3

PT-2026-21149

Name of the Vulnerable Software and Affected Versions: GT3themes Oyster - Photography WordPress Theme versions through 4.4.3
Description: The GT3themes Oyster - Photography WordPress Theme contains a flaw related to improper input handling during web page generation, leading to a DOM-Based Cross-si...

AI score: 5.3 | EPSS: 0.00015
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/20 12:0 a.m. | Views: 4

PT-2026-21150

Name of the Vulnerable Software and Affected Versions: GT3themes SOHO - Photography WordPress Theme versions through 3.0.3
Description: The GT3themes SOHO - Photography WordPress Theme contains a flaw related to improper input handling during web page generation, leading to a DOM-Based Cross-site...

AI score: 5.5 | EPSS: 0.00045
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/20 12:0 a.m. | Views: 1

PT-2026-21224

Name of the Vulnerable Software and Affected Versions: Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme versions through 1.3
Description: The software contains a flaw related to improper control of filenames used in include/require statements, specifically a PHP Local File Inclusi...

AI score: 5.4 | EPSS: 0.00172
Exploits: 0 | References: 3

Positive Technologies
added 2026/02/20 12:0 a.m. | Views: 5

PT-2026-21166

Name of the Vulnerable Software and Affected Versions: AgniHD Cartify - WooCommerce Gutenberg WordPress Theme versions through 1.3
Description: The software contains a missing authorization issue related to incorrectly configured access control security levels. This allows for exploitation of the...

AI score: 5.3 | EPSS: 0.00039
Exploits: 0 | References: 3

NVD
added 2026/02/19 9:16 a.m. | Views: 3

CVE-2026-27069

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through = 8.7.2...

CVSS: 6.5 | EPSS: 0.00045
Exploits: 0 | References: 1

NVD
added 2026/02/19 9:16 a.m. | Views: 2

CVE-2026-25422

Cross-Site Request Forgery CSRF vulnerability in Themes4WP Popularis Extra popularis-extra allows Cross Site Request Forgery. This issue affects Popularis Extra: from n/a through = 1.2.10...

CVSS: 5.4 | EPSS: 0.0002
Exploits: 0 | References: 1

ATTACKERKB
added 2026/02/19 8:27 a.m. | Views: 3

CVE-2026-27069

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through = 8.7.2...

AI score: 5.5 | EPSS: 0.00045
Exploits: 0 | References: 2

Cvelist
added 2026/02/19 8:27 a.m. | Views: 27

CVE-2026-25459 WordPress Sober theme <= 3.5.12 - Broken Access Control vulnerability

Missing Authorization vulnerability in uixthemes Sober sober allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sober: from n/a through = 3.5.12...

CVSS: 4.3 | EPSS: 0.00039
Exploits: 0 | References: 1

CVE
added 2026/02/19 8:27 a.m. | Views: 7

CVE-2026-25395

CVE-2026-25395 – WordPress Business Roy theme

CVSS: 4.3 | AI score: 5.4 | EPSS: 0.00039
Exploits: 0 | References: 1

Cvelist
added 2026/02/19 8:27 a.m. | Views: 30

CVE-2026-25395 WordPress Business Roy theme <= 1.1.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in ikreatethemes Business Roy business-roy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Business Roy: from n/a through = 1.1.4...

CVSS: 4.3 | EPSS: 0.00039
Exploits: 0 | References: 1

Cvelist
added 2026/02/19 8:27 a.m. | Views: 26

CVE-2026-25394 WordPress Fitness FSE theme <= 1.0.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in sparklewpthemes Fitness FSE fitness-fse allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fitness FSE: from n/a through = 1.0.6...

CVSS: 4.3 | EPSS: 0.00039
Exploits: 0 | References: 1

CVE
added 2026/02/19 8:27 a.m. | Views: 7

CVE-2026-25374

CVE-2026-25374 describes a Missing Authorization (Broken Access Control) vulnerability in the WordPress Spa and Salon theme (raratheme) prior to/including version 1.3.2. The issue is tied to misconfigured access control levels and allows unauthorized actions due to insufficient authorization chec...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00014
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/19 7:28 a.m. | Views: 2

CVE-2025-12074

The Context Blog theme for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.2.5 via the 'contextblogmodalpopup' due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from passwor...

CVSS: 5.3 | AI score: 5.6 | EPSS: 0.00021
Exploits: 0 | References: 1

CVE
added 2026/02/19 4:36 a.m. | Views: 8

CVE-2025-13091

CVE-2025-13091 refers to the WordPress Shopire theme (Shopire) with versions up to and including 1.0.57, where a missing capability check in shopire_admin_install_plugin() allows authenticated users with Subscriber-level access and above to install the external plugin “fable-extra”, enabling unau...

CVSS: 4.3 | AI score: 5.5 | EPSS: 0.00017
Exploits: 0 | References: 6

Cvelist
added 2026/02/19 4:36 a.m. | Views: 25

CVE-2025-13091 Shopire <= 1.0.57 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install

The Shopire theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the shopireadmininstallplugin function in all versions up to, and including, 1.0.57. This makes it possible for authenticated attackers, with Subscriber-level access and above, ...

CVSS: 4.3 | EPSS: 0.00017
Exploits: 0 | References: 6

Cvelist
added 2026/02/19 3:25 a.m. | Views: 29

CVE-2025-12117 Renden <= 1.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title

The Renden theme for WordPress is vulnerable to Stored Cross-Site Scripting via the post title in all versions up to, and including, 1.8.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to...

CVSS: 6.4 | EPSS: 0.00043
Exploits: 0 | References: 3