Avada < 7.13.2 - Cross-Site Request Forgery

Description The Avada theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to 7.13.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted...

WordPress AI Lab theme < 5.4.2 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme AI Lab versions 5.4.2...

WordPress Bricks Builder theme <= 2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by w41bu1 in WordPress Theme Bricks Builder versions = 2.2...

EUVD-2025-209463

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

WordPress Kids Gift Shop theme <= 0.5.4 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Theme Kids Gift Shop versions = 0.5.4...

CVE-2025-15470

The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akdrequiredplugincallback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVE-2026-1555

The WebStack WordPress theme is vulnerable to unauthenticated arbitrary file upload via the io_img_upload() function in all versions up to 1.2024. This allows attackers with no authentication to upload arbitrary files to the server, with the potential for remote code execution. Affected product: ...

CVE-2026-1555 WebStack <= 1.2024 - Unauthenticated Arbitrary File Upload

The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ioimgupload function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which...

PT-2026-32996

Name of the Vulnerable Software and Affected Versions WebStack versions prior to 1.2025 Description The WebStack theme for WordPress allows unauthenticated attackers to upload arbitrary files to the server. This is caused by a lack of file type validation within the io img upload function, which...

EUVD-2024-47052

The Scylla lite theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter within the theme's Button shortcode in all versions up to, and including, 1.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

WordPress WaveRide theme <= 1.4 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme WaveRide versions = 1.4...

WordPress Uppercase theme < 1.2.2 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Uppercase versions 1.2.2...

WordPress Mr. SEO theme <= 2.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Mr. SEO versions = 2.0...

CVE-2026-39714

CVE-2026-39714 describes a Missing Authorization (broken access control) vulnerability in G5Theme G5Plus April for WordPress, affecting versions up to 6.8. The root cause is misconfigured access control enabling unauthorized access (no privileges, no user interaction required) over network. The C...

CVE-2026-39640 WordPress Theme Editor plugin <= 3.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution vulnerability

Cross-Site Request Forgery CSRF vulnerability in mndpsingh287 Theme Editor theme-editor allows Code Injection.This issue affects Theme Editor: from n/a through = 3.2...

CVE-2026-39633 WordPress Grand Car Rental theme <= 3.6.9 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in ThemeGoods Grand Car Rental grandcarrental allows Cross Site Request Forgery.This issue affects Grand Car Rental: from n/a through = 3.6.9...

CVE-2026-39634

CVE-2026-39634 : CSRF in the ThemeGoods Grand Portfolio (WordPress theme, grandportfolio) affects versions up to 3.3. The connected docs confirm a CSRF issue but do not provide the explicit root cause details, exploit scenarios, or a remediation path. The CVSS v3.1 base score is 5.4 (Medium). No ...

CVE-2026-39635 WordPress Grand Magazine theme <= 3.5.5 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in ThemeGoods Grand Magazine grandmagazine allows Cross Site Request Forgery.This issue affects Grand Magazine: from n/a through = 3.5.5...

CVE-2026-39633

The CVE-2026-39633 entry concerns a Cross-Site Request Forgery (CSRF) vulnerability in the WordPress ThemeGoods Grand Car Rental theme (grandcarrental) up to version 3.6.9. Public descriptions across NVD, Red Hat, CVE List, ENISA EUVD, and other feeds consistently indicate CSRF as the issue and i...

CVE-2026-39629 WordPress Uminex theme <= 1.0.9 - Arbitrary Shortcode Execution vulnerability

Improper Neutralization of Script-Related HTML Tags in a Web Page Basic XSS vulnerability in kutethemes Uminex uminex allows Code Injection.This issue affects Uminex: from n/a through = 1.0.9...