CVE-2025-9163

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzezpropertyimgupload and houzezpropertyattachmentupload functions. This makes it possib...

WordPress Houzez plugin <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability

Unauthenticated Stored Cross-Site Scripting via SVG File Upload vulnerability discovered by Alex Thomas - Wordfence in WordPress Theme Houzez versions = 4.1.6...

WordPress Pool Services theme <= 3.3 - Server Side Request Forgery (SSRF) vulnerability

Server Side Request Forgery SSRF vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Pool Services versions = 3.3...

EUVD-2025-199798

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user-setrole function. This makes it possible for authenticated attackers, with Subscriber-level access...

CVE-2025-13680

CVE-2025-13680 affects the WordPress Tiger theme (versions up to and including 101.2.1). The vulnerability is an Authenticated Privilege Escalation where an attacker with Subscriber-level access or higher can exploit the plugin to elevate privileges via the $user-&gt;set_role() function, potentia...

CVE-2025-13675 Tiger <= 101.2.1 - Unauthenticated Privilege Escalation

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrato...

CVE-2025-13675 Tiger <= 101.2.1 - Unauthenticated Privilege Escalation

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrato...

PT-2025-48230

Name of the Vulnerable Software and Affected Versions Tiger theme for WordPress versions prior to 101.2.2 Description The Tiger theme for WordPress is susceptible to a privilege escalation issue. The paypal-submit.php file does not properly restrict user roles during registration. This allows...

EUVD-2025-199719

The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No...

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025)

Last week, there were 167 vulnerabilities disclosed in 152 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

CVE-2025-9163 Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzezpropertyimgupload and houzezpropertyattachmentupload functions. This makes it possib...

CVE-2025-9191 Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search

The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No...

PT-2025-48135

The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez property img upload and houzez property attachment upload functions. This makes it...

CVE-2025-10295

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-10295

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

EUVD-2025-158259

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-10295 Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2025-10295 Angel – Fashion Model Agency WordPress CMS Theme <= 3.2.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting

The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

PT-2025-46790

Name of the Vulnerable Software and Affected Versions Angel – Fashion Model Agency WordPress CMS Theme versions through 3.2.3 Description The software is susceptible to Stored Cross-Site Scripting in the profile media uploader. Insufficient input sanitization and output escaping allow authenticat...

WordPress Angel Theme <= 3.2.3 is vulnerable to Cross Site Scripting (XSS)

Software Angel Type Theme Vulnerable versions = 3.2.3 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2025-10295 Patch priority Medium CVSS severity Medium 6.5 Developer Claim ownership PSID 731931b06fd6 Credits WordFence Required privilege...