
2103 matches found

NVD
added 2025/10/31 8:15 a.m. | 3 views

CVE-2025-10897

The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read...

CVSS 8.6 | EPSS 0.16252
Exploits: 0 | References: 2

Vulnrichment
added 2025/10/31 6:42 a.m. | 4 views

CVE-2025-5397 Jobmonster - Job Board WordPress Theme <= 4.8.1 - Authentication Bypass

The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers...

CVSS 9.8 | AI score 5.8 | EPSS 0.00389
Exploits: 0 | References: 2

CVE
added 2025/10/31 6:42 a.m. | 20 views

CVE-2025-5397

The CVE-2025-5397 entry concerns the WordPress Noo JobMonster plugin/theme (Noo JobMonster) with an Authentication Bypass vulnerability reported in versions up to and including 4.8.1. The root cause is a failure in the check_login() function to properly verify a user’s identity before authenticat...

CVSS 9.8 | AI score 5.8 | EPSS 0.00389
In wild | Exploits: 0 | References: 2

EUVD
added 2025/10/31 6:42 a.m. | 2 views

EUVD-2025-37307

The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers...

CVSS 9.8 | AI score 5.7 | EPSS 0.00389
Exploits: 0 | References: 3

Vulnrichment
added 2025/10/29 8:38 a.m. | 5 views

CVE-2025-64286 WordPress WP Rentals theme <= 3.13.1 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in WpEstate WP Rentals wprentals allows Cross Site Request Forgery. This issue affects WP Rentals: from n/a through <= 3.13.1...

CVSS 4.3 | AI score 6.5 | EPSS 0.00015
Exploits: 0 | References: 1

Vulnrichment
added 2025/10/29 8:38 a.m. | 3 views

CVE-2025-64194 WordPress Eduma theme <= 5.7.6 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThimPress Eduma eduma allows Stored XSS. This issue affects Eduma: from n/a through <= 5.7.6...

CVSS 6.5 | AI score 5.6 | EPSS 0.0003
Exploits: 0 | References: 1

RedhatCVE
added 2025/10/27 1:32 p.m. | 4 views

CVE-2025-10737

The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVSS 6.4 | AI score 5 | EPSS 0.00032
Exploits: 0 | References: 1

RedhatCVE
added 2025/10/26 12:33 p.m. | 3 views

CVE-2025-11897

The The7 — Website and eCommerce Builder for WordPress theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘the7_fancy_title_css’ parameter in all versions up to, and including, 12.9.1 due to insufficient input sanitization and output escaping. This makes it possible for...

CVSS 6.4 | AI score 5 | EPSS 0.00032
Exploits: 0 | References: 1

NVD
added 2025/10/25 6:15 a.m. | 3 views

CVE-2025-10737

The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVSS 6.4 | EPSS 0.00032
Exploits: 0 | References: 2

EUVD
added 2025/10/25 5:31 a.m. | 2 views

EUVD-2025-35916

The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVSS 6.4 | AI score 4.7 | EPSS 0.00032
Exploits: 0 | References: 4

CVE
added 2025/10/25 5:31 a.m. | 13 views

CVE-2025-10737

The CVE-2025-10737 entry describes a stored XSS vulnerability in the Open Source Genesis Framework WordPress theme (versions up to 3.6.0) via shortcode attributes, exploitable by authenticated users with Contributor-level access and above. Wordfence notes this as CVSS 3.1 base score 6.4 (Medium) w...

CVSS 6.4 | AI score 4.8 | EPSS 0.00032
Exploits: 0 | References: 2

Cvelist
added 2025/10/25 5:31 a.m. | 7 views

CVE-2025-10737 Open Source Genesis Framework <= 3.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Shortcodes

The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticate...

CVSS 6.4 | EPSS 0.00032
Exploits: 0 | References: 2

Cvelist
added 2025/10/25 5:31 a.m. | 3 views

CVE-2025-8413 Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode

The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's soundcloud shortcode in version less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

CVSS 6.4 | EPSS 0.00032
Exploits: 0 | References: 2

Vulnrichment
added 2025/10/25 5:31 a.m. | 2 views

CVE-2025-8413 Listeo <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via soundcloud Shortcode

The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's soundcloud shortcode in version less than, or equal to, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

CVSS 6.4 | AI score 4.9 | EPSS 0.00032
Exploits: 0 | References: 2

Patchstack
added 2025/10/25 3:9 a.m. | 3 views

WordPress The7 theme <= 12.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css' vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'the7_fancy_title_css' vulnerability discovered by Muhammad Yudha - DJ in WordPress Theme The7 versions <= 12.9.1...

CVSS 6.4 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2025/10/25 12:0 a.m. | 2 views

PT-2025-43730

Name of the Vulnerable Software and Affected Versions: The7 — Website and eCommerce Builder for WordPress theme versions prior to 12.9.2. Description: The software is susceptible to a Stored Cross-Site Scripting issue because of inadequate input sanitization and output escaping. This allows...

CVSS 6.4 | AI score 5.5 | EPSS 0.00032
Exploits: 0 | References: 7

GithubExploit
added 2025/10/22 8:18 p.m. | 200 views

Exploit for CVE-2025-6758

Real Spaces - WordPress Properties Directory Theme ≤ 3.6...

CVSS 9.8 | AI score 7.5 | EPSS 0.00331
Exploits: 3

Cvelist
added 2025/10/22 2:32 p.m. | 11 views

CVE-2025-62029 WordPress Grevo theme <= 2.4 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themesion Grevo grevo. This issue affects Grevo: from n/a through <= 2.4...

CVSS 8.1 | EPSS 0.00133
Exploits: 0 | References: 1

Cvelist
added 2025/10/22 2:32 p.m. | 5 views

CVE-2025-60234 WordPress Single Property theme <= 2.8 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in designthemes Single Property single-property allows Object Injection. This issue affects Single Property: from n/a through <= 2.8...

CVSS 8.8 | EPSS 0.00113
Exploits: 0 | References: 1

Vulnrichment
added 2025/10/22 2:32 p.m. | 2 views

CVE-2025-59564 WordPress EduMall Theme < 4.4.5 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion. This issue affects EduMall: from n/a through 4.4.5...

CVSS 8.1 | AI score 6.7 | EPSS 0.00118
Exploits: 0 | References: 1