CVE-2025-59564 WordPress EduMall Theme < 4.4.5 - Local File Inclusion Vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeMove EduMall edumall allows PHP Local File Inclusion.This issue affects EduMall: from n/a through 4.4.5...

CVE-2025-58971 WordPress Doctreat theme <= 1.6.7 - Cross Site Scripting (XSS) Vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in AmentoTech Doctreat doctreat allows Reflected XSS.This issue affects Doctreat: from n/a through = 1.6.7...

CVE-2025-53229 WordPress RockON DJ theme <= 3.3 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in kamleshyadav RockON DJ rockon allows Reflected XSS.This issue affects RockON DJ: from n/a through = 3.3...

WordPress Theme Importer plugin cross-site request forgery vulnerability

WordPress Theme Importer plugin is mainly used to import website content such as pages, menus, images, etc. from other platforms or websites into WordPress for quick migration or rebuilding of websites. The WordPress Theme Importer plugin suffers from a cross-site request forgery vulnerability,...

WordPress Theme Editor plugin <= 3.0 - Cross-Site Request Forgery to Remote Code Execution vulnerability

Cross-Site Request Forgery to Remote Code Execution vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Theme Editor versions = 3.0...

WordPress Sale! Immigration law, Visa services support, Migration Agent Consulting theme <= 1.5.8 - Privilege Escalation vulnerability

Privilege Escalation vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Sale! Immigration law, Visa services support, Migration Agent Consulting versions = 1.5.8...

WordPress Sparkle FSE theme <= 1.0.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Denver Jackson in WordPress Theme Sparkle FSE versions = 1.0.9...

WordPress Construction Light theme <= 1.6.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Denver Jackson in WordPress Theme Construction Light versions = 1.6.7...

CVE-2025-10312

The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger...

CVE-2025-10706

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwpaddonsupdateplugincb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and...

CVE-2025-10706 Classified Pro <= 1.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwpaddonsupdateplugincb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and...

CVE-2025-10706

CVE-2025-10706 pertains to the Classified Pro WordPress theme. Wordfence and CVE records confirm a missing capability check in cwp_addons_update_plugin_cb across all versions

EUVD-2025-34723

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwpaddonsupdateplugincb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and...

CVE-2025-10706 Classified Pro <= 1.0.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwpaddonsupdateplugincb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with subscriber-level access and...

CVE-2025-10312

The Theme Importer plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation when processing form submissions in the theme-importer.php file. This makes it possible for unauthenticated attackers to trigger...

CVE-2025-6042

The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabiliti...

CVE-2025-6042

CVE-2025-6042 is a privilege-escalation vulnerability in the WordPress plugin Lisfinity Core (for pebas Lisfinity WordPress theme). Affected: all versions up to and including 1.4.0. Root cause: the plugin assigns the editor role by default and does not restrict API usage, enabling privilege escal...

CVE-2025-6042 Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme <= 1.4.0 - Unauthenticated Privilege Escalation to Editor

The Lisfinity Core - Lisfinity Core plugin used for pebas® Lisfinity WordPress theme plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations with respect to capabiliti...

CVE-2025-11746 XStore | Multipurpose WooCommerce Theme <= 9.5.4 - Authenticated (Subscriber+) Local File Inclusion

The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via theetajaxrequiredpluginspopup function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on t...

CVE-2025-8682

The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsupadmininfoinstallplugin function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin...