2105 matches found
CVE-2025-58244
CVE-2025-58244 (Constructo) is a CSRF-related vulnerability in the Constructo WordPress theme that, per the provided documents, allows object injection. Affected software ranges to Constructo versions up to 4.3.9. The CVE description and related references (including Wordfence summaries) confirm ...
CVE-2025-58259 WordPress Nokri Theme <= 1.6.4 - Cross Site Request Forgery (CSRF) Vulnerability
Cross-Site Request Forgery CSRF vulnerability in scriptsbundle Nokri nokri allows Cross Site Request Forgery.This issue affects Nokri: from n/a through = 1.6.4...
CVE-2025-58668
CVE-2025-58668 is a Missing Authorization vulnerability affecting WPLMS (WordPress-based Learning Management System). The CVE entry states impact on WPLMS versions up to 4.970, with a high-severity exposure. The available metrics indicate a network-exposed flaw with no required privileges, and no...
WordPress CouponXxL Theme <= 4.5.0 is vulnerable to Cross Site Request Forgery (CSRF)
Software CouponXxL Type Theme Vulnerable versions = 4.5.0 Fixed in N/A OWASP Top 10 A5: Security Misconfiguration Classification Cross Site Request Forgery CSRF CVE CVE-2025-58013 Patch priority Low CVSS severity Low 8.8 Developer Claim ownership PSID 7ea2a224d874 Credits Bonds Required privilege...
CVE-2025-10690
The Goza - Nonprofit Charity WordPress Theme is affected (versions
PT-2025-38501
Name of the Vulnerable Software and Affected Versions Goza - Nonprofit Charity WordPress Theme versions prior to and including 3.2.2 Description The Goza - Nonprofit Charity WordPress Theme is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the beplus import...
CVE-2025-8999
The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activatemodules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate...
CVE-2025-8999 Sydney <= 2.56 - Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update
The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activatemodules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate...
WordPress Logtik theme <= 2.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Logtik versions = 2.3...
WordPress Themia Lite Theme <= 1.5.0 is vulnerable to Sensitive Data Exposure
Software Themia Lite Type Theme Vulnerable versions = 1.5.0 Fixed in N/A OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2025-59003 Patch priority Low CVSS severity Low 5.8 Developer Claim ownership PSID 9716909e2868 Credits Legion Hunter Required privilege...
WordPress Compass Theme <= 1.1.4 is vulnerable to Sensitive Data Exposure
Software Compass Type Theme Vulnerable versions = 1.1.4 Fixed in N/A OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2025-59003 Patch priority Low CVSS severity Low 5.8 Developer Claim ownership PSID 702f7ac34caf Credits Legion Hunter Required privilege...
WordPress Poloray Theme <= 1.3.2 is vulnerable to Sensitive Data Exposure
Software Poloray Type Theme Vulnerable versions = 1.3.2 Fixed in N/A OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2025-59003 Patch priority Low CVSS severity Low 5.8 Developer Claim ownership PSID 5bedfaf94c3f Credits Legion Hunter Required privilege...
CVE-2025-10134
The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the aloneimportpackrestoredata function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete...
WordPress Jobify - Job Board WordPress Theme Theme <= 1.4.4 is vulnerable to Cross Site Scripting (XSS)
Software Jobify - Job Board WordPress Theme Type Theme Vulnerable versions = 1.4.4 Fixed in N/A OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2025-8318 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID edb43386dd8c Credits Muhammad...
CVE-2025-9113
The Doccure Core plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'doccuretempuploadtomedia' function in all versions up to, and including, 1.5.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected...
CVE-2025-9112
The Doccure theme for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'doccuretempfileuploader' function in all versions up to, and including, 1.5.0. This makes it possible for authenticated attackers, with subscriber-level and above permissions, to...
CVE-2025-7718
The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.5.4. This is due to the plugin not properly validating a user's identity prior to updating their details like email...
WordPress XStore theme < 9.6.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions 9.6.1...
WordPress XStore theme < 9.6.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Rafie Muhammad Patchstack in WordPress Theme XStore versions 9.6.1...
PT-2025-37042
Name of the Vulnerable Software and Affected Versions: Resideo Plugin for Resideo - Real Estate WordPress Theme versions prior to 2.5.5 Description: The Resideo Plugin for Resideo - Real Estate WordPress Theme plugin for WordPress is susceptible to privilege escalation via account takeover. The...