2105 matches found
Exploit for CVE-2025-5394
🚨 CVE-2025-5394 - Unauthenticated Arbitrary Plugin Upload in A...
WordPress WeMusic theme <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme WeMusic versions <= 1.9.1...
WordPress WeMusic Theme <= 1.9.1 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme WeMusic versions <= 1.9.1...
WordPress UpStore Theme <= 1.7.0 is vulnerable to Cross Site Scripting (XSS)
Software: UpStore; Type: Theme; Vulnerable versions: <= 1.7.0; Fixed in: 1.7.1; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-48296; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 78b49b9e10bc; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install
Threat actors are actively exploiting a critical security flaw in "Alone – Charity Multipurpose Non-profit WordPress Theme" to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and...
WordPress Exertio Theme <= 1.3.2 is vulnerable to PHP Object Injection
Software: Exertio; Type: Theme; Vulnerable versions: <= 1.3.2; Fixed in: 1.3.3; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-54686; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: d25a71f8c070; Credits: Aiden; Required privilege: Unauthenticated; Publishe...
WordPress SmilePure Theme < 1.8.5 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme SmilePure versions < 1.8.5...
WordPress Cook&Meal Theme <= 1.2.3 is vulnerable to Local File Inclusion
Software: Cook&Meal; Type: Theme; Vulnerable versions: <= 1.2.3; Fixed in: 1.2.4; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-48149; Patch priority: High; CVSS severity: High 8.1; Developer: Claim ownership; PSID: ab26fb7dc392; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress Blogger Buzz Theme <= 1.2.6 is vulnerable to Cross Site Scripting (XSS)
Software: Blogger Buzz; Type: Theme; Vulnerable versions: <= 1.2.6; Fixed in: 1.2.7; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-54680; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: b2b9bc739162; Credits: Peter Thaleikis; Required privilege...
WordPress Appzend theme <= 1.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via progressbarLayout Parameter vulnerability discovered by Peter Thaleikis in WordPress Theme Appzend versions <= 1.2.6...
CVE-2025-6989
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the deletefont function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete...
WordPress News Magazine X Theme <= 1.2.35 is vulnerable to Local File Inclusion
Software: News Magazine X; Type: Theme; Vulnerable versions: <= 1.2.35; Fixed in: N/A; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-24766; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: b88166b6f805; Credits: LVT-tholv2k; Required privilege...
WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Arbitrary File Deletion
Software: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme; Type: Theme; Vulnerable versions: <= 4.21.0; Fixed in: 4.22.0; OWASP Top 10: A3: Injection; Classification: Arbitrary File Deletion; CVE: CVE-2025-6989; Patch priority: Medium; CVSS severity: Medium 8.1; Developer: EPC; PSID: fbbebe81e3b7; Credits...
WordPress Platform Theme < 1.4.4 is vulnerable to Broken Access Control
Software: Platform; Type: Theme; Vulnerable versions: < 1.4.4; Fixed in: 1.4.4; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2015-10143; Patch priority: High; CVSS severity: High 9.8; Developer: Claim ownership; PSID: 04b827207d59; Credits: Marc-Alexandre Montpas; Required...
WordPress MediCenter - Health Medical Clinic Theme <= 15.1 is vulnerable to PHP Object Injection
Software: MediCenter - Health Medical Clinic; Type: Theme; Vulnerable versions: <= 15.1; Fixed in: 15.2; OWASP Top 10: A3: Injection; Classification: PHP Object Injection; CVE: CVE-2025-54014; Patch priority: High; CVSS severity: High 9.8; Developer: EPC; PSID: b489f4cff59c; Credits: Aiden; Required privilege...
WordPress MinimogWP Theme <= 3.9.0 is vulnerable to Content Injection
Software: MinimogWP; Type: Theme; Vulnerable versions: <= 3.9.0; Fixed in: 3.9.1; OWASP Top 10: A3: Injection; Classification: Content Injection; CVE: CVE-2025-8198; Patch priority: Low; CVSS severity: Low 7.5; Developer: Claim ownership; PSID: d80fff95e821; Credits: Valatty; Required privilege: Unauthenticated; Published ...
CVE-2025-5529 Educenter <= 1.6.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The Educenter theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Circle Counter Block in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and...
CVE-2015-10143
The CVE-2015-10143 entry concerns the Platform theme for WordPress prior to version 1.4.4, where a missing capability check in the _ajax_save_options() function allows unauthenticated modification of options. Affects the Platform theme (WordPress Platform) and enables updating arbitrary site opti...
WordPress Educenter Theme <= 1.6.2 is vulnerable to Cross Site Scripting (XSS)
Software: Educenter; Type: Theme; Vulnerable versions: <= 1.6.2; Fixed in: N/A; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-5529; Patch priority: Low; CVSS severity: Low 6.5; Developer: Claim ownership; PSID: 8465b696cfd2; Credits: Peter Thaleikis; Required privileg...
WordPress Cena Store Theme <= 2.11.26 is vulnerable to Local File Inclusion
Software: Cena Store; Type: Theme; Vulnerable versions: <= 2.11.26; Fixed in: 2.11.27; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-48171; Patch priority: High; CVSS severity: High 8.1; Developer: Claim ownership; PSID: 349bfe1912dd; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...