2105 matches found
WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Local File Inclusion
Software: KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme; Type: Theme; Vulnerable versions: <= 4.21.0; Fixed in: 4.22.0; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2025-6991; Patch priority: Low; CVSS severity: Low 7.5; Developer: EPC; PSID: 34bd1e68ee25; Credits: stealthcopt...
WordPress Jobmonster Theme <= 4.7.8 is vulnerable to Cross Site Scripting (XSS)
Software: Jobmonster; Type: Theme; Vulnerable versions: <= 4.7.8; Fixed in: 4.7.9; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-53201; Patch priority: Medium; CVSS severity: Medium 7.1; Developer: Claim ownership; PSID: 24486db3ae4e; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
CVE-2025-6222
The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'cedrnxorderexchangeattachfiles' function in all versions up to, and including, 3.2.6. This...
CVE-2025-31072
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Ofiz - WordPress Business Consulting Theme ofiz allows Reflected XSS. This issue affects Ofiz - WordPress Business Consulting Theme: from n/a through <= 2.0...
CVE-2025-5393
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the aloneimportpackrestoredata function in all versions up to, and including, 7.8.5. This makes it possible for unauthenticated...
CVE-2025-5394
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the aloneimportpackinstallplugin function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers ...
WordPress Theme Builder For Elementor plugin <= 1.2.3 - Cross Site Request Forgery (CSRF) Vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Theme Builder For Elementor versions <= 1.2.3...
CVE-2025-31422
Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme visual-arts allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through <= 2.4...
CVE-2025-31427
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme invico allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through <= 1.9...
CVE-2025-30955 WordPress ListingEasy theme <= 1.9.2 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes ListingEasy listingeasy allows Reflected XSS. This issue affects ListingEasy: from n/a through <= 1.9.2...
CVE-2025-31055
CVE-2025-31055 affects the WordPress theme “vergatheme Electrician - Electrical Service” (versions ≤ 1.0). Root cause: improper input neutralization during web page generation, yielding a reflected XSS. Impact: attacker can inject script to a user’s browser (network attack vector, UI: required, l...
CVE-2025-31055 WordPress Electrician - Electrical Service WordPress theme <= 1.0 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vergatheme Electrician - Electrical Service WordPress electrician allows Reflected XSS. This issue affects Electrician - Electrical Service WordPress: from n/a through <= 1.0...
CVE-2025-31072
CVE-2025-31072 is a reflected Cross-Site Scripting vulnerability in the Ofiz - WordPress Business Consulting Theme (designthemes) up to version 2.0. The issue stems from improper input neutralization during web page generation, enabling attacker-controlled input to be reflected in the page. The C...
CVE-2025-31422 WordPress Visual Art | Gallery WordPress Theme <= 2.4 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme visual-arts allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through <= 2.4...
CVE-2025-31427 WordPress Invico - WordPress Consulting Business Theme <= 1.9 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes Invico - WordPress Consulting Business Theme invico allows Reflected XSS. This issue affects Invico - WordPress Consulting Business Theme: from n/a through <= 1.9...
CVE-2025-52804 WordPress Nuss theme <= 1.3.7.1 - Broken Access Control Vulnerability
Missing Authorization vulnerability in uxper Nuss nuss allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Nuss: from n/a through <= 1.3.7.1...
CVE-2025-54033
CVE-2025-54033 affects the WordPress plugin family BlocksWP Theme Builder For Elementor / Theme Builder For Elementor. The vulnerability is a Cross-Site Request Forgery (CSRF) that could enable unintended actions by an authenticated user. Affected versions are 1.2.3 and earlier. The CVSS 3.1 vect...
WordPress Houzez Theme <= 4.0.4 is vulnerable to Broken Access Control
Software: Houzez; Type: Theme; Vulnerable versions: <= 4.0.4; Fixed in: 4.1.1; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-53997; Patch priority: Low; CVSS severity: Low 4.3; Developer: Claim ownership; PSID: d8d88cb889a1; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Hestia Theme <= 3.2.10 is vulnerable to Broken Access Control
Software: Hestia; Type: Theme; Vulnerable versions: <= 3.2.10; Fixed in: 3.2.11; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-53986; Patch priority: Low; CVSS severity: Low 5.3; Developer: Claim ownership; PSID: 41f2dbfe1ff2; Credits: Martino Spagnuolo r3verii; Required...