CVE-2026-40753
CVE-2026-40753 affects the WordPress EasyMeals theme (versions ≤ 1.5.1). The vulnerability is an unauthenticated PHP Object Injection in EasyMeals, caused by unsafe object handling in the affected component. The published metrics indicate a high impact (CVSS v3.1: 8.1, HIGH) with network attack v...
CVE-2026-40749
The CVE covers the WordPress Charity Zone theme (versions <= 1.1.1) with a Subscriber Arbitrary File Upload vulnerability. The underlying issue enables arbitrary files to be uploaded due to insecure handling in Charity Zone
CVE-2026-40748
CVE-2026-40748 affects the WordPress Kids Gift Shop theme (versions ≤ 0.5.4). The vulnerability is described as an Arbitrary File Upload in the Subscriber context. Public details in connected sources indicate a very high severity CVSS v3.1 score (9.9, CRITICAL) with network access, low attack com...
CVE-2026-40747
CVE-2026-40747 affects the WordPress Ecommerce Zone theme (versions <= 0.9.7) and is an Arbitrary File Upload vulnerability. The connected documents confirm a subscriber Arbitrary File Upload issue in Ecommerce Zone
CVE-2026-40746
The CVE-2026-40746 entry concerns WordPress Theme Restaurant Zone (versions
CVE-2026-40735
Summary: CVE-2026-40735 concerns unauthenticated PHP Object Injection in WordPress Reina theme versions <= 2.1. The vulnerability is tied to the Reina plugin/theme codebase and is described as an unauthenticated PHP Object Injection, with CVSSv3.1 impact vector indicating high severity (8.1 ba...
CVE-2026-40731
CVE-2026-40731 documents an unauthenticated Local File Inclusion in the WordPress ChapterOne theme, version
CVE-2026-40726
CVE-2026-40726 affects the WordPress plugin User Registration Stripe (versions
CVE-2026-40725
CVE-2026-40725 affects the WordPress WooCommerce Product Filters plugin (versions
CVE-2026-40724
CVE-2026-40724 concerns the WordPress Client Portal (Pro) plugin, affected versions <= 5.6.2. The vulnerability is described as an Arbitrary File Download in CP Client Arbitrary File Download for Client Portal (Pro)
CVE-2026-40723
The advisory describes CVE-2026-40723 as a Broken Access Control issue in the WordPress Bricks Builder theme, affecting versions
CVE-2026-40721
CVE-2026-40721 affects WordPress Element Pack Pro plugin, <= 9.0.6, with a Local File Inclusion vulnerability. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) yields a base score of 7.5 (HIGH). Exploitation is reported as network-based with high attack complexity and requires no user...
CVE-2026-39597
This CVE covers an unauthenticated, reflected Cross Site Scripting (XSS) in the WordPress WPZOOM Addons for Elementor plugin (versions
CVE-2026-39596
The CVE covers WordPress Blocksy Companion Pro plugin, vulnerable in versions
CVE-2026-39595
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-39595 for W3 Total Cache plugin
CVE-2026-39589
CVE-2026-39589 affects the WordPress Webenvo theme
CVE-2026-39573
CVE-2026-39573: Unauthenticated PHP Object Injection in WordPress Mildhill theme <= 1.5. Affected component: Mildhill theme (WordPress). Root cause: PHP Object Injection vulnerability. Impact: high across confidentiality, integrity, and availability (CVSSv3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/...
CVE-2026-39582
CVE-2026-39582 affects the WordPress Hitek theme prior to version 1.8.3, with an unauthenticated Local File Inclusion vulnerability in the theme. The CVSSv3.1 score is 8.1 (HIGH), driven by network access, high attack complexity, no privileges required, and impacts to confidentiality, integrity, ...
CVE-2026-39558
CVE-2026-39558 is an unauthenticated Local File Inclusion vulnerability affecting WordPress Malmö theme
CVE-2026-39546
This CVE concerns the WordPress plugin MultiLoca (WooCommerce Multi-Locations Inventory Management) up to version 4.2.15, with a Subscriber Privilege Escalation vulnerability. The vulnerability is described as enabling a subscriber to escalate privileges, indicating a potential elevation from a l...
CVE-2026-39545
The CVE-2026-39545 entry affects the WordPress Zermatt theme (versions <= 1.6.1) and describes an unauthenticated PHP Object Injection vulnerability in Zermatt
CVE-2026-39537
CVE-2026-39537 concerns WordPress Mikado Core plugin versions
CVE-2026-34888
CVE-2026-34888 concerns the WordPress Bricksforge plugin (versions ≤ 3.1.8.4) with an unauthenticated sensitive data exposure vulnerability. The connected Patchstack entry specifies that it is a vulnerability in Bricksforge where sensitive data could be exposed without authentication, resulting i...
CVE-2026-27410
CVE-2026-27410 concerns WordPress Slimstat Analytics plugin prior to 5.4.0, with unauthenticated deserialization of untrusted data exposed by versions
CVE-2026-27400
CVE-2026-27400 affects the WordPress BookPro plugin; versions
CVE-2026-27041
CVE-2026-27041: Affected software is WordPress Unlimited Elements for Elementor – Premium, versions
CVE-2026-25446
CVE-2026-25446 affects the WordPress plugin Wishlist Member X (WishList Member X) up to version 3.29.0. The vulnerability is an authenticated Arbitrary File Upload that could enable a subscriber to upload arbitrary files on affected sites. According to the provided sources, this CVE is currently ...
CVE-2026-24611
CVE-2026-24611 affects WordPress MetForm Pro plugin (versions
CVE-2026-25439
CVE-2026-25439 affects the WordPress Booknetic plugin up to version 4.8.5, with unauthenticated broken authentication leading to account takeover. The CVSSv3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) yields a base score of 8.1 (HIGH). Documented impact includes high confidentiality, integrit...
CVE-2026-24610
CVE-2026-24610: A Broken Access Control vulnerability in WordPress MetForm Pro plugin (versions ≤ 3.9.1) potentially allows a subscriber to access restricted functionality. Public technical details are limited in the provided documents; Patchstack lists the issue, but no remediation version is st...
CVE-2026-24575
CVE-2026-24575 affects WordPress WishList Member X plugin
CVE-2026-22343
CVE-2026-22343 affects the WordPress Dating Theme (DA10) up to version 11.2.0, with an Unauthenticated Broken Access Control vulnerability. The connected records confirm an unauthenticated path to perform actions that should require authorization, indicating potential impact on...
CVE-2026-22342
CVE-2026-22342 affects WordPress Dating Theme (WordPress) versions
CVE-2026-22340
CVE-2026-22340: Unauthenticated SQL Injection in WordPress WPJobster theme
CVE-2026-22339
CVE-2026-22339 affects WordPress WPJobster theme
CVE-2026-22338
CVE-2026-22338: WordPress EcoBlue theme
CVE-2026-22334
CVE-2026-22334 concerns the WordPress Woocommerce Book Price plugin (<= 1.3). The vulnerability is an Arbitrary File Download that requires authentication (Subscriber level or higher). The CVE entry notes an authenticated path to download arbitrary files, with a base CVSS v3.1 score of 7.5 (HI...
CVE-2026-22335
CVE-2026-22335 affects WordPress WooCommerce Frontend Manager – Ultimate (wc-frontend-manager-ultimate) versions below 6.7.7. It is a SQL Injection vulnerability exploitable by an authenticated subscriber, with a CVSS base score of 8.5 per Patchstack (high impact: confidentiality) and 6....
CVE-2026-22332
CVE-2026-22332 covers an unauthenticated SQL injection in WordPress Tutor LMS Pro plugin versions up to 3.9.6. The CVE entry and Patchstack reference document this vulnerability (including a CVSS v3.1 base score of 9.3, CRITICAL) affecting Tutor LMS Pro <=3.9.6, with exploitation status not pr...
CVE-2026-22331
CVE-2026-22331: Unauthenticated Local File Inclusion in WordPress AutoParts theme (
CVE-2026-22330
CVE-2026-22330 describes an Unauthenticated Local File Inclusion vulnerability in the WordPress theme Right Way (version ≤ 4.0). The Patchstack entry and CVE listing confirm the flaw exists in this theme and is currently described as unpatched within the dataset. The CVSS/metrics indicate a high-...
CVE-2026-22329
CVE-2026-22329 is a WordPress Skillate theme vulnerability: unauthenticated, reflected cross-site scripting (XSS) affecting Skillate versions ≤ 1.2.10. Connected sources confirm the impact as a reflected XSS with unauthenticated access. No patch details are provided in the documents; remediation ...
CVE-2026-22328
CVE-2026-22328 corresponds to a reflected XSS in WordPress Theme Auto Repair <= 22.6, described as unauthenticated in the initial description and as reflected XSS in the product detail. CVSS shows network attack vector, no privileges required, low impact to confidentiality/integrity/availability,...
CVE-2026-22327
CVE-2026-22327: WordPress Restaurt theme
CVE-2026-22326
CVE-2026-22326: Unauthenticated Local File Inclusion in the WordPress theme Reprizo
CVE-2026-22325
CVE-2026-22325 — Local File Inclusion in WordPress Promo theme <= 1.3.0, unauthenticated. Affected: Promo (WordPress theme). Root cause: local file inclusion vulnerability enabling access to local files. Impact: high (CVE metrics show Confidentiality, Integrity, Availability all at High; CVSS ...
CVE-2026-9690
CVE-2026-9690 concerns the WordPress WP Media folder Addon plugin (versions <= 4.0.1). The vulnerability is an unauthenticated arbitrary file download, enabling an attacker to download arbitrary files from the affected site without authentication. The issue is associated with the WP Media fold...
CVE-2025-69179
Technical details (affected plugin version
CVE-2025-69173
CVE-2025-69173 affects the WordPress Tipsy theme (<= 1.1) with unauthenticated Local File Inclusion (LFI). Connected PT entries also list additional WordPress themes with similar LFI issues: Ingenioso (<= 1.14.0) and AirSupply (
CVE-2025-69172
Technical details for CVE-2025-69172 are not provided in the connected documents. The initial description notes an unauthenticated Local File Inclusion in Resurs theme