WordPress Xinterio Theme <= 4.2 is vulnerable to Local File Inclusion
Software: Xinterio; Type: Theme; Vulnerable versions: <= 4.2; Fixed in: 4.3; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-54690; Patch priority: High; CVSS severity: High 8.1; Developer: PBM Infotech Private Limited; PSID: c4ee256251ba; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Urna Theme <= 2.5.7 is vulnerable to Local File Inclusion
Software: Urna; Type: Theme; Vulnerable versions: <= 2.5.7; Fixed in: 2.5.8; OWASP Top 10: A3: Injection; Classification: Local File Inclusion; CVE: CVE-2025-54689; Patch priority: High; CVSS severity: High 8.1; PSID: 1413940e912e; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress Advanced Custom Fields plugin <= 3.5.1 - Remote Code Execution via Remote File Inclusion vulnerability
Remote Code Execution via Remote File Inclusion vulnerability discovered by Charlie Eriksen in WordPress Plugin Advanced Custom Fields versions <= 3.5.1...
WordPress Gutenverse plugin <= 3.1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Fun Fact Blocks vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Animated Text and Fun Fact Blocks vulnerability discovered by zer0gh0st in WordPress Plugin Gutenverse versions <= 3.1.0...
WordPress Reveal Listing plugin <= 3.3 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Alyudin Nafiie in WordPress Plugin Reveal Listing versions <= 3.3...
WordPress Betheme plugin <= 28.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Theme Betheme versions <= 28.1.3...
WordPress Element Pack Elementor Addons plugin <= 8.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Open Street Map Widget Marker Content vulnerability discovered by zer0gh0st in WordPress Plugin Element Pack Elementor Addons versions <= 8.1.5...
WordPress Zakra plugin <= 4.1.5 - Missing Authorization to Subscriber+ Demo Import vulnerability
Missing Authorization to Subscriber+ Demo Import vulnerability discovered by Dmitrii Ignatyev in WordPress Theme Zakra versions <= 4.1.5...
WordPress Request a Quote Form plugin <= 2.5.2 - Unauthenticated Limited Remote Code Execution vulnerability
Unauthenticated Limited Remote Code Execution vulnerability discovered by mikemyers in WordPress Plugin Request a Quote versions <= 2.5.2...
WordPress WPBakery Page Builder for WordPress plugin <= 8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by stealthcopter in WordPress Plugin WPBakery Page Builder versions <= 8.5...
WordPress FileBird – WordPress Media Library Folders & File Manager plugin <= 6.4.8 - Authenticated (Author+) SQL Injection vulnerability
Authenticated (Author+) SQL Injection vulnerability discovered by Kenneth Billones in WordPress Plugin Filebird versions <= 6.4.8...
WordPress WP Tournament Registration plugin <= 1.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via field Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via field Parameter vulnerability discovered by Gilang in WordPress Plugin WP Tournament Registration versions <= 1.3.0...
WordPress esri-map-view plugin <= 1.2.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via esri-map-view Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via esri-map-view Shortcode vulnerability discovered by Gilang in WordPress Plugin esri-map-view versions <= 1.2.3...
WordPress Flex Guten plugin <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via thumbnailHoverEffect Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via thumbnailHoverEffect Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Flex Guten versions <= 1.2.5...
WordPress Boldermail Plugin <= 2.4.0 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin Boldermail versions <= 2.4.0...
WordPress Seriously Simple Podcasting plugin <= 3.11.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by 63n0 in WordPress Plugin Seriously Simple Podcasting versions <= 3.11.1...
WordPress JetReviews plugin <= 3.0.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by stealthcopter in WordPress Plugin JetReviews versions <= 3.0.0...
WordPress Groundhogg plugin <= 4.2.2 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by 63n0 in WordPress Plugin Groundhogg versions <= 4.2.2...
WordPress Zakra Theme <= 4.1.5 is vulnerable to Broken Access Control
Software: Zakra; Type: Theme; Vulnerable versions: <= 4.1.5; Fixed in: 4.1.6; OWASP Top 10: A5: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-8595; Patch priority: Low; CVSS severity: Low 5.4; PSID: 7c24beb6f4b4; Credits: Dmitrii Ignatyev; Required privilege...
WordPress Betheme Theme <= 28.1.3 is vulnerable to Cross Site Scripting (XSS)
Software: Betheme; Type: Theme; Vulnerable versions: <= 28.1.3; Fixed in: 28.1.4; OWASP Top 10: A7: Cross-Site Scripting (XSS); Classification: Cross Site Scripting (XSS); CVE: CVE-2025-7399; Patch priority: Low; CVSS severity: Low 6.5; PSID: 9f439b9a2b5e; Credits: stealthcopter; Required privileg...
WordPress Download Counter plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via name Parameter vulnerability discovered by Gilang in WordPress Plugin Download Counter versions <= 1.3...
WordPress WP Import Export Lite plugin <= 3.9.29 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Vincent Fourcade vinceMatsui in WordPress Plugin WP Import Export Lite versions <= 3.9.29...
WordPress WP Import Export Lite plugin <= 3.9.28 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Vincent Fourcade vinceMatsui in WordPress Plugin WP Import Export Lite versions <= 3.9.28...
WordPress Employee Directory plugin <= 4.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Employee Directory – Staff Listing & Team Directory Plugin for WordPress versions <= 4.5.1...
WordPress Campus Directory plugin <= 1.9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Campus Directory versions <= 1.9.1...
WordPress Use-your-Drive plugin <= 3.3.1 - Unauthenticated Stored Cross-Site Scripting via File Metadata vulnerability
WordPress Use-your-Drive plugin <= 3.3.1 - Unauthenticated Stored Cross-Site Scripting via File Metadata vulnerability discovered by floerer in WordPress Plugin Use-your-Drive versions <= 3.3.1...
WordPress WP Easy Contact plugin <= 4.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via noaccess_msg Parameter vulnerability discovered by muhammad yudha in WordPress Plugin WP Easy Contact versions <= 4.0.1...
WordPress Mmm Unity Loader plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via attributes Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Mmm Unity Loader versions <= 1.0...
WordPress Qi Addons for Elementor plugin <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via TypeOut Text Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via TypeOut Text Widget vulnerability discovered by zer0gh0st in WordPress Plugin Qi Addons For Elementor versions <= 1.9.2...
WordPress Woffice Core plugin <= 5.4.26 - Authenticated (Contributor+) Arbitrary File Deletion vulnerability
Authenticated (Contributor+) Arbitrary File Deletion vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Woffice Core versions <= 5.4.26...
WordPress Ocean Social Sharing plugin <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Ocean Social Sharing versions <= 2.2.1...
WordPress Brave Conversion Engine (PRO) plugin <= 0.7.7 - Authentication Bypass to Administrator vulnerability
Authentication Bypass to Administrator vulnerability discovered by Thái An in WordPress Plugin Brave Conversion Engine (PRO) versions <= 0.7.7...
WordPress BitFire plugin <= 4.5 - Unauthenticated Information Exposure vulnerability
Unauthenticated Information Exposure vulnerability discovered by Aurélien BOURDOIS Elymaro in WordPress Plugin BitFire Security versions <= 4.5...
WordPress Ultimate Addons for Elementor - Lite plugin <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update vulnerability
WordPress Ultimate Addons for Elementor - Lite plugin <= 2.4.6 - Missing Authorization to Authenticated (Subscriber+) Limited Settings Update vulnerability discovered by Peter Thaleikis in WordPress Plugin Ultimate Addons for Elementor - Lite versions <= 2.4.6...
WordPress Sala theme <= 1.1.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Sala versions <= 1.1.3...
WordPress Shopo <= 1.1.4 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT in WordPress Theme Shopo versions <= 1.1.4...
WordPress Rosalinda theme <= 1.2.3 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Rosalinda versions <= 1.2.3...
WordPress Eventer plugin < 3.9.9.1 - Content Injection vulnerability
Content Injection vulnerability discovered by Bonds in WordPress Plugin Eventer versions < 3.9.9.1...
WordPress Renewal theme <= 1.2.2 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Renewal versions <= 1.2.2...
WordPress Pinevale theme <= 1.0.14 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Pinevale versions <= 1.0.14...
WordPress Katelyn theme <= 1.0.10 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Katelyn versions <= 1.0.10...
WordPress Giardino theme <= 1.1.10 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Giardino versions <= 1.1.10...
WordPress Shopo Theme <= 1.1.4 is vulnerable to Arbitrary File Upload
Software: Shopo; Type: Theme; Vulnerable versions: <= 1.1.4; Fixed in: N/A; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2025-31048; Patch priority: Medium; CVSS severity: Medium 9.9; PSID: 148bf5acafb9; Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress JetWooBuilder plugin <= 2.1.20.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by stealthcopter in WordPress Plugin JetWooBuilder versions <= 2.1.20.1...
WordPress JetBlog plugin <= 2.4.4.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by stealthcopter in WordPress Plugin JetBlog versions <= 2.4.4.1...
WordPress Wikipedia Preview plugin <= 1.15.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Wikipedia Preview versions <= 1.15.0...
WordPress JetElements For Elementor plugin <= 2.7.8 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by stealthcopter in WordPress Plugin JetElements For Elementor versions <= 2.7.8...
WordPress Javo Core plugin <= 3.0.0.266 - Arbitrary Code Execution vulnerability
Arbitrary Code Execution vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Javo Core versions <= 3.0.0.266...
WordPress UpStore <= 1.7.0 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme UpStore versions <= 1.7.0...
WordPress Yogi - Health Beauty & Yoga theme <= 2.9.2 - Cross Site Scripting (XSS) vulnerability
WordPress Yogi - Health Beauty & Yoga theme <= 2.9.2 - Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Yogi - Health Beauty & Yoga versions <= 2.9.2...