46096 matches found
WordPress Yogi - Health Beauty & Yoga Theme <= 2.9.2 - Deserialization of untrusted data Vulnerability
WordPress Yogi - Health Beauty & Yoga Theme <= 2.9.2 - Deserialization of untrusted data Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Yogi - Health Beauty & Yoga versions <= 2.9.2...
WordPress WeMusic theme <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme WeMusic versions <= 1.9.1...
WordPress WeMusic Theme <= 1.9.1 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme WeMusic versions <= 1.9.1...
WordPress PenNews theme < 6.7.3 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme PenNews versions < 6.7.3...
WordPress MinimogWP theme <= 3.9.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme MinimogWP versions <= 3.9.6...
WordPress EduMall Theme < 4.4.5 - Local File Inclusion Vulnerability
Local File Inclusion Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme EduMall versions < 4.4.5...
WordPress Molla - Multipurpose Responsive Shopify theme <= 1.5.13 - Arbitrary Code Execution vulnerability
WordPress Molla - Multipurpose Responsive Shopify theme <= 1.5.13 - Arbitrary Code Execution vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Molla versions <= 1.5.13...
WordPress Druco <= 1.5.2 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Druco versions <= 1.5.2...
WordPress Riode | Multi-Purpose WooCommerce theme <= 1.6.23 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Riode | Multi-Purpose WooCommerce versions <= 1.6.23...
WordPress Doctreat theme <= 1.6.7 - Content Injection vulnerability
Content Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Doctreat versions <= 1.6.7...
WordPress Doctreat theme <= 1.6.7 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Doctreat versions <= 1.6.7...
WordPress Alone < 7.8.5 - Arbitrary Code Execution Vulnerability
Arbitrary Code Execution Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Alone versions < 7.8.5...
WordPress Alone Theme < 7.8.5 is vulnerable to Arbitrary Code Execution
Software: Alone | Type: Theme | Vulnerable versions: < 7.8.5 | Fixed in: 7.8.5 | OWASP Top 10: A3: Injection | Classification: Arbitrary Code Execution | CVE: CVE-2025-54019 | Patch priority: High | CVSS severity: High 6.5 | PSID: 50d5e97b9c8b | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...
WordPress UpStore Theme <= 1.7.0 is vulnerable to Cross Site Scripting (XSS)
Software: UpStore | Type: Theme | Vulnerable versions: <= 1.7.0 | Fixed in: 1.7.1 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-48296 | Patch priority: Medium | CVSS severity: Medium 7.1 | PSID: 78b49b9e10bc | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Druco Theme <= 1.5.2 is vulnerable to Cross Site Scripting (XSS)
Software: Druco | Type: Theme | Vulnerable versions: <= 1.5.2 | Fixed in: 1.5.3 | OWASP Top 10: A3: Injection | Classification: Cross Site Scripting (XSS) | CVE: CVE-2025-54055 | Patch priority: Medium | CVSS severity: Medium 7.1 | PSID: 5fecdac8e286 | Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...
WordPress Magic Edge – Lite plugin <= 1.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via height Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Magic Edge – Lite versions <= 1.1.6...
WordPress Image Gallery plugin <= 1.0.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Image Gallery versions <= 1.0.0...
WordPress All in One Time Clock Lite plugin <= 2.0 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin All in One Time Clock Lite versions <= 2.0...
WordPress ShortPixel Adaptive Images – WebP, AVIF, CDN, Image Optimization plugin <= 3.10.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via API URL vulnerability
Authenticated (Administrator+) Stored Cross-Site Scripting via API URL vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin ShortPixel Adaptive Images versions <= 3.10.4...
WordPress Medical Addon for Elementor plugin <= 1.6.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Typewriter Widget vulnerability discovered by zer0gh0st in WordPress Plugin Medical Addon for Elementor versions <= 1.6.3...
WordPress 360 Photo Spheres plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Chuck in WordPress Plugin 360 Photo Spheres versions <= 1.3...
WordPress Custom Word Cloud plugin <= 0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via angle Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via angle Parameter vulnerability discovered by muhammad yudha in WordPress Plugin Custom Word Cloud versions <= 0.3...
WordPress SEO Metrics plugin <= 1.0.15 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation vulnerability
Missing Authorization to Authenticated (Subscriber+) Privilege Escalation vulnerability discovered by kr0d in WordPress Plugin SEO Metrics versions <= 1.0.15...
WordPress WP CTA plugin <= 1.7.0 - Missing Authorization to Unauthenticated Sticky Status Update vulnerability
Missing Authorization to Unauthenticated Sticky Status Update vulnerability discovered by Sushi Com Abacate in WordPress Plugin WordPress CTA versions <= 1.7.0...
WordPress Preserve Code Formatting Plugin <= 4.0.1 - PHP Object Injection Vulnerability
PHP Object Injection Vulnerability discovered by Drew / mcdruid in WordPress Plugin Preserve Code Formatting versions <= 4.0.1...
WordPress GiveWP plugin < 4.6.1 - PII Sensitive Data Exposure vulnerability
PII Sensitive Data Exposure vulnerability discovered by kxkv in WordPress Plugin GiveWP versions < 4.6.1...
WordPress Blockspare plugin <= 3.2.13.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Image Slider Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via Image Carousel and Image Slider Widgets vulnerability discovered by Webbernaut in WordPress Plugin Blockspare versions <= 3.2.13.1...
WordPress Sina Extension for Elementor plugin <= 3.7.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via `Sina Posts`, `Sina Blog Post` and `Sina Table` Widgets vulnerability discovered by stealthcopter in WordPress Plugin Sina Extension for Elementor versions <= 3.7.0...
WordPress The Plus Addons for Elementor Page Builder Lite plugin <= 6.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin The Plus Addons for Elementor Page Builder Lite versions <= 6.3.10...
WordPress Contest Gallery plugin <= 26.1.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin Contest Gallery versions <= 26.1.0...
WordPress BerqWP plugin <= 2.2.42 - Unauthenticated Arbitrary File Upload vulnerability
Unauthenticated Arbitrary File Upload vulnerability discovered by mikemyers in WordPress Plugin BerqWP versions <= 2.2.42...
WordPress Service Finder SMS System plugin <= 2.0.0 - Unauthenticated Privilege Escalation vulnerability
Unauthenticated Privilege Escalation vulnerability discovered by Foxyyy in WordPress Plugin Service Finder SMS System versions <= 2.0.0...
WordPress HT Mega plugin <= 2.9.1 - Authenticated (Author+) Path Traversal to Limited Arbitrary CSS File Actions vulnerability
Authenticated (Author+) Path Traversal to Limited Arbitrary CSS File Actions vulnerability discovered by wesley wcraft in WordPress Plugin HT Mega versions <= 2.9.1...
WordPress NinjaScanner plugin <= 3.2.5 - Authenticated (Administrator+) Arbitrary File Deletion vulnerability
Authenticated (Administrator+) Arbitrary File Deletion vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin NinjaScanner versions <= 3.2.5...
WordPress HT Mega plugin <= 2.9.1 - Authenticated (Author+) Sensitive Information Exposure vulnerability
Authenticated (Author+) Sensitive Information Exposure vulnerability discovered by wesley wcraft in WordPress Plugin HT Mega versions <= 2.9.1...
WordPress HT Mega plugin <= 2.9.1 - Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions vulnerability
Improper Authorization to Authenticated (Contributor+) Limited Administrator Actions vulnerability discovered by wesley wcraft in WordPress Plugin HT Mega versions <= 2.9.1...
WordPress Benaa Framework plugin <= 4.0.0 - Authenticated (Subscriber+) Arbitrary File Upload
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Lucio Sá in WordPress Plugin Benaa Framework versions <= 4.0.0...
WordPress Benaa Framework plugin <= 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin Benaa Framework versions <= 4.0.0...
WordPress April Framework plugin <= 5.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Lucio Sá in WordPress Plugin April Framework versions <= 5.1...
WordPress April Framework plugin <= 5.1 - Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin April Framework versions <= 5.1...
WordPress April Framework plugin <= 5.1 - Authenticated (Subscriber+) Arbitrary File Upload
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Lucio Sá in WordPress Plugin April Framework versions <= 5.1...
WordPress Auteur Framework plugin <= 7.1 - Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin Auteur Framework versions <= 7.1...
WordPress Auteur Framework plugin <= 7.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Lucio Sá in WordPress Plugin Auteur Framework versions <= 7.1...
WordPress Auteur Framework plugin <= 7.1 - Authenticated (Subscriber+) Arbitrary File Upload
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Lucio Sá in WordPress Plugin Auteur Framework versions <= 7.1...
WordPress Benaa Framework plugin <= 4.0.0 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Lucio Sá in WordPress Plugin Benaa Framework versions <= 4.0.0...
WordPress Beyot Framework plugin <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting vulnerability discovered by Lucio Sá in WordPress Plugin Beyot Framework versions <= 6.0.6...
WordPress Beyot Framework plugin <= 6.0.6 - Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability
Missing Authorization to Authenticated (Subscriber+) Settings Updates vulnerability discovered by Lucio Sá in WordPress Plugin Beyot Framework versions <= 6.0.6...
WordPress Beyot Framework plugin <= 6.0.6 - Authenticated (Subscriber+) Arbitrary File Upload
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by Lucio Sá in WordPress Plugin Beyot Framework versions <= 6.0.6...
WordPress Super Store Finder Plugin <= 7.5 - SQL Injection Vulnerability
SQL Injection Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin Super Store Finder versions <= 7.5...
WordPress PressForward <= 5.9.4 - Server Side Request Forgery (SSRF) vulnerability
Server Side Request Forgery (SSRF) vulnerability discovered by 0xd4rk5id3 in WordPress Plugin PressForward versions <= 5.9.5...