Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 491 | Critical: 71 | High: 142 | Medium: 278

Showing 1-20 of 491 records
Threat Entry Updated 2026-05-27

CVE-2026-6268 - Before 22 Theme

The EventPress WordPress theme before 22.2 does not sanitize or escape the 'id' parameter in the eventpress_customizer_notify_dismiss_action AJAX handler before outputting it back in the response, allowing unauthenticated attackers to perform Reflected Cross-Site Scripting attacks against logged-in users.

THEME Before 22

CVE-2026-6268

HIGH CVSS 7.1 2026-05-27
Threat Entry Updated 2026-05-22

CVE-2026-9018 - Easy Elements for Elementor – Addons & Website Templates Theme

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating the attacker-controlled `custom_meta` POST array and writing every supplied key-value pair to the newly created user's meta via `update_user_meta()` without any key whitelist or blocklist, allowing the `wp_capabilities` user meta key to be overwritten after `wp_insert_user()` has already assigned a safe role. This makes it possible for unauthenticated attackers to register…

THEME Easy Elements for Elementor – Addons & Website Templates

CVE-2026-9018

HIGH CVSS 8.8 2026-05-22
Threat Entry Updated 2026-05-22

CVE-2026-2518 - Fastx Theme

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultp_install_callback' and 'ultp_activate_callback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate the PostX plugin.

THEME Fastx

CVE-2026-2518

MEDIUM CVSS 4.3 2026-05-22
Threat Entry Updated 2026-05-21

CVE-2026-6279 - Avada (Fusion) Builder Theme

The Avada Builder (fusion-builder) plugin for WordPress is vulnerable to Unauthenticated Remote Code Execution via PHP Function Injection in versions up to and including 3.15.2. This is due to the `wp_conditional_tags` case in `Fusion_Builder_Conditional_Render_Helper::get_value()` passing attacker-controlled values from a base64-decoded JSON blob directly to `call_user_func()` without any allowlist validation. This is exploitable by unauthenticated attackers through the `fusion_get_widget_markup` AJAX endpoint, which is registered for non-privileged (unauthenticated) users via `wp_ajax_nopriv_fusion_get_widget_markup`. The endpoint is protected only by a nonce (`fusion_load_nonce`), but this nonce is generated for user ID 0 and is deterministically…

THEME Avada (Fusion) Builder

CVE-2026-6279

CRITICAL CVSS 9.8 2026-05-21
Threat Entry Updated 2026-05-21

CVE-2026-1543 - Avada (Fusion) Builder Theme

The Avada (Fusion) Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes in all versions up to, and including, 3.15.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user (typically an administrator) accesses a page displaying dynamic user data (such as via the Dynamic Data feature pulling user biographical information).

THEME Avada (Fusion) Builder

CVE-2026-1543

MEDIUM CVSS 6.4 2026-05-21
Threat Entry Updated 2026-05-20

CVE-2026-8423 - JaviBola Custom Theme Test

The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active theme by modifying the jbct_theme option via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

THEME JaviBola Custom Theme Test

CVE-2026-8423

MEDIUM CVSS 4.3 2026-05-20
Threat Entry Updated 2026-05-20

CVE-2026-7284 - Easy Elements for Elementor – Addons & Website Templates Theme

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyel_handle_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

THEME Easy Elements for Elementor – Addons & Website Templates

CVE-2026-7284

CRITICAL CVSS 9.8 2026-05-20
Threat Entry Updated 2026-05-19

CVE-2026-8073 - Kirki – Freeform Page Builder, Website Builder & Customizer Theme

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation and a missing capability check in the 'downloadZIP' function in all versions up to, and including, 6.0.6. This makes it possible for unauthenticated attackers to read and delete arbitrary files, limited to the WordPress uploads base directory.

THEME Kirki – Freeform Page Builder, Website Builder & Customizer

CVE-2026-8073

HIGH CVSS 7.5 2026-05-19
Threat Entry Updated 2026-05-19

CVE-2026-8096 - Kirki – Freeform Page Builder, Website Builder & Customizer Theme

The Kirki – Freeform Page Builder, Website Builder & Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.6. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to view all Kirki frontend forms and read stored visitor form submission data, including contact details, messages, and any other visitor-provided information submitted through site forms.

THEME Kirki – Freeform Page Builder, Website Builder & Customizer

CVE-2026-8096

MEDIUM CVSS 6.5 2026-05-19
Threat Entry Updated 2026-05-15

CVE-2026-6646 - The7 — Website and eCommerce Builder for WordPress Theme

The The7 theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'dt_default_button' shortcode in all versions up to, and including, 14.3.2. This is due to insufficient input sanitization and output escaping on the 'title' component of the 'link' shortcode parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME The7 — Website and eCommerce Builder for WordPress

CVE-2026-6646

MEDIUM CVSS 6.4 2026-05-15
Threat Entry Updated 2026-05-05

CVE-2026-6261 - Betheme

The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function workflow moving and unzipping user-controlled ZIP files into a public uploads directory without validating extracted file types. This makes it possible for authenticated attackers, with author-level access and above, to upload arbitrary files (including PHP) and achieve remote code execution via the Icons icon-pack upload flow.

THEME Betheme

CVE-2026-6261

HIGH CVSS 8.8 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-6262 - Betheme

The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function workflow using a user-controlled upload path (`mfn-icon-upload`) in a filesystem move operation without constraining it to the uploads directory. This makes it possible for authenticated attackers, with contributor-level access and above, to move/delete arbitrary local files via path traversal.

THEME Betheme

CVE-2026-6262

MEDIUM CVSS 6.5 2026-05-05
Threat Entry Updated 2026-05-05

CVE-2026-5077 - Total Theme

The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section.

THEME Total

CVE-2026-5077

MEDIUM CVSS 5.4 2026-05-02
Threat Entry Updated 2026-05-05

CVE-2026-6812 - Ona Theme

The Ona theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.26 via the ona_activate_child_theme function. This makes it possible for authenticated attackers, with administrator-level access and above, to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.

THEME Ona

CVE-2026-6812

MEDIUM CVSS 4.4 2026-05-02
Threat Entry Updated 2026-04-30

CVE-2026-2892 - Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE Theme

The Otter Blocks plugin for WordPress is vulnerable to Purchase Verification Bypass in all versions up to, and including, 3.1.4. This is due to the 'get_customer_data' method relying on an unsigned 'o_stripe_data' cookie to determine Stripe product ownership for unauthenticated users. The 'check_purchase' method trusts this cookie data without performing server-side verification against the Stripe API for one-time 'payment' mode purchases. This makes it possible for unauthenticated attackers to bypass Stripe purchase-gated content visibility conditions by forging the 'o_stripe_data' cookie with a target product ID, which is publicly exposed in…

THEME Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE

CVE-2026-2892

HIGH CVSS 7.5 2026-04-30
Threat Entry Updated 2026-04-28

CVE-2026-4805 - Woostify Theme

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0. This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated directly into a jQuery HTML string without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Woostify

CVE-2026-4805

MEDIUM CVSS 6.4 2026-04-28
Threat Entry Updated 2026-04-22

CVE-2026-5070 - Vantage Theme

The Vantage theme for WordPress is vulnerable to Stored Cross-Site Scripting via Gallery block text content in versions up to, and including, 1.20.32 due to insufficient output escaping in the gallery template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Vantage

CVE-2026-5070

MEDIUM CVSS 6.4 2026-04-16
Threat Entry Updated 2026-04-22

CVE-2026-1555 - Webstack Theme

The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Webstack

CVE-2026-1555

CRITICAL CVSS 9.8 2026-04-15
Threat Entry Updated 2026-04-24

CVE-2026-22523 - Ultra WordPress Admin Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Ultra WordPress Admin (ultra-admin) allows Reflected XSS. This issue affects Ultra WordPress Admin: from n/a through

THEME Ultra WordPress Admin

CVE-2026-22523

HIGH CVSS 7.1 2026-03-25
Threat Entry Updated 2026-04-22

CVE-2026-2294 - UiPress lite | Effortless custom dashboards, admin themes and pages

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings.

THEME UiPress lite | Effortless custom dashboards, admin themes and pages

CVE-2026-2294

MEDIUM CVSS 4.3 2026-03-21