Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total 470 (Critical 68, High 135, Medium 267)
Showing 1-20 of 470 records
CVE-2026-1555 - WebStack Theme

The WebStack theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the io_img_upload() function in all versions up to, and including, 1.2024. This makes it possible for unauthenticated attackers to upload arbitrary files to the affected site's server, which may make remote code execution possible.

THEME WebStack
CRITICAL · CVSS 9.8 · 2026-04-15 · Entry updated 2026-04-15
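The entry above describes a missing file type check, the class of bug that turns an image uploader into a web shell dropper. The following is an added example in plain PHP, not code from the WebStack theme: an upload handler in the shape of the defect beside a hardened one. The function names, the temporary files and the embedded 1x1 PNG are constructed for the demonstration.

```php
<?php
// Added example, not code from the WebStack theme. Models an io_img_upload()-style
// handler that trusts the client, next to a hardened handler. Function names,
// the sample files and the 1x1 PNG are constructed for the demonstration.
declare(strict_types=1);

// Vulnerable shape: the client-supplied filename decides the extension and the
// client-supplied MIME type (what $_FILES['type'] carries) is taken at face value,
// so "shell.php" sent as image/png lands in the upload directory as executable code.
function upload_vulnerable(string $clientName, string $clientMime, string $tmpPath, string $destDir): ?string
{
    if (strpos($clientMime, 'image/') !== 0) {
        return null;                                  // the only "validation"
    }
    $dest = $destDir . '/' . basename($clientName);
    return copy($tmpPath, $dest) ? $dest : null;
}

// Hardened shape: extension allowlist, content sniffing of the actual bytes,
// a decode test, and a server-generated filename.
function upload_hardened(string $clientName, string $tmpPath, string $destDir): ?string
{
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

    // 1. Extension must be on the allowlist (rejects .php, .phtml, .png.php, ...).
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;
    }
    // 2. Sniff the bytes with libmagic; never consult $_FILES['type'].
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($sniffed !== $allowed[$ext]) {
        return null;
    }
    // 3. The bytes must parse as an image, which PHP source with a fake header does not.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }
    // 4. Random name, allowlisted extension: the attacker never controls the path.
    $dest = $destDir . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return copy($tmpPath, $dest) ? $dest : null;
}

// --- demonstration with constructed inputs ---
$dir = sys_get_temp_dir() . '/upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

// constructed 1x1 transparent PNG and a constructed PHP web shell
$png = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
file_put_contents($dir . '/tmp-img', $png);
file_put_contents($dir . '/tmp-shell', '<?php system($_GET["c"]); ?>');

// The attacker's request: filename "shell.php", Content-Type "image/png".
printf("vulnerable, shell.php as image/png: %s\n", upload_vulnerable('shell.php', 'image/png', $dir . '/tmp-shell', $dir) ?? 'rejected');
printf("hardened,   shell.php:              %s\n", upload_hardened('shell.php', $dir . '/tmp-shell', $dir) ?? 'rejected');
printf("hardened,   shell.png (php bytes):  %s\n", upload_hardened('shell.png', $dir . '/tmp-shell', $dir) ?? 'rejected');
printf("hardened,   photo.png (real png):   %s\n", upload_hardened('photo.png', $dir . '/tmp-img', $dir) ?? 'rejected');

array_map('unlink', glob($dir . '/*'));
rmdir($dir);
```

The vulnerable handler writes shell.php into the destination directory; the hardened one rejects it on extension, rejects the renamed copy on content sniffing, and only stores the genuine PNG, under a name the attacker did not choose. In a real deployment the upload directory should additionally be served with PHP execution disabled, so that a bypass of the validation still does not yield code execution.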
CVE-2026-22523 - Ultra WordPress Admin Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themepassion Ultra WordPress Admin (ultra-admin) allows Reflected XSS. This issue affects Ultra WordPress Admin: from n/a through

THEME Ultra WordPress Admin
HIGH · CVSS 7.1 · 2026-03-25 · Entry updated 2026-03-30
CVE-2026-2294 - UiPress lite | Effortless custom dashboards, admin themes and pages Plugin

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'uip_save_global_settings' function in all versions up to, and including, 3.5.09. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary plugin settings.

PLUGIN UiPress lite | Effortless custom dashboards, admin themes and pages
MEDIUM · CVSS 4.3 · 2026-03-21 · Entry updated 2026-03-23
CVE-2026-27096 - ColorFolio - Freelance Designer WordPress Theme

Deserialization of Untrusted Data vulnerability in BuddhaThemes ColorFolio - Freelance Designer WordPress Theme allows Object Injection. This issue affects ColorFolio - Freelance Designer WordPress Theme: from n/a through 1.3.

THEME ColorFolio - Freelance Designer WordPress Theme
HIGH · CVSS 8.1 · 2026-03-19 · Entry updated 2026-03-19
CVE-2026-3231 - Checkout Field Editor (Checkout Manager) for WooCommerce Plugin

The Checkout Field Editor (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom radio and checkboxgroup field values submitted through the WooCommerce Block Checkout Store API in all versions up to, and including, 2.1.7. This is due to the `prepare_single_field_data()` method in `class-thwcfd-block-order-data.php` first escaping values with `esc_html()` and then immediately reversing the escaping with `html_entity_decode()` for radio and checkboxgroup field types, combined with a permissive `wp_kses()` allowlist in `get_allowed_html()` that explicitly permits the `` element with the `onchange` event handler attribute. This makes it…

PLUGIN Checkout Field Editor (Checkout Manager) for WooCommerce
HIGH · CVSS 7.2 · 2026-03-11 · Entry updated 2026-04-08
CVE-2026-1454 - Lead Form Builder & Contact Form Plugin

The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.0.1 via form field submissions. This is due to insufficient input sanitization in the lfb_lead_sanitize() function, which omits certain field types from its sanitization whitelist, combined with an overly permissive wp_kses() filter at output time that allows onclick attributes on anchor tags. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the lead…

PLUGIN Lead Form Builder & Contact Form
HIGH · CVSS 7.2 · 2026-03-11 · Entry updated 2026-03-11
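The two entries above (CVE-2026-3231 and CVE-2026-1454) share a pattern: the value is escaped and then decoded again, and the output-time tag allowlist keeps event-handler attributes. The following is an added example in plain PHP, not code from either plugin, that reproduces both defects with stand-ins for esc_html() and wp_kses(). esc(), filter_html() and the two sample submissions are constructed.

```php
<?php
// Added example covering CVE-2026-3231 and CVE-2026-1454; not code from either
// plugin. Plain-PHP stand-ins reproduce the two defects the advisories describe.
// esc(), filter_html() and the sample submissions are constructed.
declare(strict_types=1);

// Stand-in for esc_html().
function esc(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Defect 1: escape, then html_entity_decode(). The decode restores the original
// bytes, so the escape is a no-op and the stored value reaches the page unchanged.
function prepare_field_vulnerable(string $value): string
{
    return html_entity_decode(esc($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function prepare_field_fixed(string $value): string
{
    return esc($value);   // escape once, at output, and leave it escaped
}

// Defect 2: a wp_kses()-style allowlist. filter_html() keeps only allowlisted
// tags and, per tag, only allowlisted attributes; $allowed is the whole policy.
// Disallowed tags are neutralised by escaping them rather than stripped.
function filter_html(string $html, array $allowed): string
{
    return preg_replace_callback('/<(\/?)([a-zA-Z0-9]+)([^>]*)>/', function (array $m) use ($allowed): string {
        $tag = strtolower($m[2]);
        if (!isset($allowed[$tag])) {
            return esc($m[0]);
        }
        if ($m[1] === '/') {
            return '</' . $tag . '>';
        }
        $out = '<' . $tag;
        preg_match_all('/([a-zA-Z-]+)\s*=\s*"([^"]*)"/', $m[3], $pairs, PREG_SET_ORDER);
        foreach ($pairs as $p) {
            $name = strtolower($p[1]);
            if (!in_array($name, $allowed[$tag], true)) {
                continue;                                   // drops onclick unless allowlisted
            }
            $val = html_entity_decode($p[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if ($name === 'href' && preg_match('/^\s*javascript:/i', $val)) {
                continue;                                   // href is a URL context, not plain text
            }
            $out .= ' ' . $name . '="' . esc($val) . '"';
        }
        return $out . '>';
    }, $html);
}

// --- demonstration with constructed submissions ---
$submission = '<img src=x onerror=alert(document.cookie)>';
printf("escape-then-decode: %s\n", prepare_field_vulnerable($submission));
printf("escape only:        %s\n", prepare_field_fixed($submission));

$link       = '<a href="https://example.test" onclick="alert(1)">offer</a>';
$permissive = ['a' => ['href', 'onclick']];   // the shape of the defect: an on* attribute allowed
$strict     = ['a' => ['href']];
printf("permissive allowlist: %s\n", filter_html($link, $permissive));
printf("strict allowlist:     %s\n", filter_html($link, $strict));
```

The first pair of lines shows the escape being undone byte for byte; the second pair shows that the allowlist, not the filter function, decides whether onclick survives. When reviewing a wp_kses() call, grep its allowed-HTML array for any attribute name beginning with "on" and for href/src entries, since each of those is a script sink regardless of how the value was stored.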
CVE-2026-3534 - Astra Theme

The Astra theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `ast-page-background-meta` and `ast-content-background-meta` post meta fields in all versions up to, and including, 4.12.3. This is due to insufficient input sanitization on meta registration and missing output escaping in the `astra_get_responsive_background_obj()` function for four CSS-context sub-properties (`background-color`, `background-image`, `overlay-color`, `overlay-gradient`). This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Astra
MEDIUM · CVSS 6.4 · 2026-03-11 · Entry updated 2026-03-11
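The Astra entry is about a CSS context, which is the awkward case: inside a `<style>` block entities are not decoded, so HTML-escaping a colour or a url() either corrupts the value or does nothing useful, while an unescaped value can simply close the style element and open a script. The only robust approach is to validate each value against the grammar of its property and drop anything else. The following is an added example in plain PHP, not Astra code; the validators, the render function, the custom-property names and the sample meta are constructed.

```php
<?php
// Added example, not Astra code. Per-property validators for values that land in
// a CSS context, and a renderer that emits only validated values. Function names,
// the selector, the --overlay-* custom properties and the sample meta are constructed.
declare(strict_types=1);

// Colour: hex, rgb()/rgba() with numeric arguments, or a bare keyword.
function css_color(string $v): ?string
{
    $v = trim($v);
    if (preg_match('/^#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})$/i', $v)) {
        return strtolower($v);
    }
    if (preg_match('/^rgba?\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*(?:,\s*(?:0|1|0?\.\d+)\s*)?\)$/i', $v)) {
        return preg_replace('/\s+/', '', strtolower($v));
    }
    if (preg_match('/^[a-z]{3,20}$/i', $v)) {
        return strtolower($v);              // a bare keyword cannot leave the declaration
    }
    return null;
}

// Image: url("https://...") with a tight character set; no data:, no javascript:.
function css_image_url(string $v): ?string
{
    if (!preg_match('/^url\(\s*["\']?(https?:\/\/[A-Za-z0-9._~\-\/%?=&+#:]+)["\']?\s*\)$/', trim($v), $m)) {
        return null;
    }
    return 'url("' . $m[1] . '")';
}

// Gradient: linear-gradient(<direction>?, <color> <stop>?, ...) with every colour
// routed through css_color(), so the colour grammar is enforced here as well.
function css_gradient(string $v): ?string
{
    if (!preg_match('/^linear-gradient\((.+)\)$/is', trim($v), $m)) {
        return null;
    }
    $parts = preg_split('/,(?![^(]*\))/', $m[1]);   // commas outside rgb()/rgba()
    $out = [];
    foreach ($parts as $i => $part) {
        $part = trim($part);
        if ($i === 0 && preg_match('/^(?:\d{1,3}deg|to (?:top|bottom|left|right)(?: (?:top|bottom|left|right))?)$/', $part)) {
            $out[] = $part;
            continue;
        }
        if (!preg_match('/^(.+?)(?:\s+(\d{1,3}%))?$/', $part, $pm)) {
            return null;
        }
        $color = css_color($pm[1]);
        if ($color === null) {
            return null;
        }
        $out[] = $color . (isset($pm[2]) ? ' ' . $pm[2] : '');
    }
    return count($out) >= 2 ? 'linear-gradient(' . implode(', ', $out) . ')' : null;
}

// Build the declaration block only from validated values; invalid ones are dropped.
function render_background(array $meta): string
{
    $rules = [];
    if (($c = css_color($meta['background-color'] ?? '')) !== null)     { $rules[] = "background-color: $c"; }
    if (($u = css_image_url($meta['background-image'] ?? '')) !== null) { $rules[] = "background-image: $u"; }
    if (($o = css_color($meta['overlay-color'] ?? '')) !== null)        { $rules[] = "--overlay-color: $o"; }
    if (($g = css_gradient($meta['overlay-gradient'] ?? '')) !== null)  { $rules[] = "--overlay-gradient: $g"; }
    return $rules ? '.page-bg { ' . implode('; ', $rules) . '; }' : '';
}

// --- demonstration: constructed meta, one field carrying a style-block breakout ---
$meta = [
    'background-color' => '#FFEE00',
    'background-image' => 'url("https://cdn.example.test/bg.png")',
    'overlay-color'    => 'rgba(0, 0, 0, 0.5)',
    'overlay-gradient' => 'linear-gradient(to bottom, #000 0%, red} </style><script>alert(1)</script><style> 100%)',
];
echo render_background($meta), "\n";
```

The three well-formed values are normalised and emitted; the gradient is rejected as a whole because one of its colour stops fails css_color(), so the `</style><script>` sequence never reaches the page. Validation on write (when the meta is registered) and on read (when the CSS is generated) are both worth having: the first protects the database, the second protects the page against values that arrived by another route.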
CVE-2026-0953 - Tutor LMS Pro Plugin

The Tutor LMS Pro plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 3.9.5 via the Social Login addon. This is due to the plugin failing to verify that the email provided in the authentication request matches the email from the validated OAuth token. This makes it possible for unauthenticated attackers to log in as any existing user, including administrators, by supplying a valid OAuth token from their own account along with the victim's email address.

PLUGIN Tutor LMS Pro
CRITICAL · CVSS 9.8 · 2026-03-10 · Entry updated 2026-03-11
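The Tutor LMS Pro entry is a binding failure: the token proves that some provider account was authenticated, and a separate request field decides which local account to log into, with nothing tying the two together. The following is an added example in plain PHP, not the plugin's code. The user table, the token store, the claim shape and the function names are constructed.

```php
<?php
// Added example, not Tutor LMS Pro code. Models the Social Login defect: the
// token is validated, but the account lookup uses an email the client sent
// separately. Users, tokens, claims and function names are constructed.
declare(strict_types=1);

const USERS = [1 => 'admin@example.test', 2 => 'attacker@example.test'];

// Stand-in for "validated OAuth token": returns the provider's claims only for a
// token that really verifies. The attacker legitimately owns tok-attacker.
function validated_claims(string $token): ?array
{
    $store = [
        'tok-attacker' => ['iss' => 'https://idp.example.test', 'sub' => 'uid-42',
                           'email' => 'attacker@example.test', 'email_verified' => true],
    ];
    return $store[$token] ?? null;
}

function find_user_by_email(string $email): ?int
{
    foreach (USERS as $id => $e) {
        if (strcasecmp($e, $email) === 0) {
            return $id;
        }
    }
    return null;
}

// Vulnerable: the token proves "someone at the provider"; the email field in the
// request decides "which local user". The two are never tied together.
function social_login_vulnerable(string $token, string $requestEmail): ?int
{
    if (validated_claims($token) === null) {
        return null;
    }
    return find_user_by_email($requestEmail);
}

// Fixed: the identity comes from the token only. The request's email is at most a
// consistency check, and an unverified provider email is not usable as a key.
function social_login_fixed(string $token, string $requestEmail): ?int
{
    $claims = validated_claims($token);
    if ($claims === null || empty($claims['email_verified'])) {
        return null;
    }
    if (strcasecmp($claims['email'], $requestEmail) !== 0) {
        return null;                            // mismatch is an attack signal, not a typo
    }
    return find_user_by_email($claims['email']);
}

// --- demonstration ---
printf("vulnerable, own token + admin email: user %s\n", social_login_vulnerable('tok-attacker', 'admin@example.test') ?? 'none');
printf("fixed,      own token + admin email: user %s\n", social_login_fixed('tok-attacker', 'admin@example.test') ?? 'none');
printf("fixed,      own token + own email:   user %s\n", social_login_fixed('tok-attacker', 'attacker@example.test') ?? 'none');
```

The vulnerable path logs the attacker in as user 1. The safer design goes one step further than the fix shown: store the provider's (iss, sub) pair against the local account at link time and look users up by that, using the email only to bootstrap the first link and only when the provider marks it verified, because emails at a provider can change hands.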
CVE-2026-1073 - Purchase Button For Affiliate Link Plugin

The Purchase Button For Affiliate Link plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to missing nonce validation on the settings page form handler in `inc/purchase-btn-options-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN Purchase Button For Affiliate Link
MEDIUM · CVSS 4.3 · 2026-03-07 · Entry updated 2026-03-09
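A forged cross-site request arrives with the victim administrator's cookies, so the only thing that distinguishes it from a genuine form submission is a value the attacker's page cannot read: a nonce bound to the user, their session and the action. The following is an added example in plain PHP, not the plugin's code; create_nonce() and verify_nonce() mirror the shape of wp_create_nonce() and wp_verify_nonce() but are stand-ins, and the secret, the action name, the users and the requests are constructed.

```php
<?php
// Added example, not code from the Purchase Button For Affiliate Link plugin. A
// settings handler with the nonce check the advisory says is missing, beside the
// capability check that belongs next to it. Stand-ins for wp_create_nonce() /
// wp_verify_nonce(); secret, action name, users and requests are constructed.
declare(strict_types=1);

const NONCE_SECRET = 'constructed-secret-use-the-site-salts-in-production';
const NONCE_TICK   = 21600;   // 6 h; a nonce is valid for the current and the previous tick

function nonce_tick(int $now): int
{
    return intdiv($now, NONCE_TICK);
}

function nonce_for(int $tick, string $action, int $userId, string $session): string
{
    $mac = hash_hmac('sha256', "$tick|$action|$userId|$session", NONCE_SECRET);
    return substr($mac, -12, 10);
}

function create_nonce(string $action, int $userId, string $session, int $now): string
{
    return nonce_for(nonce_tick($now), $action, $userId, $session);
}

// Constant-time comparison, two ticks of validity. Because the value is bound to
// the user and session, a nonce the attacker obtained for their own account is
// useless when the victim admin's browser is the one sending the request.
function verify_nonce(string $nonce, string $action, int $userId, string $session, int $now): bool
{
    $tick = nonce_tick($now);
    return hash_equals(nonce_for($tick, $action, $userId, $session), $nonce)
        || hash_equals(nonce_for($tick - 1, $action, $userId, $session), $nonce);
}

// The options-page handler. $user models the logged-in user whose browser submits
// the form; $post models the POST body.
function save_settings(array $post, array $user, int $now): string
{
    if (!in_array('manage_options', $user['caps'], true)) {
        return 'forbidden: capability';            // authorisation: who may change settings
    }
    if (!verify_nonce((string) ($post['_nonce'] ?? ''), 'pbal_save_settings', $user['id'], $user['session'], $now)) {
        return 'forbidden: bad or missing nonce';  // intent: the forged cross-site request ends here
    }
    // settings would be sanitised and written here
    return 'saved: ' . ($post['button_text'] ?? '');
}

// --- demonstration ---
$now   = time();
$admin = ['id' => 1, 'caps' => ['manage_options'], 'session' => 'sess-admin-1'];
$sub   = ['id' => 7, 'caps' => ['read'],           'session' => 'sess-sub-7'];

// 1. forged request: the attacker's page auto-submits a form in the admin's browser;
//    the browser attaches the admin's cookies, but the attacker cannot read a nonce.
echo save_settings(['button_text' => 'evil'], $admin, $now), "\n";
// 2. genuine request from the settings page, which embedded a fresh nonce
$nonce = create_nonce('pbal_save_settings', $admin['id'], $admin['session'], $now);
echo save_settings(['button_text' => 'Buy now', '_nonce' => $nonce], $admin, $now), "\n";
// 3. a subscriber holding a nonce valid for themselves: the capability check still applies
$subNonce = create_nonce('pbal_save_settings', $sub['id'], $sub['session'], $now);
echo save_settings(['button_text' => 'x', '_nonce' => $subNonce], $sub, $now), "\n";
```

The two checks answer different questions and both are needed: the capability check is authorisation (CVE-2026-2294 and CVE-2026-3132 on this page are what its absence looks like), the nonce check is proof of intent (CVE-2026-1073 is what its absence looks like). In WordPress the equivalent calls are current_user_can() and check_admin_referer() or wp_verify_nonce(); the handler should also reject requests that are not POST.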
CVE-2026-28043 - Healer - Doctor, Clinic & Medical WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme (healer) allows PHP Local File Inclusion. This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through

THEME Healer - Doctor, Clinic & Medical WordPress Theme
CRITICAL · CVSS 9.8 · 2026-03-05 · Entry updated 2026-03-06
CVE-2026-27342 - TopFit - Fitness and Gym WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopFit - Fitness and Gym WordPress Theme (topfit) allows PHP Local File Inclusion. This issue affects TopFit - Fitness and Gym WordPress Theme: from n/a through

THEME TopFit - Fitness and Gym WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-09
CVE-2026-27341 - TopScorer - Sports WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme (topscorer) allows PHP Local File Inclusion. This issue affects TopScorer - Sports WordPress Theme: from n/a through

THEME TopScorer - Sports WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-06
CVE-2026-27340 - Apollo | Night Club, DJ Event WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme (apollo) allows PHP Local File Inclusion. This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through

THEME Apollo | Night Club, DJ Event WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-09
CVE-2026-27339 - Buzz Stone | Magazine & Viral Blog WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Buzz Stone | Magazine & Viral Blog WordPress Theme (buzzstone) allows PHP Local File Inclusion. This issue affects Buzz Stone | Magazine & Viral Blog WordPress Theme: from n/a through

THEME Buzz Stone | Magazine & Viral Blog WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-11
CVE-2026-27337 - Chronicle - Lifestyle Magazine & Blog WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme (chronicle) allows PHP Local File Inclusion. This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through

THEME Chronicle - Lifestyle Magazine & Blog WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-09
CVE-2026-27336 - Consultor | Consulting, Accounting & Legal Counsel WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme (consultor) allows PHP Local File Inclusion. This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through

THEME Consultor | Consulting, Accounting & Legal Counsel WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-09
CVE-2026-27326 - AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme (window-ac-services) allows PHP Local File Inclusion. This issue affects AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme: from n/a through

THEME AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-09
CVE-2026-27097 - CasaMia | Property Rental Real Estate WordPress Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme (casamia) allows PHP Local File Inclusion. This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through

THEME CasaMia | Property Rental Real Estate WordPress Theme
HIGH · CVSS 8.1 · 2026-03-05 · Entry updated 2026-03-09
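The nine entries from CVE-2026-28043 through CVE-2026-27097 are the same CWE-98 pattern in different themes: a request parameter selects the file handed to include or require. The following is an added example in plain PHP and not code from any of those themes; it shows the vulnerable shape and a resolver that closes it. The temporary template directory, the file contents and the function names are constructed.

```php
<?php
// Added example, not code from any theme listed above. Models the CWE-98 pattern
// the entries share and the resolver that closes it. The temporary template
// directory, file contents and function names are constructed.
declare(strict_types=1);

// Vulnerable: user input is concatenated into the include path. "../" walks out of
// the template directory, and any readable file (an upload, a log, php://filter
// output on older setups) is executed if it contains PHP and echoed if it does not.
function render_vulnerable(string $dir, string $template): string
{
    ob_start();
    include $dir . '/templates/' . $template;
    return (string) ob_get_clean();
}

// Fixed: the parameter is a slug, never a path. The file is looked up inside the
// template directory, canonicalised, and must still be inside it afterwards.
function resolve_template(string $dir, string $slug): ?string
{
    if (!preg_match('/^[a-z0-9_-]{1,64}$/', $slug)) {
        return null;                                    // no ".", "/", "\\", NUL, wrappers
    }
    $base = realpath($dir . '/templates');
    $path = realpath($dir . '/templates/' . $slug . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() follows symlinks, so a planted link out of the directory is caught too
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_fixed(string $dir, string $slug): ?string
{
    $path = resolve_template($dir, $slug);
    if ($path === null) {
        return null;
    }
    ob_start();
    include $path;
    return (string) ob_get_clean();
}

// --- demonstration with a constructed template directory ---
$dir = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir($dir . '/templates', 0700, true);
file_put_contents($dir . '/templates/header.php', '<?php echo "header template";');
file_put_contents($dir . '/secret.txt', 'contents of a file outside the template dir');

printf("vulnerable, header.php:    %s\n", render_vulnerable($dir, 'header.php'));
printf("vulnerable, ../secret.txt: %s\n", render_vulnerable($dir, '../secret.txt'));
printf("fixed, header:             %s\n", render_fixed($dir, 'header') ?? 'rejected');
printf("fixed, ../secret.txt:      %s\n", render_fixed($dir, '../secret.txt') ?? 'rejected');
printf("fixed, php://filter/...:   %s\n", render_fixed($dir, 'php://filter/convert.base64-encode/resource=header') ?? 'rejected');

unlink($dir . '/templates/header.php');
unlink($dir . '/secret.txt');
rmdir($dir . '/templates');
rmdir($dir);
```

The vulnerable renderer happily returns the contents of secret.txt; the fixed one rejects everything that is not a bare slug and, as a second line of defence, rejects anything that canonicalises to a path outside the template directory. An explicit map from slug to filename is stricter still and is the right choice when the set of templates is known in advance.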
CVE-2026-2583 - Blocksy Theme

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Blocksy
MEDIUM · CVSS 6.4 · 2026-03-02 · Entry updated 2026-03-03
CVE-2026-3132 - Master Addons for Elementor Premium Plugin

The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via 'JLTMA_Widget_Admin::render_preview'. This is due to a missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.

PLUGIN Master Addons for Elementor Premium
HIGH · CVSS 8.8 · 2026-03-02 · Entry updated 2026-03-02