"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 470 | Critical: 68 | High: 135 | Medium: 267
Showing 181-200 of 470 records
Threat Entry Updated 2025-08-08

CVE-2025-2798 - Woffice Crm Theme

The Woffice CRM theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 5.4.21. This is due to a misconfiguration of excluded roles during registration. This makes it possible for unauthenticated attackers to register with an Administrator role if a custom login form is being used. This can be combined with CVE-2025-2797 to bypass the user approval process if an Administrator can be tricked into taking an action such as clicking a link.

Theme: Woffice Crm | Severity: CRITICAL (CVSS 9.8) | 2025-04-04
Threat Entry Updated 2025-04-07

CVE-2025-3105 - Vehica Core Plugin (Vehica - Car Dealer & Listing Theme)

The Vehica Core plugin for WordPress, used by the Vehica - Car Dealer & Listing WordPress Theme, is vulnerable to privilege escalation in all versions up to, and including, 1.0.97. This is due to the plugin not properly validating user meta fields prior to updating them in the database. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator.

Theme: Vehica - Car Dealer & Listing | Severity: HIGH (CVSS 8.8) | 2025-04-04
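The pattern behind this entry, shown as an added illustration (this is not code from Vehica Core or any listed theme, and every demo_-prefixed name is hypothetical): a "save my profile" AJAX handler that writes whatever meta keys the client sends, beside one that iterates an allowlist of fields it owns. It runs inside WordPress, for example dropped into wp-content/mu-plugins/ on a throwaway site.

```php
<?php
/**
 * Plugin Name: demo-profile-meta (illustrative only, not from any listed theme)
 *
 * Vulnerable and hardened versions of a "save my profile" AJAX handler,
 * reachable at /wp-admin/admin-ajax.php?action=demo_save_profile[_vuln].
 */

// ---- VULNERABLE: writes every submitted key to usermeta ----------------------
add_action( 'wp_ajax_demo_save_profile_vuln', 'demo_save_profile_vuln' );

function demo_save_profile_vuln() {
    $user_id = get_current_user_id(); // any logged-in account, Subscriber included

    // Roles and capabilities are themselves user meta, stored under
    // {$wpdb->prefix}capabilities ("wp_capabilities" on a default install).
    // A request carrying meta[wp_capabilities][administrator]=1 therefore
    // rewrites the caller's role: update_user_meta() serializes the array and
    // WP_User reads it back as a full Administrator on the next request.
    foreach ( (array) $_POST['meta'] as $key => $value ) {
        update_user_meta( $user_id, $key, $value );
    }
    wp_send_json_success();
}

// ---- HARDENED: iterate an allowlist of owned fields, never the input ---------
add_action( 'wp_ajax_demo_save_profile', 'demo_save_profile' );

// Meta keys this feature owns, each paired with the sanitizer for its type.
// Capability and user-level keys can never appear here.
const DEMO_PROFILE_FIELDS = array(
    'demo_phone'   => 'sanitize_text_field',
    'demo_website' => 'esc_url_raw',
    'demo_bio'     => 'sanitize_textarea_field',
);

function demo_save_profile() {
    // CSRF protection; dies with HTTP 403 if the nonce is missing or stale.
    check_ajax_referer( 'demo_save_profile', '_wpnonce' );

    $user_id = get_current_user_id();
    // edit_user on one's own ID is granted to every role by map_meta_cap().
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }

    $meta = ( isset( $_POST['meta'] ) && is_array( $_POST['meta'] ) )
        ? wp_unslash( $_POST['meta'] )
        : array();

    $written = array();
    foreach ( DEMO_PROFILE_FIELDS as $key => $sanitizer ) {
        if ( ! array_key_exists( $key, $meta ) || ! is_scalar( $meta[ $key ] ) ) {
            continue; // unknown or non-scalar keys are ignored, not stored
        }
        update_user_meta( $user_id, $key, call_user_func( $sanitizer, (string) $meta[ $key ] ) );
        $written[] = $key;
    }

    wp_send_json_success( array( 'updated' => $written ) );
}
```

The decisive difference is the loop variable: the hardened version walks the allowlist and looks up the input, so a key the feature does not own is unreachable no matter how it is spelled. Role changes, where a feature genuinely needs them, belong behind the promote_users capability via WP_User::set_role(), never in a generic meta writer.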
Threat Entry Updated 2025-04-01

CVE-2025-2891 - Real Estate 7 Wordpress Theme

The Real Estate 7 theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'template-submit-listing.php' file in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with Seller-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible if front-end listing submission has been enabled.

Theme: Real Estate 7 Wordpress | Severity: HIGH (CVSS 8.8) | 2025-04-01
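An added illustration of a front-end "submit listing" image upload (not code from Real Estate 7; the demo_-prefixed names, the listing_image field and the admin-post actions are hypothetical): a handler that trusts the client's filename and skips type validation, beside one that lets WordPress validate the file and throws the client-chosen name away. It runs inside WordPress, for example as a mu-plugin on a test site, with a form posting to admin-post.php.

```php
<?php
/**
 * Plugin Name: demo-listing-upload (illustrative only, not from any listed theme)
 */

// ---- VULNERABLE ----------------------------------------------------------------
add_action( 'admin_post_demo_submit_listing_vuln', 'demo_submit_listing_vuln' );

function demo_submit_listing_vuln() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'login required', '', 401 ); // a Seller-level account is enough
    }
    $dir  = wp_upload_dir();
    $file = $_FILES['listing_image'];

    // No extension or content check, and the client's filename is kept verbatim:
    // "shell.php" is written under a web-served directory and then executes at
    // $dir['url'] . '/shell.php'.
    move_uploaded_file( $file['tmp_name'], $dir['path'] . '/' . $file['name'] );

    wp_safe_redirect( wp_get_referer() );
    exit;
}

// ---- HARDENED ------------------------------------------------------------------
add_action( 'admin_post_demo_submit_listing', 'demo_submit_listing' );

function demo_submit_listing() {
    check_admin_referer( 'demo_submit_listing' ); // form nonce in _wpnonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_die( 'not allowed', '', 403 );
    }
    if ( empty( $_FILES['listing_image']['tmp_name'] ) ) {
        wp_die( 'no file', '', 400 );
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';

    // Only raster image types a listing photo can legitimately be.
    $mimes = array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'webp'         => 'image/webp',
    );

    // With test_type enabled, wp_handle_upload() runs wp_check_filetype_and_ext():
    // the extension must be in $mimes and, where the fileinfo extension is
    // available, the sniffed content must agree, so shell.php, shell.phtml and a
    // PHP payload renamed to .jpg are all rejected. The callback replaces the
    // client-chosen basename with a random one.
    $result = wp_handle_upload( $_FILES['listing_image'], array(
        'test_form'                => false,
        'test_type'                => true,
        'mimes'                    => $mimes,
        'unique_filename_callback' => 'demo_random_filename',
    ) );

    if ( isset( $result['error'] ) ) {
        wp_die( esc_html( $result['error'] ), '', 400 );
    }

    // Register the file as an attachment owned by the submitter so it is managed
    // and deletable like any other media item.
    $attachment_id = wp_insert_attachment( array(
        'post_mime_type' => $result['type'],
        'post_title'     => sanitize_file_name( basename( $result['file'] ) ),
        'post_status'    => 'inherit',
        'post_author'    => get_current_user_id(),
    ), $result['file'] );

    wp_safe_redirect( add_query_arg( 'uploaded', (int) $attachment_id, wp_get_referer() ) );
    exit;
}

// Discard the client-supplied filename; $ext arrives with its leading dot.
function demo_random_filename( $dir, $name, $ext ) {
    return wp_generate_password( 16, false ) . $ext;
}
```

The default WordPress upload path already refuses PHP for everyone; these bugs appear when a theme bypasses it with move_uploaded_file() or passes 'test_type' => false. Randomizing the stored name additionally blocks the attacker from predicting the URL of whatever does get through.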
Threat Entry Updated 2025-03-28

CVE-2025-2294 - Kubio AI Page Builder Theme

The Kubio AI Page Builder plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.5.1 via the kubio_hybrid_theme_load_template function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

Theme: Kubio AI Page Builder | Severity: CRITICAL (CVSS 9.8) | 2025-03-28
Threat Entry Updated 2025-03-27

CVE-2025-2576 - Ayyash Studio — The kick-start kit Theme

The Ayyash Studio — The kick-start kit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Theme: Ayyash Studio — The kick-start kit | Severity: MEDIUM (CVSS 6.4) | 2025-03-26
Threat Entry Updated 2025-03-27

CVE-2025-0845 - DesignThemes Core Features

The DesignThemes Core Features plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in all versions up to, and including, 4.8 due to insufficient input sanitization and output escaping of user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Theme: DesignThemes Core Features | Severity: MEDIUM (CVSS 6.4) | 2025-03-25
Threat Entry Updated 2025-03-19

CVE-2024-13933 - Delivery Restaurant Directory Wordpress Theme

The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. This makes it possible for unauthenticated attackers to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options via a forged request granted they can trick a site administrator into performing an action such…

Theme: Delivery Restaurant Directory Wordpress Theme | Severity: HIGH (CVSS 8.8) | 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-12920 - Delivery Restaurant Directory Wordpress Theme

The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.

Theme: Delivery Restaurant Directory Wordpress Theme | Severity: HIGH (CVSS 8.8) | 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-13790 - High Converting Ecommerce Wordpress Theme

The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

Theme: High Converting Ecommerce Wordpress Theme | Severity: CRITICAL (CVSS 9.8) | 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-13412 - Cozystay Theme

The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to execute arbitrary actions.

Theme: Cozystay | Severity: HIGH (CVSS 7.5) | 2025-03-19
Threat Entry Updated 2025-03-19

CVE-2024-12922 - Altair Theme

The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Theme: Altair | Severity: CRITICAL (CVSS 9.8) | 2025-03-19
Threat Entry Updated 2025-03-28

CVE-2025-1771 - Traveler Theme

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'style' parameter of the 'hotel_alone_load_more_post' function. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.

Theme: Traveler | Severity: CRITICAL (CVSS 9.8) | 2025-03-15
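The Local File Inclusion pattern shared by this entry and the Kubio and MinimogWP entries above, as an added illustration (not code from Traveler, Kubio or MinimogWP; the demo_-prefixed names, the 'style' and 'page' parameters and the template filenames are hypothetical): a "load more posts" AJAX handler that lets the client name the template file, beside one that maps a client-supplied key onto a fixed set of theme files. It runs inside WordPress, for example as a mu-plugin on a test site.

```php
<?php
/**
 * Plugin Name: demo-load-more (illustrative only, not from any listed theme)
 */

// ---- VULNERABLE ----------------------------------------------------------------
add_action( 'wp_ajax_nopriv_demo_load_more_vuln', 'demo_load_more_vuln' );
add_action( 'wp_ajax_demo_load_more_vuln',        'demo_load_more_vuln' );

function demo_load_more_vuln() {
    $style = $_POST['style']; // meant to be "grid" or "list"
    $query = new WP_Query( array(
        'posts_per_page' => 10,
        'paged'          => max( 1, (int) ( $_POST['page'] ?? 1 ) ),
    ) );

    while ( $query->have_posts() ) {
        $query->the_post();
        // The client controls a path segment and nothing pins the suffix.
        // style=../../../uploads/2025/03/avatar.jpg leaves the theme directory,
        // and PHP executes any <?php ... ?> block in the included file whatever
        // its extension, which is why these entries pair the bug with an image
        // upload. Appending ".php" here would only shrink the reachable set to
        // other PHP files on disk; it would not fix the bug.
        include get_theme_file_path( 'template-parts/' . $style );
    }
    wp_reset_postdata();
    wp_die();
}

// ---- HARDENED ------------------------------------------------------------------
add_action( 'wp_ajax_nopriv_demo_load_more', 'demo_load_more' );
add_action( 'wp_ajax_demo_load_more',        'demo_load_more' );

// The client sends a key; the theme decides which file that key means.
const DEMO_CARD_TEMPLATES = array(
    'grid'    => 'template-parts/card-grid.php',
    'list'    => 'template-parts/card-list.php',
    'compact' => 'template-parts/card-compact.php',
);

function demo_load_more() {
    $style = isset( $_POST['style'] ) ? sanitize_key( wp_unslash( $_POST['style'] ) ) : 'grid';
    if ( ! isset( DEMO_CARD_TEMPLATES[ $style ] ) ) {
        wp_send_json_error( 'unknown style', 400 );
    }

    // The allowlist is the fix; the realpath check is defence in depth so that a
    // later refactor which reintroduces user input still cannot escape the theme.
    $template = demo_confined_theme_file( DEMO_CARD_TEMPLATES[ $style ] );
    if ( ! $template ) {
        wp_send_json_error( 'template missing', 404 );
    }

    $query = new WP_Query( array(
        'posts_per_page' => 10,
        'paged'          => isset( $_POST['page'] ) ? max( 1, absint( $_POST['page'] ) ) : 1,
    ) );
    while ( $query->have_posts() ) {
        $query->the_post();
        include $template;
    }
    wp_reset_postdata();
    wp_die();
}

// Resolve a theme-relative path and return it only if it lies inside the child
// or parent theme directory; false otherwise.
function demo_confined_theme_file( $relative ) {
    $resolved = realpath( get_theme_file_path( $relative ) );
    if ( false === $resolved ) {
        return false;
    }
    foreach ( array( get_stylesheet_directory(), get_template_directory() ) as $root ) {
        $root = realpath( $root );
        if ( $root && 0 === strpos( $resolved, $root . DIRECTORY_SEPARATOR ) ) {
            return $resolved;
        }
    }
    return false;
}
```

A public load-more endpoint is legitimate, so the hardened handler keeps the nopriv hook; what changes is that the request selects from a closed menu instead of naming a path. sanitize_key() alone would also have stopped the traversal (it strips dots and slashes), but relying on a sanitizer to keep a path safe is exactly the kind of implicit contract that breaks during refactoring.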
Threat Entry Updated 2025-03-28

CVE-2025-1773 - Traveler Theme

The Traveler theme for WordPress is vulnerable to Reflected Cross-Site Scripting via multiple parameters in all versions up to, and including, 3.1.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Theme: Traveler | Severity: MEDIUM (CVSS 6.1) | 2025-03-15
Threat Entry Updated 2025-03-27

CVE-2024-13773 - Civi Theme

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4 via hard-coded credentials. This makes it possible for unauthenticated attackers to extract sensitive data including LinkedIn client and secret keys.

Theme: Civi | Severity: HIGH (CVSS 7.3) | 2025-03-14
Threat Entry Updated 2025-03-28

CVE-2024-13771 - Civi Theme

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.

Theme: Civi | Severity: CRITICAL (CVSS 9.8) | 2025-03-14
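An added illustration of the password-change flaw described here (not code from Civi; the demo_-prefixed names, the /reset/ page and the request fields are hypothetical): a handler whose only binding between request and account is the username, beside the two-step flow WordPress itself provides, where a random emailed key proves control of the account. The same rule covers the social-login variant in CVE-2024-13772 further down: the secret that authorizes a login must come from the server or a verified provider, never from the request body. It runs inside WordPress, for example as a mu-plugin on a test site.

```php
<?php
/**
 * Plugin Name: demo-password-reset (illustrative only, not from any listed theme)
 */

// ---- VULNERABLE: the username is the only "proof" ------------------------------
add_action( 'wp_ajax_nopriv_demo_reset_password_vuln', 'demo_reset_password_vuln' );

function demo_reset_password_vuln() {
    // Login names are public (author archives, REST /wp/v2/users, comment
    // bylines), so anyone can name an administrator here and set a password.
    $user = get_user_by( 'login', $_POST['username'] );
    if ( $user ) {
        wp_set_password( $_POST['new_password'], $user->ID );
    }
    wp_send_json_success();
}

// ---- HARDENED step 1: request a key, reveal nothing ---------------------------
add_action( 'wp_ajax_nopriv_demo_request_reset', 'demo_request_reset' );

function demo_request_reset() {
    $login = isset( $_POST['user_login'] ) ? sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) : '';
    $user  = ( false !== strpos( $login, '@' ) ) ? get_user_by( 'email', $login ) : get_user_by( 'login', $login );

    if ( $user ) {
        // Random token; WordPress stores only its hash with a timestamp and
        // expires it after PASSWORD_RESET_EXPIRATION (24h by default).
        $key = get_password_reset_key( $user );
        if ( ! is_wp_error( $key ) ) {
            $url = add_query_arg(
                array( 'key' => $key, 'login' => rawurlencode( $user->user_login ) ),
                home_url( '/reset/' )
            );
            wp_mail( $user->user_email, 'Password reset request', "Reset your password here:\n" . $url );
        }
    }

    // Identical response whether or not the account exists: no user enumeration.
    wp_send_json_success( 'If that account exists, a reset link has been sent.' );
}

// ---- HARDENED step 2: the key, not the login name, authorizes the change ---------
add_action( 'wp_ajax_nopriv_demo_do_reset', 'demo_do_reset' );

function demo_do_reset() {
    $key   = isset( $_POST['key'] )   ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $login = isset( $_POST['login'] ) ? sanitize_user( wp_unslash( $_POST['login'] ) )     : '';

    // Verifies the hashed key for exactly this login and rejects expired keys.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'invalid or expired key', 403 );
    }

    $new = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    // Sets the new hash, deletes the reset key and fires the core password_reset
    // and after_password_reset hooks, so other plugins see a normal reset.
    reset_password( $user, $new );
    wp_send_json_success();
}
```

Custom front-end login and reset forms are common in marketplace themes; the safe way to build them is to keep the core primitives (get_password_reset_key, check_password_reset_key, reset_password) and change only the presentation. Add rate limiting on the request step, since the response deliberately leaks nothing and an attacker may otherwise flood mailboxes.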
Threat Entry Updated 2025-03-27

CVE-2024-12810 - Job Board Responsive Wordpress Theme

The JobCareer | Job Board Responsive WordPress Theme theme for WordPress is vulnerable to unauthorized access, modification, and loss of data due to missing capability checks on multiple functions in all versions up to, and including, 7.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, generate backups, restore backups, update theme options, and reset theme options to default settings.

Theme: Job Board Responsive Wordpress Theme | Severity: HIGH (CVSS 8.8) | 2025-03-14
Threat Entry Updated 2025-06-17

CVE-2024-13772 - Civi Theme

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.6.1. This is due to a lack of password randomization and user validation through the fb_ajax_login_or_register and google_ajax_login_or_register actions. This makes it possible for unauthenticated attackers to log in as any user as long as they have access to the email.

Theme: Civi | Severity: MEDIUM (CVSS 5.6) | 2025-03-14
Threat Entry Updated 2025-03-24

CVE-2025-1526 - Dethemekit For Elementor

The DethemeKit for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the De Product Display Widget (countdown feature) in all versions up to, and including, 2.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Theme: Dethemekit For Elementor | Severity: MEDIUM (CVSS 6.4) | 2025-03-14
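The stored XSS pattern shared by this entry and the DesignThemes Core Features entry above, as an added illustration (not code from DethemeKit or DesignThemes; the demo_-prefixed shortcode names and attributes are hypothetical): a countdown-style shortcode that echoes its attributes raw, beside one that validates each attribute to its expected shape and escapes for the context it lands in. It runs inside WordPress, for example as a mu-plugin on a test site.

```php
<?php
/**
 * Plugin Name: demo-countdown-shortcode (illustrative only, not from any listed theme)
 */

// ---- VULNERABLE ----------------------------------------------------------------
add_shortcode( 'demo_countdown_vuln', 'demo_countdown_vuln' );

function demo_countdown_vuln( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => 'countdown', 'end' => '', 'title' => '' ), $atts );

    // A Contributor lacks unfiltered_html, so KSES strips <script> and on*
    // handlers from the post body, but the text inside [shortcode ...] brackets
    // is not HTML and passes through untouched. Echoing attributes raw reopens
    // the door:
    //   [demo_countdown_vuln class='x" onmouseover="alert(document.cookie)' end="2030-01-01"]
    // renders an event handler that fires for every visitor, including the
    // editor or administrator who previews the pending post.
    return '<div class="' . $atts['class'] . '" data-end="' . $atts['end'] . '">'
         . '<h3>' . $atts['title'] . '</h3>' . $content . '</div>';
}

// ---- HARDENED ------------------------------------------------------------------
add_shortcode( 'demo_countdown', 'demo_countdown' );

function demo_countdown( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'class' => 'countdown', 'end' => '', 'title' => '' ), $atts, 'demo_countdown' );

    // Validate to the expected shape first ...
    $class = sanitize_html_class( $atts['class'], 'countdown' );                 // [A-Za-z0-9_-] only
    $end   = preg_match( '/^\d{4}-\d{2}-\d{2}$/', $atts['end'] ) ? $atts['end'] : '';
    $title = sanitize_text_field( $atts['title'] );

    // ... allow nested content only the HTML a post may contain ...
    $body = wp_kses_post( do_shortcode( $content ) );

    // ... then escape each value for the exact context it is written into.
    return sprintf(
        '<div class="%s" data-end="%s"><h3>%s</h3>%s</div>',
        esc_attr( $class ),
        esc_attr( $end ),
        esc_html( $title ),
        $body
    );
}
```

The two-layer approach matters: validation (sanitize_html_class, the date regex) rejects values that make no sense for the attribute, and escaping (esc_attr, esc_html) neutralizes whatever survives for the attribute or text context it lands in. Skipping either layer is how a Contributor's attribute value becomes code in an administrator's browser.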
Threat Entry Updated 2025-03-21

CVE-2024-13824 - Ciyashop Multipurpose Woocommerce Theme

The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed…

Theme: Ciyashop Multipurpose Woocommerce Theme | Severity: CRITICAL (CVSS 9.8) | 2025-03-14
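The deserialization sink behind this entry, as an added illustration (not code from CiyaShop; the demo_-prefixed names and the demo_wishlist cookie are hypothetical): a wishlist read with unserialize() from a client-controlled cookie, beside a version that carries the same data as JSON and validates every element. It runs inside WordPress, for example as a mu-plugin on a test site.

```php
<?php
/**
 * Plugin Name: demo-wishlist-cookie (illustrative only, not from any listed theme)
 */

// ---- VULNERABLE ----------------------------------------------------------------
function demo_get_wishlist_vuln() {
    if ( empty( $_COOKIE['demo_wishlist'] ) ) {
        return array();
    }
    // The cookie is attacker-controlled, so the serialized payload can name any
    // class loaded on the site. PHP instantiates it and runs its __wakeup() and
    // later __destruct(); with a gadget ("POP") chain from some other plugin or
    // theme that means file writes or code execution. Without a chain the sink is
    // still the bug: the next plugin install can supply the chain.
    return unserialize( stripslashes( $_COOKIE['demo_wishlist'] ) );
}

// ---- HARDENED ------------------------------------------------------------------
// A wishlist is a list of product IDs; it never needs objects. Transport it as
// JSON, decode to plain arrays, and validate each element.
function demo_get_wishlist() {
    if ( empty( $_COOKIE['demo_wishlist'] ) ) {
        return array();
    }
    $decoded = json_decode( wp_unslash( $_COOKIE['demo_wishlist'] ), true );
    if ( ! is_array( $decoded ) ) {
        return array();
    }
    return demo_normalize_ids( $decoded );
}

function demo_set_wishlist( array $ids ) {
    // setcookie() with an options array needs PHP 7.3+.
    setcookie( 'demo_wishlist', wp_json_encode( demo_normalize_ids( $ids ) ), array(
        'expires'  => time() + MONTH_IN_SECONDS,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ) );
}

// Positive integers only, deduplicated, capped so a hostile cookie cannot
// turn the wishlist into an unbounded query.
function demo_normalize_ids( array $ids ) {
    $ids = array_filter( array_map( 'absint', $ids ) );
    return array_slice( array_values( array_unique( $ids ) ), 0, 100 );
}

// If a legacy serialized cookie must still be read during a migration, forbid
// objects outright: unserialize( $raw, array( 'allowed_classes' => false ) )
// turns every object into __PHP_Incomplete_Class, whose magic methods never run.
```

When auditing a theme, grep for unserialize( and maybe_unserialize( and trace each argument back to its origin; anything reachable from $_COOKIE, $_GET, $_POST or a request body is this bug regardless of whether a chain is present today.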
Threat Entry Updated 2025-03-21

CVE-2025-2289 - Zegen Church Wordpress Theme

The Zegen - Church WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on several AJAX endpoints in all versions up to, and including, 1.1.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import, export, and update theme options.

Theme: Zegen Church Wordpress Theme | Severity: MEDIUM (CVSS 4.3) | 2025-03-14
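The missing-capability-check and missing-nonce pattern shared by this entry and the FoodBakery, CozyStay, Altair and JobCareer entries above, as an added illustration (not code from any of those themes; the demo_-prefixed names and option keys are hypothetical): a theme-options AJAX handler that anyone can call and that writes any option, beside the hardened form with nonce, capability check, option allowlist and per-option sanitizing. It runs inside WordPress, for example as a mu-plugin on a test site.

```php
<?php
/**
 * Plugin Name: demo-theme-options-ajax (illustrative only, not from any listed theme)
 */

// ---- VULNERABLE: reachable by anyone, no nonce, no capability check -----------
// The nopriv hook exposes the handler to unauthenticated visitors; the plain
// wp_ajax_ hook exposes it to every logged-in role, Subscriber included.
// Without a nonce a forged cross-site request also succeeds (the CSRF variant).
add_action( 'wp_ajax_demo_save_option_vuln',        'demo_save_option_vuln' );
add_action( 'wp_ajax_nopriv_demo_save_option_vuln', 'demo_save_option_vuln' );

function demo_save_option_vuln() {
    // Attacker-chosen option name and value written straight to wp_options.
    // name=default_role&value=administrator followed by
    // name=users_can_register&value=1 lets the attacker self-register an
    // administrator account (the chain described for the Altair entry).
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// ---- HARDENED: authenticated only, nonce, capability, allowlist, sanitizing ----
// No wp_ajax_nopriv_ registration: the action does not exist for anonymous users.
add_action( 'wp_ajax_demo_save_option', 'demo_save_option' );

// Only options this feature owns, each with the sanitizer for its type.
// Core options such as default_role or users_can_register are unreachable.
const DEMO_ALLOWED_OPTIONS = array(
    'demo_theme_footer_text'    => 'sanitize_text_field',
    'demo_theme_items_per_page' => 'absint',
);

function demo_save_option() {
    // 1. CSRF: the request must carry a nonce minted for this action for this
    //    user; check_ajax_referer() dies with HTTP 403 otherwise.
    check_ajax_referer( 'demo_save_option', '_wpnonce' );

    // 2. Authorization: theme options are an administrator-level operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input: the option name must be on the allowlist ...
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! array_key_exists( $name, DEMO_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // ... and the value goes through that option's own sanitizer.
    $sanitizer = DEMO_ALLOWED_OPTIONS[ $name ];
    $value     = isset( $_POST['value'] ) ? call_user_func( $sanitizer, wp_unslash( $_POST['value'] ) ) : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'saved' => $name ) );
}

// Hand the nonce to the front end only for users who may use the feature, so
// pages served to unprivileged users never contain a usable token.
add_action( 'admin_enqueue_scripts', function () {
    if ( current_user_can( 'manage_options' ) ) {
        wp_localize_script( 'jquery', 'demoSaveOption', array(
            'ajaxUrl' => admin_url( 'admin-ajax.php' ),
            'nonce'   => wp_create_nonce( 'demo_save_option' ),
        ) );
    }
} );
```

The nonce and the capability check answer different questions (is this request the user's own intent, and is this user allowed to do it) and neither substitutes for the other: the FoodBakery pair above is the same set of functions reported once for each missing check. The allowlist is what keeps a bug in either check from becoming site takeover, because even an attacker who gets through cannot reach default_role or users_can_register.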