
Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 470 | Critical: 68 | High: 135 | Medium: 267
Showing 201-220 of 470 records
CVE-2025-0952 - Eco Nature - Environment & Ecology WordPress Theme
HIGH, CVSS 8.1, 2025-03-14 (entry updated 2025-03-14)

The Eco Nature - Environment & Ecology WordPress Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the 'cmsmasters_hide_admin_notice' AJAX action in all versions up to, and including, 2.0.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update option values to 'hide' on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users…
CVE-2024-13376 - Industrial Theme
HIGH, CVSS 8.8, 2025-03-14 (entry updated 2025-03-14)

The Industrial theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the _ajax_get_total_content_import_items() function in all versions up to, and including, 1.7.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
CVE-2025-1285 - Resido - Real Estate WordPress Theme
MEDIUM, CVSS 5.3, 2025-03-14 (entry updated 2025-03-14)

The Resido - Real Estate WordPress Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_api_key and save_api_key AJAX actions in all versions up to, and including, 3.6. This makes it possible for unauthenticated attackers to issue requests to internal services and update API key details.
CVE-2024-10326 - RomethemeKit For Elementor
MEDIUM, CVSS 4.3, 2025-03-08 (entry updated 2025-03-12)

The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or reset plugin widgets to their default state (all enabled). NOTE: This vulnerability was partially fixed in version 1.5.3.
CVE-2024-12876 - Golo - City Travel Guide WordPress Theme
CRITICAL, CVSS 9.8, 2025-03-07 (entry updated 2025-03-13)

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
CVE-2025-1309 - UiPress lite | Effortless custom dashboards, admin themes and pages
HIGH, CVSS 8.8, 2025-03-07 (entry updated 2025-03-07)

The UiPress lite | Effortless custom dashboards, admin themes and pages plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the uip_save_form_as_option() function in all versions up to, and including, 3.5.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to…
CVE-2024-13655 - Flex Mag - Responsive WordPress News Theme
HIGH, CVSS 8.1, 2025-03-07 (entry updated 2025-03-07)

The Flex Mag - Responsive WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the propanel_of_ajax_callback() function in all versions up to, and including, 3.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
CVE-2025-0749 - Homey Theme
HIGH, CVSS 8.1, 2025-03-07 (entry updated 2025-03-07)

The Homey theme for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.4.3. This is due to the 'verification_id' value being set to empty and the not-empty check being missing in the dashboard user profile page. This makes it possible for unauthenticated attackers to log in as the first verified user.
CVE-2025-0748 - Homey Theme
MEDIUM, CVSS 4.3, 2025-03-07 (entry updated 2025-03-07)

The Homey theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.4.3. This is due to missing or incorrect nonce validation on the 'homey_verify_user_manually' function. This makes it possible for unauthenticated attackers to verify a user via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-12281 - Homey Theme
CRITICAL, CVSS 9.8, 2025-03-05 (entry updated 2025-03-05)

The Homey theme for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.4.2. This is due to the plugin allowing users who are registering new accounts to set their own role. This makes it possible for unauthenticated attackers to gain elevated privileges by creating an account with the Editor or Shop Manager role.
CVE-2024-13423 - Sparkling Theme
MEDIUM, CVSS 5.3, 2025-03-05 (entry updated 2025-03-05)

The Sparkling theme for WordPress is vulnerable to unauthorized plugin activation/deactivation due to a missing capability check on the 'sparkling_activate_plugin' and 'sparkling_deactivate_plugin' functions in versions up to, and including, 2.4.9. This makes it possible for unauthenticated attackers to activate/deactivate arbitrary plugins.
CVE-2024-13815 - The Listingo Theme
MEDIUM, CVSS 6.5, 2025-03-05 (entry updated 2025-03-05)

The Listingo theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.2.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
CVE-2024-13811 - Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme
MEDIUM, CVSS 4.3, 2025-03-05 (entry updated 2025-03-05)

The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX action in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site.
CVE-2024-13810 - Zass - WooCommerce Theme for Handmade Artists and Artisans
MEDIUM, CVSS 4.3, 2025-03-05 (entry updated 2025-03-05)

The Zass - WooCommerce Theme for Handmade Artists and Artisans theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'zass_import_zass' AJAX action in all versions up to, and including, 3.9.9.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo content and overwrite the site.
CVE-2024-13787 - VEDA - MultiPurpose WordPress Theme
CRITICAL, CVSS 9.8, 2025-03-05 (entry updated 2025-03-05)

The VEDA - MultiPurpose WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.2 via deserialization of untrusted input in the 'veda_backup_and_restore_action' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin…
CVE-2024-8682 - JNews - WordPress Newspaper Magazine Blog AMP Theme
MEDIUM, CVSS 5.3, 2025-03-05 (entry updated 2025-03-05)

The JNews - WordPress Newspaper Magazine Blog AMP Theme theme for WordPress is vulnerable to unauthorized user registration in all versions up to, and including, 11.6.6. This is due to the plugin not properly validating whether the "users can register" option is enabled prior to creating a user through the register_handler() function. This makes it possible for unauthenticated attackers to register as a user even when user registration is disabled.
CVE-2025-1307 - Newscrunch Theme
CRITICAL, CVSS 9.8, 2025-03-04 (entry updated 2025-03-05)

The Newscrunch theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check in the newscrunch_install_and_activate_plugin() function in all versions up to, and including, 1.8.4.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
CVE-2025-1306 - Newscrunch Theme
HIGH, CVSS 8.8, 2025-03-04 (entry updated 2025-03-05)

The Newscrunch theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.8.4. This is due to missing or incorrect nonce validation on the newscrunch_install_and_activate_plugin() function. This makes it possible for unauthenticated attackers to upload arbitrary files via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
CVE-2024-13686 - VW Storefront Theme
MEDIUM, CVSS 4.3, 2025-03-04 (entry updated 2025-03-05)

The VW Storefront theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the vw_storefront_reset_all_settings() function in all versions up to, and including, 0.9.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the theme's settings.
CVE-2025-1671 - Academist Membership Theme
CRITICAL, CVSS 9.8, 2025-03-01 (entry updated 2025-03-01)

The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.