
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 471 | Critical: 68 | High: 135 | Medium: 268
Showing 221-240 of 471 records
Threat Entry Updated 2025-03-01

CVE-2025-1671 - Academist Membership Theme

The Academist Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.6. This is due to the academist_membership_check_facebook_user() function not properly verifying a user's identity prior to authenticating them. This makes it possible for unauthenticated attackers to log in as any user, including site administrators.

THEME Academist Membership

CVE-2025-1671

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2025-1638 - Alloggio Membership Theme

The Alloggio Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.2. This is due to the plugin not properly validating a user's identity through the alloggio_membership_init_rest_api_facebook_login and alloggio_membership_init_rest_api_google_login functions. This makes it possible for unauthenticated attackers to log in as any user, including administrators, without knowing a password.

THEME Alloggio Membership

CVE-2025-1638

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2025-1564 - SetSail Membership Theme

The SetSail Membership plugin for WordPress is vulnerable to in all versions up to, and including, 1.0.3. This is due to the plugin not properly verifying a user's identity through the social login. This makes it possible for unauthenticated attackers to log in as any user, including administrators, and take over access to their account.

THEME SetSail Membership

CVE-2025-1564

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-03-01

CVE-2024-12824 - Job Board Wordpress Theme

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior to updating user details such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

THEME Job Board Wordpress Theme

CVE-2024-12824

CRITICAL CVSS 9.8 2025-03-01
Threat Entry Updated 2025-02-28

CVE-2025-1687 - Car Dealer Automotive WordPress Theme – Responsive

The Cardealer theme for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.4. This is due to missing nonce validation on the 'update_user_profile' function. This makes it possible for unauthenticated attackers to update the user email and password via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

THEME Car Dealer Automotive WordPress Theme – Responsive

CVE-2025-1687

HIGH CVSS 8.8 2025-02-28
Threat Entry Updated 2025-02-28

CVE-2025-1682 - Car Dealer Automotive WordPress Theme – Responsive

The Cardealer theme for WordPress is vulnerable to privilege escalation in versions up to, and including, 1.6.4 due to missing capability check on the 'save_settings' function. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify the default user role.

THEME Car Dealer Automotive WordPress Theme – Responsive

CVE-2025-1682

HIGH CVSS 8.8 2025-02-28
Threat Entry Updated 2025-02-28

CVE-2024-12811 - Traveler Theme

The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_slider' shortcode 'style' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

THEME Traveler

CVE-2024-12811

HIGH CVSS 8.8 2025-02-28
Threat Entry Updated 2025-02-28

CVE-2025-1681 - Car Dealer Automotive WordPress Theme – Responsive

The Cardealer theme for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check and missing filename sanitization on the demo theme scheme AJAX functions in versions up to, and including, 1.6.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to change or delete arbitrary css and js files.

THEME Car Dealer Automotive WordPress Theme – Responsive

CVE-2025-1681

MEDIUM CVSS 5.4 2025-02-28
Threat Entry Updated 2025-03-11

CVE-2025-1282 - Responsive Theme

The Car Dealer Automotive WordPress Theme – Responsive theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_post_photo() and add_car() functions in all versions up to, and including, 1.6.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). The add_car() function may also make it possible to read arbitrary files.

THEME Responsive

CVE-2025-1282

HIGH CVSS 8.8 2025-02-27
Threat Entry Updated 2025-03-11

CVE-2024-2297 - Bricks Theme

The Bricks theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.6.1. This is due to insufficient validation checks placed on the create_autosave AJAX function. This makes it possible for authenticated attackers, with contributor-level access and above, to execute arbitrary PHP code with elevated (administrator-level) privileges. NOTE: Successful exploitation requires (1) the Bricks Builder to be enabled for posts, (2) Builder access to be enabled for contributor-level users, and (3) "Code Execution" to be enabled for administrator-level users within the theme's settings.

THEME Bricks

CVE-2024-2297

HIGH CVSS 7.1 2025-02-27
Threat Entry Updated 2025-02-28

CVE-2024-13695 - Enfold Theme

The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

THEME Enfold

CVE-2024-13695

MEDIUM CVSS 6.4 2025-02-25
Threat Entry Updated 2025-02-28

CVE-2024-13693 - Enfold Theme

The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings, which may include sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.

THEME Enfold

CVE-2024-13693

MEDIUM CVSS 5.3 2025-02-25
Threat Entry Updated 2025-02-19

CVE-2025-1065 - Visualizer: Tables and Charts Manager for WordPress Theme

The Visualizer: Tables and Charts Manager for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Import Data From File feature in all versions up to, and including, 3.11.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Visualizer: Tables and Charts Manager for WordPress

CVE-2025-1065

MEDIUM CVSS 6.4 2025-02-19
Threat Entry Updated 2025-02-18

CVE-2025-27013 - MediCenter - Health Medical Clinic WordPress Theme

Missing Authorization vulnerability in EPC MediCenter - Health Medical Clinic WordPress Theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MediCenter - Health Medical Clinic WordPress Theme: from n/a through n/a.

THEME MediCenter - Health Medical Clinic WordPress Theme

CVE-2025-27013

MEDIUM CVSS 5.3 2025-02-18
Threat Entry Updated 2025-02-21

CVE-2024-13681 - Uncode Theme

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_admin_get_oembed' function in all versions up to, and including, 2.9.1.6. This makes it possible for unauthenticated attackers to read arbitrary files on the server.

THEME Uncode

CVE-2024-13681

HIGH CVSS 7.5 2025-02-18
Threat Entry Updated 2025-02-21

CVE-2024-13797 - Pressmart Modern Elementor Woocommerce Wordpress Theme

The PressMart - Modern Elementor WooCommerce WordPress Theme theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.16. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

THEME Pressmart Modern Elementor Woocommerce Wordpress Theme

CVE-2024-13797

HIGH CVSS 7.3 2025-02-18
Threat Entry Updated 2025-02-21

CVE-2024-13691 - Uncode Theme

The Uncode theme for WordPress is vulnerable to arbitrary file read due to insufficient input validation in the 'uncode_recordMedia' function in all versions up to, and including, 2.9.1.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read arbitrary files on the server.

THEME Uncode

CVE-2024-13691

MEDIUM CVSS 6.5 2025-02-18
Threat Entry Updated 2025-02-21

CVE-2024-13667 - Uncode Theme

The Uncode theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'mle-description' parameter in all versions up to, and including, 2.9.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Uncode

CVE-2024-13667

MEDIUM CVSS 5.4 2025-02-18
Threat Entry Updated 2025-02-21

CVE-2024-12860 - Dealership Wordpress Classified Theme

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

THEME Dealership Wordpress Classified Theme

CVE-2024-12860

CRITICAL CVSS 9.8 2025-02-18
Threat Entry Updated 2025-05-21

CVE-2024-13726 - Themes Coder

The Coder WordPress plugin through 1.3.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

THEME Themes Coder

CVE-2024-13726

HIGH CVSS 8.6 2025-02-17