Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Threat Entry Updated 2024-11-21

CVE-2024-2962 - Networker - Tech News WordPress Theme with Dark Mode

The Networker - Tech News WordPress Theme with Dark Mode theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the admin_reload_nav_menu() function in all versions up to, and including, 1.1.9. This makes it possible for unauthenticated attackers to modify the location of display menus.

THEME Networker - Tech News WordPress Theme with Dark Mode

CVE-2024-2962

MEDIUM CVSS 5.3 2024-03-27
Threat Entry Updated 2024-11-21

CVE-2024-2025 - buddypress_woocommerce_my_account_integration Theme

The "BuddyPress WooCommerce My Account Integration. Create WooCommerce Member Pages" plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.4.20 via deserialization of untrusted input in the get_simple_request function. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject a PHP Object. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

THEME buddypress_woocommerce_my_account_integration

CVE-2024-2025

HIGH CVSS 8.8 2024-03-23
Threat Entry Updated 2024-11-21

CVE-2024-2500 - Colormag Theme

The ColorMag theme for WordPress is vulnerable to Stored Cross-Site Scripting via a user's Display Name in all versions up to, and including, 3.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Colormag

CVE-2024-2500

MEDIUM CVSS 6.4 2024-03-22
Threat Entry Updated 2024-11-21

CVE-2024-2252 - Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder Theme

The Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's widgets in all versions up to, and including, 3.1.5 due to insufficient input sanitization and output escaping on user supplied attributes such as URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Droit Elementor Addons – Widgets, Blocks, Templates Library For Elementor Builder

CVE-2024-2252

MEDIUM CVSS 5.4 2024-03-13
Threat Entry Updated 2025-01-31

CVE-2024-1668 - Woocommerce Theme

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to Sensitive Information Exposure in versions up to and including 7.11.5 via the form entries page. This makes it possible for authenticated attackers, with contributor access and above, to view the contents of all form submissions, including fields that are obfuscated (such as the contact form's "password" field).

THEME Woocommerce

CVE-2024-1668

MEDIUM CVSS 6.5 2024-03-13
Threat Entry Updated 2025-01-22

CVE-2024-2107 - Blossom Spa Theme

The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.4 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts.

THEME Blossom Spa

CVE-2024-2107

MEDIUM CVSS 5.8 2024-03-12
Threat Entry Updated 2025-02-04

CVE-2024-1767 - Blocksy Theme

The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's blocks in all versions up to, and including, 2.0.26 due to insufficient input sanitization and output escaping on user supplied attributes like 'className' and 'radius'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Blocksy

CVE-2024-1767

MEDIUM CVSS 6.4 2024-03-09
Threat Entry Updated 2025-03-11

CVE-2024-1771 - Total Theme

The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.

THEME Total

CVE-2024-1771

MEDIUM CVSS 5.3 2024-03-06
Threat Entry Updated 2025-02-05

CVE-2024-1468 - Woocommerce Theme

The Avada | Website Builder For WordPress & WooCommerce theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the ajax_import_options() function in all versions up to, and including, 7.11.4. This makes it possible for authenticated attackers, with contributor-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Woocommerce

CVE-2024-1468

HIGH CVSS 8.8 2024-02-29
Threat Entry Updated 2025-01-08

CVE-2024-1943 - Yuki Theme

The Yuki theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3.14. This is due to missing or incorrect nonce validation on the reset_customizer_options() function. This makes it possible for unauthenticated attackers to reset the theme's settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

THEME Yuki

CVE-2024-1943

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-01-16

CVE-2024-1388 - Yuki Theme

The Yuki theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset_customizer_options() function in all versions up to, and including, 1.3.13. This makes it possible for authenticated attackers, with subscriber-level access and above, to reset the theme's settings.

THEME Yuki

CVE-2024-1388

MEDIUM CVSS 4.3 2024-02-28
Threat Entry Updated 2025-02-05

CVE-2024-1360 - Colibri Wp Theme

The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

THEME Colibri Wp

CVE-2024-1360

MEDIUM CVSS 4.3 2024-02-23
Threat Entry Updated 2025-06-17

CVE-2023-4826 - Socialdriver Theme

The SocialDriver WordPress theme before version 2024 has a prototype pollution vulnerability that could allow an attacker to inject arbitrary properties resulting in a cross-site scripting (XSS) attack.

THEME Socialdriver

CVE-2023-4826

MEDIUM CVSS 6.1 2024-02-23
Threat Entry Updated 2024-11-21

CVE-2024-24926 - Creative Multi Purpose Responsive Theme

Deserialization of Untrusted Data vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme. This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

THEME Creative Multi Purpose Responsive

CVE-2024-24926

HIGH CVSS 7.5 2024-02-12
Threat Entry Updated 2024-11-21

CVE-2024-24927 - Allows Reflected Xss Theme

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in UnitedThemes Brooklyn | Creative Multi-Purpose Responsive WordPress Theme allows Reflected XSS. This issue affects Brooklyn | Creative Multi-Purpose Responsive WordPress Theme: from n/a through 4.9.7.6.

THEME Allows Reflected Xss

CVE-2024-24927

HIGH CVSS 7.1 2024-02-12
Threat Entry Updated 2024-11-21

CVE-2024-0835 - Royal Elementor Kit Theme

The Royal Elementor Kit theme for WordPress is vulnerable to unauthorized arbitrary transient update due to a missing capability check on the dismissed_handler function in all versions up to, and including, 1.0.116. This makes it possible for authenticated attackers, with subscriber access or higher, to update arbitrary transients. Note that these transients can only be set to true, not to arbitrary values.

THEME Royal Elementor Kit

CVE-2024-0835

MEDIUM CVSS 4.3 2024-02-05
Threat Entry Updated 2025-05-30

CVE-2023-7194 - Meris Wp Theme

The Meris WordPress theme through 1.1.2 does not sanitise and escape some parameters before outputting them back in the page, leading to Reflected Cross-Site Scripting which could be used against high-privilege users such as admins.

THEME Meris Wp Theme

CVE-2023-7194

MEDIUM CVSS 6.1 2024-01-22
Threat Entry Updated 2025-05-30

CVE-2024-0679 - Colormag Theme

The ColorMag theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the plugin_action_callback() function in all versions up to, and including, 3.1.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins.

THEME Colormag

CVE-2024-0679

MEDIUM CVSS 6.5 2024-01-20
Threat Entry Updated 2025-06-20

CVE-2023-3771 - Through 19 Theme

The T1 WordPress theme through 19.0 is vulnerable to an unauthenticated open redirect, which allows any attacker to redirect users to arbitrary websites.

THEME Through 19

CVE-2023-3771

MEDIUM CVSS 6.1 2024-01-16
Threat Entry Updated 2024-11-21

CVE-2023-6990 - Weaver Xtreme Theme Support

The Weaver Xtreme theme for WordPress is vulnerable to Stored Cross-Site Scripting via custom post meta in all versions up to, and including, 6.3.0 due to insufficient input sanitization and output escaping on user supplied meta (page-head-code). This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Weaver Xtreme Theme Support

CVE-2023-6990

MEDIUM CVSS 5.4 2024-01-11