
Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 471 | Critical: 68 | High: 135 | Medium: 268
Showing 421-440 of 471 records
Threat Entry Updated 2025-02-06

CVE-2023-0889 - Themeflection Numbers

The Themeflection Numbers WordPress plugin before 2.0.1 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin. As a result, it could allow any authenticated user, such as a subscriber, to update arbitrary blog options, such as enabling registration and setting the default role to administrator.

THEME Themeflection Numbers

CVE-2023-0889

MEDIUM CVSS 6.5 2023-04-17
Threat Entry Updated 2025-02-19

CVE-2023-0503 - Free Woocommerce Theme 99fy Extension

The Free WooCommerce Theme 99fy Extension WordPress plugin before 1.2.8 does not have a CSRF check when activating plugins, which could allow attackers to make logged-in admins activate arbitrary plugins present on the blog via a CSRF attack.

THEME Free Woocommerce Theme 99fy Extension

CVE-2023-0503

MEDIUM CVSS 4.3 2023-03-27
Threat Entry Updated 2024-11-21

CVE-2022-3401 - Bricks Theme

The Bricks theme for WordPress is vulnerable to remote code execution due to the theme allowing site editors to include executable code blocks in website content in versions 1.2 to 1.5.3. This, combined with the missing authorization vulnerability (CVE-2022-3400), makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website and inject a code execution block that can be used to achieve remote code execution.

THEME Bricks

CVE-2022-3401

HIGH CVSS 8.8 2022-10-28
Threat Entry Updated 2024-11-21

CVE-2022-3400 - Bricks Theme

The Bricks theme for WordPress is vulnerable to authorization bypass due to a missing capability check on the bricks_save_post AJAX action in versions 1.0 to 1.5.3. This makes it possible for authenticated attackers with minimal permissions, such as a subscriber, to edit any page, post, or template on the vulnerable WordPress website.

THEME Bricks

CVE-2022-3400

MEDIUM CVSS 6.5 2022-10-28
Threat Entry Updated 2024-11-21

CVE-2022-3209 - Before 8 Theme

The soledad WordPress theme before 8.2.5 does not sanitise the {id,datafilter[type],...} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.

THEME Before 8

CVE-2022-3209

MEDIUM CVSS 6.1 2022-10-10
Threat Entry Updated 2025-06-05

CVE-2022-2654 - Before 2 Theme

The Classima WordPress theme before 2.1.11 and some of its required plugins (Classified Listing before 2.2.14, Classified Listing Pro before 2.0.20, Classified Listing Store & Membership before 1.4.20 and Classima Core before 1.10) do not escape a parameter before outputting it back in attributes, leading to Reflected Cross-Site Scripting.

THEME Before 2

CVE-2022-2654

MEDIUM CVSS 6.1 2022-09-16
Threat Entry Updated 2024-11-21

CVE-2022-1251 - Ask Me Theme

The Ask me WordPress theme before 6.8.4 does not perform nonce checks when processing POST requests to the Edit Profile page, allowing an attacker to trick a user to change their profile information by sending a crafted request.

THEME Ask Me

CVE-2022-1251

MEDIUM CVSS 4.3 2022-08-22
Threat Entry Updated 2024-11-21

CVE-2022-2180 - Does Not Properly Validate Uploaded Custom Font Packages Theme

The GREYD.SUITE WordPress theme does not properly validate uploaded custom font packages, and does not perform any authorization or CSRF checks, allowing an unauthenticated attacker to upload arbitrary files, including PHP source files, leading to possible remote code execution (RCE).

THEME Does Not Properly Validate Uploaded Custom Font Packages

CVE-2022-2180

CRITICAL CVSS 9.8 2022-08-15
Threat Entry Updated 2024-11-21

CVE-2022-1323 - Before 5 Theme

The Discy WordPress theme before 5.0 lacks authorization checks when processing AJAX requests to the discy_update_options action, allowing any logged-in user (with privileges as low as Subscriber) to change theme options by sending a crafted POST request.

THEME Before 5

CVE-2022-1323

MEDIUM CVSS 6.5 2022-08-08
Threat Entry Updated 2024-11-21

CVE-2022-1951 - Core Plugin For Kitestudio Themes

The core plugin for kitestudio WordPress plugin before 2.3.1 does not sanitise and escape some parameters before outputting them back in the response of an AJAX action, available to both unauthenticated and authenticated users when a premium theme from the vendor is active, leading to a Reflected Cross-Site Scripting vulnerability.

THEME Core Plugin For Kitestudio Themes

CVE-2022-1951

MEDIUM CVSS 6.1 2022-07-11
Threat Entry Updated 2024-11-21

CVE-2022-1424 - Ask Me Theme

The Ask me WordPress theme before 6.8.2 does not perform CSRF checks for any of its AJAX actions, allowing an attacker to trick logged-in users into performing various actions on their behalf on the site.

THEME Ask Me

CVE-2022-1424

MEDIUM CVSS 6.5 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1422 - Before 5 Theme

The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.

THEME Before 5

CVE-2022-1422

MEDIUM CVSS 6.5 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1241 - Ask Me Theme

The Ask me WordPress theme before 6.8.2 does not properly sanitise and escape several of the fields in the Edit Profile page, leading to Reflected Cross-Site Scripting issues.

THEME Ask Me

CVE-2022-1241

MEDIUM CVSS 6.1 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2022-1421 - Before 5 Theme

The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged-in admin change arbitrary 's settings, including payment methods, via a CSRF attack.

THEME Before 5

CVE-2022-1421

MEDIUM CVSS 4.3 2022-06-08
Threat Entry Updated 2024-11-21

CVE-2021-24982 - Child Theme Generator

The Child Theme Generator WordPress plugin through 2.2.7 does not sanitise and escape the parade parameter before outputting it back, leading to a Reflected Cross-Site Scripting vulnerability in the admin dashboard.

THEME Child Theme Generator

CVE-2021-24982

MEDIUM CVSS 6.4 2022-03-14