Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

470 records in total: 68 Critical, 135 High, 267 Medium. Showing records 61-80 of 470.

Threat Entry Updated 2026-01-08
CVE-2026-22521 - Handmade Framework Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9.
THEME Handmade Framework | HIGH CVSS 7.5 2026-01-08

Threat Entry Updated 2026-01-20
CVE-2026-0676 - Zorka Theme
Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zorka: from n/a through
THEME Zorka | MEDIUM CVSS 5.3 2026-01-08

Threat Entry Updated 2026-01-08
CVE-2025-31051 - Plant - Gardening & Houseplants WordPress Theme
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in EngoTheme Plant - Gardening & Houseplants WordPress Theme allows Retrieve Embedded Sensitive Data. This issue affects Plant - Gardening & Houseplants WordPress Theme: from n/a through 1.0.0.
THEME Plant - Gardening & Houseplants | MEDIUM CVSS 5.3 2026-01-07

Threat Entry Updated 2026-01-08
CVE-2025-30996 - Themify Sidepane Theme (and other Themify themes)
Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Sidepane WordPress Theme, Themify Themify Newsy, Themify Themify Folo, Themify Themify Edmin, Themify Bloggie, Themify Photobox, Themify Wigi, Themify Rezo, Themify Slide allows Upload a Web Shell to a Web Server. This issue affects Themify Sidepane WordPress Theme: from n/a through 1.9.8; Themify Newsy: from n/a through 1.9.9; Themify Folo: from n/a through 1.9.6; Themify Edmin: from n/a through 2.0.0; Bloggie: from n/a through 2.0.8; Photobox: from n/a through 2.0.1; Wigi: from n/a through 2.0.1; Rezo: from n/a through 1.9.7;…
THEME Themify Sidepane and other Themify themes | CRITICAL CVSS 9.9 2026-01-06

Threat Entry Updated 2026-01-08
CVE-2025-4776 - Phlox Theme
The Phlox theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `data-caption` HTML attribute in all versions up to, and including, 2.17.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME Phlox | MEDIUM CVSS 6.4 2026-01-06

Threat Entry Updated 2026-01-20
CVE-2025-68987 - Cinerama Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Cinerama - A WordPress Theme for Movie Studios and Filmmakers cinerama allows PHP Local File Inclusion. This issue affects Cinerama - A WordPress Theme for Movie Studios and Filmmakers: from n/a through
THEME Cinerama | CRITICAL CVSS 9.8 2025-12-30

Threat Entry Updated 2025-12-15
CVE-2025-7058 - Kingcabs Theme
The Kingcabs theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'progressbarLayout' parameter in all versions up to, and including, 1.1.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME Kingcabs | MEDIUM CVSS 6.4 2025-12-13

Threat Entry Updated 2025-12-15
CVE-2025-11164 - Mavix Education Theme
The Mavix Education theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mavix_education_activate_plugin' AJAX action in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate the Creativ Demo Importer plugin.
THEME Mavix Education | MEDIUM CVSS 4.3 2025-12-13

Threat Entry Updated 2026-01-09
CVE-2025-10684 - Construction Light Theme
The Construction Light WordPress theme before 1.6.8 does not have authorisation and CSRF checks when activating via an AJAX action, allowing any authenticated user, such as a subscriber, to activate arbitrary .
THEME Construction Light | MEDIUM CVSS 4.3 2025-12-12

Threat Entry Updated 2025-12-01
CVE-2025-13675 - Tiger Theme
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.
THEME Tiger | CRITICAL CVSS 9.8 2025-11-27

Threat Entry Updated 2025-12-01
CVE-2025-13680 - Tiger Theme
The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the plugin allowing a user to update the user role through the $user->set_role() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator.
THEME Tiger | HIGH CVSS 8.8 2025-11-27

Threat Entry Updated 2025-12-01
CVE-2025-9191 - Houzez Theme
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target…
THEME Houzez | MEDIUM CVSS 6.3 2025-11-26

Threat Entry Updated 2025-12-01
CVE-2025-9163 - Houzez Theme
The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
THEME Houzez | MEDIUM CVSS 6.1 2025-11-26

Threat Entry Updated 2025-11-24
CVE-2025-5092 - Changeset Theme
Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (
THEME Changeset | MEDIUM CVSS 6.4 2025-11-20

Threat Entry Updated 2025-11-14
CVE-2025-10295 - Angel - Fashion Model Agency WordPress CMS Theme
The Angel – Fashion Model Agency WordPress CMS Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the profile media uploader in all versions up to, and including, 3.2.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This requires that the user has access to the edit profile form with the media upload option.
THEME Angel - Fashion Model Agency WordPress CMS Theme | MEDIUM CVSS 6.4 2025-11-13

Threat Entry Updated 2026-01-20
CVE-2025-60199 - InHype Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx InHype - Blog & Magazine WordPress Theme inhype allows PHP Local File Inclusion. This issue affects InHype - Blog & Magazine WordPress Theme: from n/a through
THEME InHype | HIGH CVSS 8.2 2025-11-06

Threat Entry Updated 2026-01-20
CVE-2025-60198 - Saxon Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in dedalx Saxon - Viral Content Blog & Magazine Marketing WordPress Theme saxon allows PHP Local File Inclusion. This issue affects Saxon - Viral Content Blog & Magazine Marketing WordPress Theme: from n/a through
THEME Saxon | HIGH CVSS 8.1 2025-11-06

Threat Entry Updated 2025-11-04
CVE-2025-6990 - Kallyas Theme
The kallyas theme for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.24.0 via the `TH_PhpCode` pagebuilder widget. This is due to the theme not restricting access to the code editor widget for non-administrators. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
THEME Kallyas | HIGH CVSS 8.8 2025-11-01

Threat Entry Updated 2025-11-04
CVE-2025-6988 - Kallyas Theme
The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME Kallyas | MEDIUM CVSS 6.4 2025-11-01