Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total: 470 | Critical: 68 | High: 135 | Medium: 267
Showing 81-100 of 470 records
Threat Entry Updated 2025-11-04

CVE-2025-10897 - WooCommerce Designer Pro Theme

The WooCommerce Designer Pro theme for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.9.28. This makes it possible for unauthenticated attackers to read arbitrary files on the server, which can expose DB credentials when the wp-config.php file is read.

THEME WooCommerce Designer Pro

CVE-2025-10897

HIGH CVSS 8.6 2025-10-31
Threat Entry Updated 2025-11-04

CVE-2025-5397 - Noo JobMonster Theme

The Noo JobMonster theme for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.8.1. This is due to the check_login() function not properly verifying a user's identity prior to successfully authenticating them. This makes it possible for unauthenticated attackers to bypass standard authentication and access administrative user accounts. Please note that social login needs to be enabled in order for a site to be impacted by this vulnerability.

THEME Noo JobMonster

CVE-2025-5397

CRITICAL CVSS 9.8 2025-10-31
Threat Entry Updated 2025-10-27

CVE-2025-11897 - The7 (Website and eCommerce Builder for WordPress) Theme

The The7 (Website and eCommerce Builder for WordPress) theme for WordPress is vulnerable to Stored Cross-Site Scripting via the 'the7_fancy_title_css' parameter in all versions up to, and including, 12.9.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME The7 (Website and eCommerce Builder for WordPress)

CVE-2025-11897

MEDIUM CVSS 6.4 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-8413 - Listeo Theme

The Listeo theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's `soundcloud` shortcode in all versions up to, and including, 2.0.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Listeo

CVE-2025-8413

MEDIUM CVSS 6.4 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-10737 - Open Source Genesis Framework Theme

The Open Source Genesis Framework theme for WordPress is vulnerable to Stored Cross-Site Scripting via the theme's shortcodes in all versions up to, and including, 3.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Open Source Genesis Framework

CVE-2025-10737

MEDIUM CVSS 6.4 2025-10-25
Threat Entry Updated 2025-10-27

CVE-2025-6440 - Pricom - Printing Company & Design Services Theme

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Pricom - Printing Company & Design Services

CVE-2025-6440

CRITICAL CVSS 9.8 2025-10-24
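The entry above is the upload half of the WooCommerce Designer Pro canvas-save handler: the client supplies both the bytes and the file name, and nothing checks either. The block below is an added illustration written for this page, not the plugin's code. The action name, the `image` and `filename` parameters and the `designs` directory are invented, and it assumes it is loaded inside a WordPress theme or plugin.

```php
<?php
// Added example (not WooCommerce Designer Pro's code). A "save canvas design"
// AJAX handler that receives an image as a data URL and writes it to disk.
// Action, parameter and directory names are hypothetical.

// VULNERABLE: the caller chooses the file name, so the extension can be .php,
// and the decoded bytes are written without being inspected. The nopriv
// registration means no login is needed to reach it.
function example_save_design_vulnerable() {
    $dir   = wp_upload_dir();
    $bytes = base64_decode( substr( strstr( $_POST['image'], ',' ), 1 ) ); // "data:image/png;base64,...."
    file_put_contents( $dir['basedir'] . '/designs/' . $_POST['filename'], $bytes );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_save_design', 'example_save_design_vulnerable' );

/**
 * Decode a data URL and return array( bytes, extension ) only if the content
 * really is a PNG or JPEG, otherwise a WP_Error.
 */
function example_decode_design( $data_url, $max_bytes = 5 * MB_IN_BYTES ) {
    if ( ! preg_match( '#^data:image/(png|jpeg);base64,([A-Za-z0-9+/=]+)$#', (string) $data_url, $m ) ) {
        return new WP_Error( 'bad_data', 'expected a base64 PNG or JPEG data URL' );
    }
    $bytes = base64_decode( $m[2], true );
    if ( false === $bytes || strlen( $bytes ) > $max_bytes ) {
        return new WP_Error( 'bad_data', 'invalid or oversized payload' );
    }
    // The MIME type in the data URL is a claim; getimagesizefromstring() looks
    // at the bytes. The extension is derived from what was detected, never
    // from the request.
    $info = @getimagesizefromstring( $bytes );
    $map  = array( 'image/png' => 'png', 'image/jpeg' => 'jpg' );
    if ( false === $info || ! isset( $map[ $info['mime'] ] ) ) {
        return new WP_Error( 'bad_image', 'content is not a PNG or JPEG' );
    }
    return array( $bytes, $map[ $info['mime'] ] );
}

// HARDENED: authenticated and nonce-checked; content validated; file name
// generated server-side; written through wp_upload_bits(), which itself
// refuses extensions outside the upload allowlist and places the file under
// the uploads directory.
function example_save_design_hardened() {
    check_ajax_referer( 'example_save_design', 'nonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $decoded = example_decode_design( isset( $_POST['image'] ) ? wp_unslash( $_POST['image'] ) : '' );
    if ( is_wp_error( $decoded ) ) {
        wp_send_json_error( $decoded->get_error_message(), 400 );
    }
    list( $bytes, $ext ) = $decoded;
    $name   = 'design-' . get_current_user_id() . '-' . wp_generate_password( 12, false ) . '.' . $ext;
    $result = wp_upload_bits( $name, null, $bytes );
    if ( ! empty( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_save_design', 'example_save_design_hardened' );
```

wp_upload_bits() only checks the extension of the name it is given, so on its own it would still accept a PHP payload labelled `.png`; the getimagesizefromstring() step is what keeps such a file off disk. If the design must remember a user-chosen title, store that as post meta and keep the on-disk name generated.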
Threat Entry Updated 2025-10-16

CVE-2025-10706 - Classified Pro Theme

The Classified Pro theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check in the 'cwp_addons_update_plugin_cb' function in all versions up to, and including, 1.0.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins on the affected site's server, which may make remote code execution possible. Note: the nonce that the handler does check is generated by the CubeWP Framework plugin rather than by the theme, and it does not substitute for the missing capability check.

THEME Classified Pro

CVE-2025-10706

HIGH CVSS 8.8 2025-10-16
Threat Entry Updated 2025-10-16

CVE-2025-6042 - Lisfinity Core Plugin (pebas® Lisfinity Theme)

The Lisfinity Core plugin for WordPress, used by the pebas® Lisfinity theme, is vulnerable to privilege escalation in all versions up to, and including, 1.4.0. This is due to the plugin assigning the editor role by default. While limitations on that role's capabilities are put in place, use of the API is not restricted. This vulnerability can be chained with CVE-2025-6038 to obtain administrator privileges.

THEME pebas® Lisfinity (Lisfinity Core plugin)

CVE-2025-6042

HIGH CVSS 7.3 2025-10-15
Threat Entry Updated 2025-10-16

CVE-2025-11746 - XStore Theme

The XStore theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 9.5.4 via the et_ajax_required_plugins_popup() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

THEME XStore

CVE-2025-11746

HIGH CVSS 8.8 2025-10-15
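The XStore entry is the usual WordPress LFI shape: an AJAX handler builds an include path from a request parameter, and any logged-in user can reach it. The block below is an added illustration, not XStore's code; the action name, the `template` parameter, the `popups` directory and the allowlist entries are invented, and it assumes it runs inside a WordPress theme.

```php
<?php
// Added example (not XStore's code): an AJAX popup handler that includes a
// template chosen by the request. Names are hypothetical.

// VULNERABLE: the request controls the include path. "../" segments reach
// any .php on the server, and a previously uploaded .php file (an avatar
// upload that was not checked, for instance) is executed as theme code.
function example_popup_vulnerable() {
    $tpl = isset( $_POST['template'] ) ? $_POST['template'] : 'default';
    include get_template_directory() . '/popups/' . $tpl . '.php';
    wp_die();
}
add_action( 'wp_ajax_example_popup', 'example_popup_vulnerable' );

// HARDENED: a fixed allowlist maps short keys to files, the caller must hold
// a real capability, and the request carries a nonce. realpath() is a second
// line of defence: even if the allowlist ever grew a bad entry, the resolved
// file must still sit inside the theme's popups directory.
function example_popup_hardened() {
    check_ajax_referer( 'example_popup', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array(
        'required-plugins' => 'required-plugins.php',
        'welcome'          => 'welcome.php',
    );
    $key = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    $base = realpath( get_template_directory() . '/popups' );
    $file = false === $base ? false : realpath( $base . '/' . $allowed[ $key ] );
    if ( false === $base || false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid template path', 400 );
    }

    ob_start();
    include $file;
    wp_send_json_success( ob_get_clean() );
}
add_action( 'wp_ajax_example_popup_safe', 'example_popup_hardened' );
```

The allowlist, not sanitisation, is the fix: sanitize_key() strips `.` and `/`, but a key that is then used to look up a file name means the request never names a path at all. The capability check matters independently, because a subscriber has no business opening a "required plugins" dialog.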
Threat Entry Updated 2025-10-14

CVE-2025-8682 - Newsup Theme

The Newsup theme for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the newsup_admin_info_install_plugin() function in all versions up to, and including, 5.0.10. This makes it possible for unauthenticated attackers to install the ansar-import plugin.

THEME Newsup

CVE-2025-8682

MEDIUM CVSS 4.3 2025-10-11
Threat Entry Updated 2025-10-14

CVE-2025-6439 - Pricom - Printing Company & Design Services Theme

The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. This makes it possible for unauthenticated attackers to delete all files in an arbitrary directory on the server, which can lead to remote code execution, data loss, or site unavailability.

THEME Pricom - Printing Company & Design Services

CVE-2025-6439

CRITICAL CVSS 9.8 2025-10-11
Threat Entry Updated 2025-10-09

CVE-2025-9371 - Betheme

The Betheme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘page_title’ parameter in all versions up to, and including, 28.1.6 due to insufficient input sanitization and output escaping of theme breadcrumbs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Betheme

CVE-2025-9371

MEDIUM CVSS 6.4 2025-10-09
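Four entries on this page (The7 CVE-2025-11897, Listeo CVE-2025-8413, Genesis CVE-2025-10737 and Betheme CVE-2025-9371) are the same Contributor-level stored XSS: a value a contributor can type is printed into HTML without being escaped for the context it lands in. The block below is an added illustration, not any of those themes' code; the shortcode tag and attribute names are invented, and it assumes it is loaded inside a WordPress theme.

```php
<?php
// Added example (not the code of The7, Listeo, Genesis or Betheme). A
// shortcode that echoes its attributes raw, beside a version that escapes
// each one for the context it is printed in. Names are hypothetical.

// VULNERABLE: attributes land in HTML and in a <style> block unescaped.
// Contributors cannot post raw <script> (wp_kses removes it), but the
// shortcode text itself is not HTML, so
//   [example_audio url='" onmouseover="alert(1)' title="x"]
// survives kses and is expanded to live markup when anyone views the post.
function example_audio_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '', 'css' => '' ), $atts, 'example_audio' );
    return '<style>' . $atts['css'] . '</style>'
         . '<a class="audio" href="' . $atts['url'] . '">' . $atts['title'] . '</a>';
}
add_shortcode( 'example_audio', 'example_audio_vulnerable' );

// HARDENED: every value is escaped for the exact context it is printed in.
// esc_url() drops javascript: and data: schemes and neutralises quotes,
// esc_html() covers the text node, and raw CSS is never echoed into a
// <style> element: safecss_filter_attr() keeps only declarations WordPress
// allows, and the result goes into an attribute through esc_attr().
function example_audio_hardened( $atts ) {
    $atts = shortcode_atts( array( 'url' => '', 'title' => '', 'css' => '' ), $atts, 'example_audio_safe' );

    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }
    $style = safecss_filter_attr( $atts['css'] );

    return sprintf(
        '<a class="audio" href="%s"%s>%s</a>',
        $url,
        '' !== $style ? ' style="' . esc_attr( $style ) . '"' : '',
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'example_audio_safe', 'example_audio_hardened' );
```

The same rule covers the Betheme case, where the injected value is a page title rendered into breadcrumbs: esc_html() at the point of output is the whole fix. Where a value genuinely has to carry markup, wp_kses_post() at output is the fallback, not a regex on input.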
Threat Entry Updated 2025-10-09

CVE-2025-11522 - Search & Go - Directory WordPress Theme

The Search & Go - Directory WordPress Theme theme for WordPress is vulnerable to Authentication Bypass via account takeover in all versions up to, and including, 2.7. This is due to insufficient user validation in the search_and_go_elated_check_facebook_user() function. This makes it possible for unauthenticated attackers to gain access to other users' accounts, including administrators, when Facebook login is enabled.

THEME Search & Go - Directory WordPress Theme

CVE-2025-11522

CRITICAL CVSS 9.8 2025-10-09
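The Noo JobMonster (CVE-2025-5397) and Search & Go (CVE-2025-11522) entries are both social-login callbacks that believe an identity claim made by the browser. The block below is an added illustration of that defect and of the server-side verification that closes it; it is not either theme's code. The action names, the `example_fb_user_id` meta key, the app-credential option names and the Facebook Graph endpoints used for verification are assumptions for the example, and it assumes it runs inside a WordPress theme or plugin.

```php
<?php
// Added example (not the code of Noo JobMonster or Search & Go). Names and
// option keys are hypothetical.

// VULNERABLE: the browser says who it is. Anyone who knows or guesses the
// administrator's e-mail address posts it and receives the admin's cookie.
function example_fb_login_vulnerable() {
    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ) );
    if ( ! $user ) {
        wp_send_json_error( 'no such user' );
    }
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success( array( 'redirect' => home_url() ) );
}
add_action( 'wp_ajax_nopriv_example_fb_login', 'example_fb_login_vulnerable' );

/**
 * Ask the provider who the token belongs to. Returns array( 'id', 'email' )
 * or a WP_Error. The token is opaque to us; only the provider can vouch for
 * it, and it must also confirm the token was issued to OUR app, otherwise a
 * token the victim granted to any other app would be accepted.
 */
function example_fb_identity_from_token( $token ) {
    $app_id     = get_option( 'example_fb_app_id' );     // assumed settings
    $app_secret = get_option( 'example_fb_app_secret' );

    $debug = wp_safe_remote_get( add_query_arg( array(
        'input_token'  => $token,
        'access_token' => $app_id . '|' . $app_secret,
    ), 'https://graph.facebook.com/debug_token' ), array( 'timeout' => 5 ) );
    $info = is_wp_error( $debug ) ? array() : json_decode( wp_remote_retrieve_body( $debug ), true );
    if ( empty( $info['data']['is_valid'] ) || (string) $app_id !== (string) $info['data']['app_id'] ) {
        return new WP_Error( 'bad_token', 'token rejected by provider' );
    }

    $me = wp_safe_remote_get( add_query_arg( array(
        'fields'       => 'id,email',
        'access_token' => $token,
    ), 'https://graph.facebook.com/me' ), array( 'timeout' => 5 ) );
    $profile = is_wp_error( $me ) ? array() : json_decode( wp_remote_retrieve_body( $me ), true );
    if ( empty( $profile['id'] ) ) {
        return new WP_Error( 'bad_profile', 'could not read profile' );
    }
    return array( 'id' => (string) $profile['id'], 'email' => isset( $profile['email'] ) ? $profile['email'] : '' );
}

// HARDENED: the only client input is the token; identity comes from the
// provider; the local account is found through a provider-id link written
// by the site when the user connected Facebook while already logged in,
// never through an e-mail the caller typed. Matching on e-mail, even a
// provider-verified one, hands a password-created account to whoever
// controls that address at the provider, so it is not done here.
function example_fb_login_hardened() {
    $token = isset( $_POST['access_token'] ) ? sanitize_text_field( wp_unslash( $_POST['access_token'] ) ) : '';
    if ( '' === $token ) {
        wp_send_json_error( 'missing token', 400 );
    }
    $identity = example_fb_identity_from_token( $token );
    if ( is_wp_error( $identity ) ) {
        wp_send_json_error( $identity->get_error_message(), 401 );
    }
    $users = get_users( array(
        'meta_key'   => 'example_fb_user_id',   // assumed meta key, written only by the site
        'meta_value' => $identity['id'],
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    if ( empty( $users ) ) {
        wp_send_json_error( 'no linked account', 403 );
    }
    $user_id = (int) $users[0];
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id, true );
    wp_send_json_success( array( 'redirect' => home_url() ) );
}
add_action( 'wp_ajax_nopriv_example_fb_login_safe', 'example_fb_login_hardened' );
```

A check_login()-style function that takes a user identifier or e-mail from the request and skips the provider round-trip is the bug in both entries; the token verification is the only step the browser cannot forge. The account link should be created in an authenticated flow (the user is logged in with their password and connects Facebook), so the meta value is never written from an unauthenticated request.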
Threat Entry Updated 2025-10-06

CVE-2025-9194 - Constructor Theme

The Constructor theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the clean() function in all versions up to, and including, 1.6.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to trigger a theme clean.

THEME Constructor

CVE-2025-9194

MEDIUM CVSS 4.3 2025-10-03
Threat Entry Updated 2025-10-06

CVE-2025-8669 - Customify Theme

The Customify theme for WordPress is vulnerable to Cross-Site Request Forgery in version 0.4.11. This is due to missing or incorrect nonce validation on the reset_customize_section function. This makes it possible for unauthenticated attackers to reset theme customization settings via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

THEME Customify

CVE-2025-8669

MEDIUM CVSS 4.3 2025-10-03
Threat Entry Updated 2025-09-26

CVE-2025-10137 - Snow Monkey Theme

The Snow Monkey theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 29.1.5 via the request() function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

THEME Snow Monkey

CVE-2025-10137

MEDIUM CVSS 5.4 2025-09-26
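The Snow Monkey entry describes a theme-side fetch helper driven by a caller-supplied URL. The block below is an added illustration, not Snow Monkey's code; the action name, the `url` parameter and the `api.example.com` allowlist entry are invented, and it assumes it runs inside a WordPress theme or plugin.

```php
<?php
// Added example (not Snow Monkey's code). Names are hypothetical.

// VULNERABLE: any scheme, host and port the caller names. From the server's
// point of view http://127.0.0.1:8080/ or the cloud metadata address are
// just URLs, and the response body is handed straight back to the caller.
function example_fetch_vulnerable() {
    $response = wp_remote_get( $_POST['url'] );
    wp_send_json_success( wp_remote_retrieve_body( $response ) );
}
add_action( 'wp_ajax_nopriv_example_fetch', 'example_fetch_vulnerable' );

/**
 * Return the URL if it may be fetched, otherwise false.
 * wp_http_validate_url() is the core check that wp_safe_remote_get() applies:
 * it refuses non-http(s) schemes, unusual ports, and hosts that resolve to
 * loopback or private (RFC 1918) addresses, the site's own host excepted.
 * On top of that the destination is pinned to a hostname allowlist, because
 * a public host the attacker controls is still a sink for exfiltration.
 */
function example_validate_fetch_url( $url, array $allowed_hosts ) {
    $url = wp_http_validate_url( $url );
    if ( false === $url ) {
        return false;
    }
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( ! is_string( $host ) || ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
        return false;
    }
    return $url;
}

// HARDENED: authenticated and capability-gated; the URL is validated; the
// fetch uses wp_safe_remote_get(), which re-validates each redirect hop
// (reject_unsafe_urls); and only the fields the feature needs are returned,
// never the raw body.
function example_fetch_hardened() {
    check_ajax_referer( 'example_fetch', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $url = example_validate_fetch_url(
        isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '',
        array( 'api.example.com' ) // assumed allowlist for the example
    );
    if ( false === $url ) {
        wp_send_json_error( 'url not allowed', 400 );
    }
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 2 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    wp_send_json_success( array(
        'title' => isset( $data['title'] ) ? sanitize_text_field( $data['title'] ) : '',
    ) );
}
add_action( 'wp_ajax_example_fetch', 'example_fetch_hardened' );
```

Two caveats a reviewer should keep in mind: wp_http_validate_url() resolves the hostname once, so a DNS record that changes between the check and the fetch (rebinding) can still reach an internal address, which is the reason the hostname allowlist is kept even with the core check in place; and "unauthenticated" in the entry above comes from the nopriv hook, so removing that registration is the first fix, not the last.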
Threat Entry Updated 2025-09-19

CVE-2025-10690 - Goza - Nonprofit Charity WordPress Theme

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to unauthorized arbitrary file uploads due to a missing capability check on the 'beplus_import_pack_install_plugin' function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.

THEME Goza - Nonprofit Charity WordPress Theme

CVE-2025-10690

CRITICAL CVSS 9.8 2025-09-19
Threat Entry Updated 2025-09-17

CVE-2025-8999 - Sydney Theme

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate or deactivate various theme modules.

THEME Sydney

CVE-2025-8999

MEDIUM CVSS 5.3 2025-09-17
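Six entries on this page are variations of one mistake in an admin-ajax handler: Classified Pro (CVE-2025-10706, nonce present but no capability check), Newsup (CVE-2025-8682) and Goza (CVE-2025-10690, reachable without a session), Customify (CVE-2025-8669, no nonce), Constructor (CVE-2025-9194) and Sydney (CVE-2025-8999, any logged-in user). The block below is an added illustration, not any of those themes' code; the action name, option name and module list are invented, and it assumes it runs inside a WordPress theme.

```php
<?php
// Added example (not the code of Classified Pro, Newsup, Goza, Customify,
// Constructor or Sydney). Names are hypothetical.

// VULNERABLE (Sydney/Constructor shape): registered for every logged-in user
// and never checks who is calling. A subscriber posts
//   action=example_toggle_module&module=header&enable=1
// to admin-ajax.php and the option changes.
function example_toggle_module_vulnerable() {
    $modules = (array) get_option( 'example_modules', array() );
    $modules[ sanitize_key( $_POST['module'] ) ] = ! empty( $_POST['enable'] );
    update_option( 'example_modules', $modules );
    wp_send_json_success( $modules );
}
add_action( 'wp_ajax_example_toggle_module', 'example_toggle_module_vulnerable' );

// VULNERABLE (Newsup/Goza shape): the nopriv hook makes the same handler
// reachable with no session at all. A nonce alone would not repair this:
// a nonce printed into a public page, or minted by another plugin for any
// logged-in user (the Classified Pro note), is not a secret.
add_action( 'wp_ajax_nopriv_example_toggle_module', 'example_toggle_module_vulnerable' );

// HARDENED: no nopriv registration; a nonce bound to this action proves the
// request came from a page the site rendered for this user (the CSRF case,
// Customify); a capability check proves the caller may do this at all
// (authorisation, Classified Pro). Both are needed, because a nonce is
// minted for whoever is logged in, subscribers included.
function example_toggle_module_hardened() {
    check_ajax_referer( 'example_toggle_module', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $known  = array( 'blocks', 'header', 'footer' ); // allowlist of modules
    $module = isset( $_POST['module'] ) ? sanitize_key( wp_unslash( $_POST['module'] ) ) : '';
    if ( ! in_array( $module, $known, true ) ) {
        wp_send_json_error( 'unknown module', 400 );
    }
    $modules            = (array) get_option( 'example_modules', array() );
    $modules[ $module ] = ! empty( $_POST['enable'] );
    update_option( 'example_modules', $modules );
    wp_send_json_success( $modules );
}
add_action( 'wp_ajax_example_toggle_module_safe', 'example_toggle_module_hardened' );

// The nonce the hardened handler verifies is produced on the settings page
// the administrator actually uses, so it never appears in public output.
function example_settings_page_nonce_field() {
    if ( current_user_can( 'manage_options' ) ) {
        wp_nonce_field( 'example_toggle_module', 'nonce' );
    }
}
```

For handlers that install plugins, as in the Newsup, Goza and Classified Pro entries, the capability to test is install_plugins, and the archive should be fetched and unpacked through the core Plugin_Upgrader rather than a hand-rolled download into wp-content/plugins.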
Threat Entry Updated 2025-09-09

CVE-2025-10134 - Goza - Nonprofit Charity WordPress Theme

The Goza - Nonprofit Charity WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

THEME Goza - Nonprofit Charity WordPress Theme

CVE-2025-10134

CRITICAL CVSS 9.1 2025-09-09
Threat Entry Updated 2025-09-09

CVE-2025-9114 - Doccure Theme

The Doccure theme for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.4.8. This is due to the theme providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts.

THEME Doccure

CVE-2025-9114

CRITICAL CVSS 9.8 2025-09-08
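The Doccure entry is an insecure direct object reference on the password-change path: the request, not the session, decides whose password changes. The block below is an added illustration, not Doccure's code; the action and parameter names are invented, and it assumes it runs inside a WordPress theme.

```php
<?php
// Added example (not Doccure's code). Names are hypothetical.

// VULNERABLE: reachable without a session, and the target account is whatever
// user_id the caller sends. user_id=1 is almost always an administrator.
function example_change_password_vulnerable() {
    wp_set_password( $_POST['new_password'], (int) $_POST['user_id'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password_vulnerable' );

// HARDENED: the account is the session's own, the request is nonce-checked,
// the caller proves knowledge of the current password, and every other
// session of that user is logged out.
function example_change_password_hardened() {
    check_ajax_referer( 'example_change_password', 'nonce' );
    $user = wp_get_current_user();
    if ( 0 === $user->ID ) {
        wp_send_json_error( 'login required', 401 );
    }
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }
    wp_set_password( $new, $user->ID );
    // The auth cookie embeds a fragment of the password hash, so the change
    // invalidates every existing cookie. Destroy the other sessions
    // explicitly and re-issue one for the browser that made the change.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all();
    wp_set_auth_cookie( $user->ID, true );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_change_password', 'example_change_password_hardened' );
```

If the theme also needs an administrator to reset someone else's password, that is a separate handler gated on current_user_can( 'edit_user', $target_id ), and the target id still comes from a nonce-protected form the administrator submitted, never from an unauthenticated request.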