Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2025-07-29
CVE-2025-5587 - Appzend Theme
The Appzend theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘progressbarLayout’ parameter in all versions up to, and including, 1.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Appzend
CVE-2025-5587
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2025-6495 - Bricks Theme
The Bricks theme for WordPress is vulnerable to blind SQL Injection via the ‘p’ parameter in all versions up to, and including, 1.12.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
THEME
Bricks
CVE-2025-6495
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2025-6989 - Kallyas Theme
The Kallyas theme for WordPress is vulnerable to arbitrary folder deletion due to insufficient file path validation in the delete_font() function in all versions up to, and including, 4.21.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary folders on the server.
THEME
Kallyas
CVE-2025-6989
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2025-6991 - Kallyas Theme
The kallyas theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.21.0 via the 'TH_LatestPosts4` widget. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
THEME
Kallyas
CVE-2025-6991
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2025-5529 - Educenter Theme
The Educenter theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Circle Counter Block in all versions up to, and including, 1.6.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Educenter
CVE-2025-5529
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2025-8097 - Woodmart Theme
The WoodMart theme for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 8.2.6. This is due to insufficient validation of the qty parameter in the woodmart_update_cart_item function. This makes it possible for unauthenticated attackers to manipulate cart quantities using fractional values, allowing them to obtain products for free by setting extremely small quantities (e.g., 0.00001) that round cart totals to $0.00, effectively bypassing payment requirements and allowing unauthorized acquisition of virtual or downloadable products.
THEME
Woodmart
CVE-2025-8097
Risk Score
Threat Entry
Updated 2025-07-29
CVE-2025-8198 - High Converting Ecommerce Wordpress Theme
The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to price manipulation in all versions up to, and including, 3.9.0. This is due to an insufficient check on quantity values when changing quantities in the cart. This makes it possible for unauthenticated attackers to add items to the cart and adjust the quantity to a fractional amount, causing the price to change based on the fractional amount. The vulnerability cannot be exploited if WooCommerce version 9.8.2+ is installed.
THEME
High Converting Ecommerce Wordpress Theme
CVE-2025-8198
Risk Score
Threat Entry
Updated 2025-07-22
CVE-2025-6222 - Manage User Wallet Theme
The WooCommerce Refund And Exchange with RMA - Warranty Management, Refund Policy, Manage User Wallet theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'ced_rnx_order_exchange_attach_files' function in all versions up to, and including, 3.2.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.
THEME
Manage User Wallet
CVE-2025-6222
Risk Score
Threat Entry
Updated 2025-07-16
CVE-2025-31422 - Allows Object Injection Theme
Deserialization of Untrusted Data vulnerability in designthemes Visual Art | Gallery WordPress Theme allows Object Injection. This issue affects Visual Art | Gallery WordPress Theme: from n/a through 2.4.
THEME
Allows Object Injection
CVE-2025-31422
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-5394 - Charity Multipurpose Non Profit Wordpress Theme
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the alone_import_pack_install_plugin() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to upload zip files containing webshells disguised as plugins from remote locations to achieve remote code execution.
THEME
Charity Multipurpose Non Profit Wordpress Theme
CVE-2025-5394
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-5393 - Charity Multipurpose Non Profit Wordpress Theme
The Alone – Charity Multipurpose Non-profit WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the alone_import_pack_restore_data() function in all versions up to, and including, 7.8.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
THEME
Charity Multipurpose Non Profit Wordpress Theme
CVE-2025-5393
Risk Score
Threat Entry
Updated 2025-07-15
CVE-2025-1313 - Nokri Job Board Wordpress Theme
The Nokri - Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email address. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
THEME
Nokri Job Board Wordpress Theme
CVE-2025-1313
Risk Score
Threat Entry
Updated 2025-07-10
CVE-2025-4606 - Saas Wordpress Theme
The Sala - Startup & SaaS WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.4. This is due to the theme not properly validating a user's identity prior to updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
THEME
Saas Wordpress Theme
CVE-2025-4606
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-6744 - The Woodmart Theme
The The Woodmart theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.2.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode through the woodmart_get_products_shortcode() function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
THEME
The Woodmart
CVE-2025-6744
Risk Score
Threat Entry
Updated 2025-07-09
CVE-2025-6743 - Woodmart Theme
The Woodmart theme for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'multiple_markers' attribute in all versions up to, and including, 8.2.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
THEME
Woodmart
CVE-2025-6743
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2025-52807 - Allows Php Local File Inclusion Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusWP Kossy - Minimalist eCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Kossy - Minimalist eCommerce WordPress Theme: from n/a through 1.45.
THEME
Allows Php Local File Inclusion
CVE-2025-52807
Risk Score
Threat Entry
Updated 2025-07-08
CVE-2025-32311 - Allows Reflected Xss Theme
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuanticaLabs Pressroom - News Magazine WordPress Theme allows Reflected XSS. This issue affects Pressroom - News Magazine WordPress Theme: from n/a through 6.9.
THEME
Allows Reflected Xss
CVE-2025-32311
Risk Score
Threat Entry
Updated 2025-07-03
CVE-2024-5647 - Changeset Theme
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
THEME
Changeset
CVE-2024-5647
Risk Score
Threat Entry
Updated 2025-07-03
CVE-2025-4946 - Vikinger Theme
The Vikinger theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the vikinger_delete_activity_media_ajax() function in all versions up to, and including, 1.9.32. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). Note: Requires Vikinger Media plugin to be installed and active.
THEME
Vikinger
CVE-2025-4946
Risk Score
Threat Entry
Updated 2025-07-03
CVE-2024-13786 - Education Theme
The education theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.6.10 via deserialization of untrusted input in the 'themerex_callback_view_more_posts' function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may…
THEME
Education
CVE-2024-13786
Risk Score