Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total470
Critical68
High135
Medium267
Reset
Showing 141-160 of 470 records
Threat Entry Updated 2025-07-03

CVE-2025-5014 - Real Estate Wordpress Theme

The Home Villas | Real Estate WordPress Theme theme for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wp_rem_cs_widget_file_delete' function in all versions up to, and including, 2.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

THEME Real Estate Wordpress Theme

CVE-2025-5014

HIGH CVSS 8.8 2025-07-02
Open Full Technical Breakdown
Threat Entry Updated 2025-07-03

CVE-2025-6934 - Used By The Fullhouse Real Estate Responsive Theme

The Opal Estate Pro – Property Management and Submission plugin for WordPress, used by the FullHouse - Real Estate Responsive WordPress Theme, is vulnerable to privilege escalation via in all versions up to, and including, 1.7.5. This is due to a lack of role restriction during registration in the 'on_regiser_user' function. This makes it possible for unauthenticated attackers to arbitrarily choose the role, including the Administrator role, assigned when registering.

THEME Used By The Fullhouse Real Estate Responsive

CVE-2025-6934

CRITICAL CVSS 9.8 2025-07-01
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2025-52811 - Allows Php Local File Inclusion Theme

Path Traversal vulnerability in Creanncy Davenport - Versatile Blog and Magazine WordPress Theme allows PHP Local File Inclusion. This issue affects Davenport - Versatile Blog and Magazine WordPress Theme: from n/a through 1.3.

THEME Allows Php Local File Inclusion

CVE-2025-52811

HIGH CVSS 8.1 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2025-28947 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme MBStore - Digital WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects MBStore - Digital WooCommerce WordPress Theme: from n/a through 2.3.

THEME Allows Php Local File Inclusion

CVE-2025-28947

HIGH CVSS 8.1 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2023-25998 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Samex - Clean, Minimal Shop WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Samex - Clean, Minimal Shop WooCommerce WordPress Theme: from n/a through 2.6.

THEME Allows Php Local File Inclusion

CVE-2023-25998

HIGH CVSS 8.1 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-06-30

CVE-2024-12827 - Listing Wordpress Theme

The DWT - Directory & Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

THEME Listing Wordpress Theme

CVE-2024-12827

CRITICAL CVSS 9.8 2025-06-27
Open Full Technical Breakdown
Threat Entry Updated 2025-06-23

CVE-2025-5524 - Oceanwp Theme

The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

THEME Oceanwp

CVE-2025-5524

MEDIUM CVSS 4.9 2025-06-19
Open Full Technical Breakdown
Threat Entry Updated 2025-06-16

CVE-2025-4200 - Accessories Woocommerce Wordpress Theme

The Zagg - Electronics & Accessories WooCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.4.1 via the load_view() function that is called via at least three AJAX actions: 'load_more_post', 'load_shop', and 'load_more_product. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other…

THEME Accessories Woocommerce Wordpress Theme

CVE-2025-4200

HIGH CVSS 8.1 2025-06-14
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-4973 - Used By The Workreap Freelance Marketplace Theme

The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to authentication bypass in all versions up to, and including, 3.3.1. This is due to the plugin not properly verifying a user's identity prior to logging them in when verifying an account with an email address. This makes it possible for unauthenticated attackers to log in as registered users, including administrators, if they know user's email address. This is only exploitable fi the user's confirmation_key has not already been set by the plugin.

THEME Used By The Workreap Freelance Marketplace

CVE-2025-4973

CRITICAL CVSS 9.8 2025-06-12
Open Full Technical Breakdown
Threat Entry Updated 2025-07-10

CVE-2025-5012 - Used By The Workreap Freelance Marketplace Theme

The Workreap plugin for WordPress, used by the Workreap - Freelance Marketplace WordPress Theme, is vulnerable to arbitrary file uploads due to missing file type validation in the 'workreap_temp_upload_to_media' function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

THEME Used By The Workreap Freelance Marketplace

CVE-2025-5012

HIGH CVSS 8.8 2025-06-12
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2025-31396 - Allows Object Injection Theme

Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5.

THEME Allows Object Injection

CVE-2025-31396

CRITICAL CVSS 9.8 2025-06-09
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2025-28945 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme Valen - Sport, Fashion WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects Valen - Sport, Fashion WooCommerce WordPress Theme: from n/a through 2.4.

THEME Allows Php Local File Inclusion

CVE-2025-28945

HIGH CVSS 8.1 2025-06-09
Open Full Technical Breakdown
Threat Entry Updated 2025-06-12

CVE-2023-25999 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in snstheme BodyCenter - Gym, Fitness WooCommerce WordPress Theme allows PHP Local File Inclusion. This issue affects BodyCenter - Gym, Fitness WooCommerce WordPress Theme: from n/a through 2.4.

THEME Allows Php Local File Inclusion

CVE-2023-25999

HIGH CVSS 8.1 2025-06-09
Open Full Technical Breakdown
Threat Entry Updated 2025-06-06

CVE-2025-1778 - Art Theme

The Art Theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'arttheme_theme_option_restore' AJAX function in all versions up to, and including, 3.12.2.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete the theme option.

THEME Art

CVE-2025-1778

MEDIUM CVSS 4.3 2025-06-06
Open Full Technical Breakdown
Threat Entry Updated 2025-06-04

CVE-2025-4797 - Golo City Travel Guide Wordpress Theme

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. This is due to the plugin not properly validating a user's identity prior to setting an authorization cookie. This makes it possible for unauthenticated attackers to log in as any user, including administrators, provided they know the user's email address.

THEME Golo City Travel Guide Wordpress Theme

CVE-2025-4797

CRITICAL CVSS 9.8 2025-06-03
Open Full Technical Breakdown
Threat Entry Updated 2025-05-23

CVE-2025-31912 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File Inclusion. This issue affects Enzio - Responsive Business WordPress Theme: from n/a through 1.1.8.

THEME Allows Php Local File Inclusion

CVE-2025-31912

HIGH CVSS 8.1 2025-05-23
Open Full Technical Breakdown
Threat Entry Updated 2025-05-23

CVE-2025-31633 - Allows Php Local File Inclusion Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local File Inclusion. This issue affects Kiamo - Responsive Business Service WordPress Theme: from n/a through 1.3.3.

THEME Allows Php Local File Inclusion

CVE-2025-31633

HIGH CVSS 8.1 2025-05-23
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2025-4524 - Responsive And Modern Wordpress Theme For Manga Sites

The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.

THEME Responsive And Modern Wordpress Theme For Manga Sites

CVE-2025-4524

CRITICAL CVSS 9.8 2025-05-21
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2025-4322 - Motors Theme

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

THEME Motors

CVE-2025-4322

CRITICAL CVSS 9.8 2025-05-20
Open Full Technical Breakdown
Threat Entry Updated 2025-05-21

CVE-2025-47576 - Vulnerability In Bringthepixel Bimber Viral Magazine Theme

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bringthepixel Bimber - Viral Magazine WordPress Theme.This issue affects Bimber - Viral Magazine WordPress Theme: from n/a through 9.2.5.

THEME Vulnerability In Bringthepixel Bimber Viral Magazine

CVE-2025-47576

HIGH CVSS 8.8 2025-05-19
Open Full Technical Breakdown
Scroll to top