Live Vulnerability Intelligence
Threat Database
Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.
Threat Entry
Updated 2026-03-06
CVE-2026-28043 - Healer - Doctor, Clinic & Medical WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme healer allows PHP Local File Inclusion.This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a through
THEME
Healer - Doctor, Clinic & Medical WordPress Theme
CVE-2026-28043
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27342 - TopFit - Fitness and Gym WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopFit - Fitness and Gym WordPress Theme topfit allows PHP Local File Inclusion.This issue affects TopFit - Fitness and Gym WordPress Theme: from n/a through
THEME
TopFit - Fitness and Gym WordPress Theme
CVE-2026-27342
Risk Score
Threat Entry
Updated 2026-03-06
CVE-2026-27341 - TopScorer - Sports WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes TopScorer - Sports WordPress Theme topscorer allows PHP Local File Inclusion.This issue affects TopScorer - Sports WordPress Theme: from n/a through
THEME
TopScorer - Sports WordPress Theme
CVE-2026-27341
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27340 - Apollo | Night Club, DJ Event WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Apollo | Night Club, DJ Event WordPress Theme apollo allows PHP Local File Inclusion.This issue affects Apollo | Night Club, DJ Event WordPress Theme: from n/a through
THEME
Apollo | Night Club, DJ Event WordPress Theme
CVE-2026-27340
Risk Score
Threat Entry
Updated 2026-03-11
CVE-2026-27339 - Buzz Stone | Magazine & Viral Blog WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Buzz Stone | Magazine & Viral Blog WordPress Theme buzzstone allows PHP Local File Inclusion.This issue affects Buzz Stone | Magazine & Viral Blog WordPress Theme: from n/a through
THEME
Buzz Stone | Magazine & Viral Blog WordPress Theme
CVE-2026-27339
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27337 - Chronicle - Lifestyle Magazine & Blog WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through
THEME
Chronicle - Lifestyle Magazine & Blog WordPress Theme
CVE-2026-27337
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27336 - Consultor | Consulting, Accounting & Legal Counsel WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme consultor allows PHP Local File Inclusion.This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through
THEME
Consultor | Consulting, Accounting & Legal Counsel WordPress Theme
CVE-2026-27336
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27326 - AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme window-ac-services allows PHP Local File Inclusion.This issue affects AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme: from n/a through
THEME
AC Services | HVAC, Air Conditioning & Heating Company WordPress Theme
CVE-2026-27326
Risk Score
Threat Entry
Updated 2026-03-09
CVE-2026-27097 - CasaMia | Property Rental Real Estate WordPress Theme
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes CasaMia | Property Rental Real Estate WordPress Theme casamia allows PHP Local File Inclusion.This issue affects CasaMia | Property Rental Real Estate WordPress Theme: from n/a through
THEME
CasaMia | Property Rental Real Estate WordPress Theme
CVE-2026-27097
Risk Score
Threat Entry
Updated 2026-04-01
CVE-2026-22459 - WordPress CTA Plugin
Missing Authorization vulnerability in Blend Media WordPress CTA easy-sticky-sidebar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WordPress CTA: from n/a through
PLUGIN
WordPress CTA
CVE-2026-22459
Risk Score
Threat Entry
Updated 2026-03-10
CVE-2026-22390 - Builderall Builder for WordPress Plugin
Improper Control of Generation of Code ('Code Injection') vulnerability in Builderall Builderall Builder for WordPress builderall-cheetah-for-wp allows Code Injection.This issue affects Builderall Builder for WordPress: from n/a through
PLUGIN
Builderall Builder for WordPress
CVE-2026-22390
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3523 - Apocalypse Meow Plugin
The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line…
PLUGIN
Apocalypse Meow
CVE-2026-3523
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2899 - Fluent Forms Pro Add On Pack Plugin
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter. Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for…
PLUGIN
Fluent Forms Pro Add On Pack
CVE-2026-2899
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-3034 - Ooohboi Steroids For Elementor Plugin
The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
PLUGIN
Ooohboi Steroids For Elementor
CVE-2026-3034
Risk Score
Threat Entry
Updated 2026-03-05
CVE-2026-2365 - Fluent Forms Pro Add On Pack Plugin
The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
PLUGIN
Fluent Forms Pro Add On Pack
CVE-2026-2365
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-2355 - My Calendar – Accessible Event Manager Plugin
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `
PLUGIN
My Calendar – Accessible Event Manager
CVE-2026-2355
Risk Score
Threat Entry
Updated 2026-03-31
CVE-2026-3058 - Seraphinite Accelerator Plugin
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the `seraph_accel_api` AJAX action with `fn=GetData`. This is due to the `OnAdminApi_GetData()` function not performing any capability checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive operational data including cache status, scheduled task information, and external database state.
PLUGIN
Seraphinite Accelerator
CVE-2026-3058
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-3056 - Seraphinite Accelerator Plugin
The Seraphinite Accelerator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `seraph_accel_api` AJAX action with `fn=LogClear` in all versions up to, and including, 2.28.14. This makes it possible for authenticated attackers, with Subscriber-level access and above, to clear the plugin's debug/operational logs.
PLUGIN
Seraphinite Accelerator
CVE-2026-3056
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-1674 - And Custom Form Builder Plugin
The Gutena Forms – Contact Form, Survey Form, Feedback Form, Booking Form, and Custom Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization within the save_gutena_forms_schema() function in all versions up to, and including, 1.6.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to update option values to a structured array value on the WordPress site. This can be leveraged to update an option that would create an error on the site and deny service to legitimate users or…
PLUGIN
And Custom Form Builder
CVE-2026-1674
Risk Score
Threat Entry
Updated 2026-03-04
CVE-2026-1706 - All In One Video Gallery Plugin
The All-in-One Video Gallery plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'vi' parameter in all versions up to, and including, 4.7.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
PLUGIN
All In One Video Gallery
CVE-2026-1706
Risk Score