CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-22712 – WordPress Typify theme <= 3.0.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-22712
07 Jan 2026 — The Typify theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.0.2. • https://vdp.patchstack.com/database/Wordpress/Theme/typify/vulnerability/wordpress-typify-theme-3-0-2-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-14358 – WordPress REHub Framework plugin <= 19.9.5 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-14358
07 Jan 2026 — The REHub Framework plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 19.9.5. • https://vdp.patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-5-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-22707 – WordPress Moody theme <= 2.7.3 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-22707
07 Jan 2026 — The Moody theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.7.3. • https://vdp.patchstack.com/database/Wordpress/Theme/tm-moody/vulnerability/wordpress-moody-theme-2-7-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67924 – WordPress Corpkit theme <= 2.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-67924
05 Jan 2026 — The Corpkit - Business Consulting WordPress Theme theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.0. • https://vdp.patchstack.com/database/Wordpress/Theme/corpkit/vulnerability/wordpress-corpkit-theme-2-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67915 – WordPress Timetics plugin <= 1.0.46 - Broken Authentication vulnerability
https://notcve.org/view.php?id=CVE-2025-67915
05 Jan 2026 — The Appointment Booking Calendar – WP Timetics Booking Plugin plugin for WordPress is vulnerable to unauthorized access due to an insufficient capability check in the api-customer.php file in all versions up to, and including, 1.0.46. • https://vdp.patchstack.com/database/Wordpress/Plugin/timetics/vulnerability/wordpress-timetics-plugin-1-0-46-broken-authentication-vulnerability?_s_id=cve • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-863: Incorrect Authorization •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67920 – WordPress Neo Ocular theme < 1.2 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2025-67920
05 Jan 2026 — The Neo Ocular theme for WordPress is vulnerable to Local File Inclusion in versions up to 1.2. • https://vdp.patchstack.com/database/Wordpress/Theme/neoocular/vulnerability/wordpress-neo-ocular-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67921 – WordPress Lobo theme < 2.8.6 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-67921
05 Jan 2026 — The Lobo theme for WordPress is vulnerable to SQL Injection in versions up to 2.8.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://vdp.patchstack.com/database/Wordpress/Theme/lobo/vulnerability/wordpress-lobo-theme-2-8-6-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67928 – WordPress Automotive Listings plugin <= 18.6 - SQL Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-67928
05 Jan 2026 — The Automotive Listings plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 18.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. • https://vdp.patchstack.com/database/Wordpress/Plugin/automotive/vulnerability/wordpress-automotive-listings-plugin-18-6-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67913 – WordPress Aruba HiSpeed Cache plugin < 3.0.3 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-67913
01 Jan 2026 — The Aruba HiSpeed Cache plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to 3.0.3 (exclusive). • https://vdp.patchstack.com/database/Wordpress/Plugin/aruba-hispeed-cache/vulnerability/wordpress-aruba-hispeed-cache-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization •
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0 • CVE-2025-67911 – WordPress Newsletters plugin <= 4.11 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-67911
31 Dec 2025 — The Newsletters plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.11 via deserialization of untrusted input. • https://vdp.patchstack.com/database/Wordpress/Plugin/newsletters-lite/vulnerability/wordpress-newsletters-plugin-4-11-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •
