CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Oct 2025 — The Theme Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0. • https://plugins.trac.wordpress.org/browser/theme-editor/trunk/app/controller/theme_controller.php#L87 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Oct 2025 — The PPOM – Product Addons & Custom Fields for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the image cropper functionality in all versions up to, and including, 33.0.15. • https://plugins.trac.wordpress.org/browser/woocommerce-product-addon/trunk/inc/hooks.php#L45 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Oct 2025 — The Felan Framework plugin for WordPress is vulnerable to improper authentication in versions up to, and including, 1.1.4. • https://themeforest.net/item/felan-freelance-marketplace-and-job-board-wordpress-theme/53612955 • CWE-798: Use of Hard-coded Credentials

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 Oct 2025 — The Truelysell Core plugin for WordPress is vulnerable to Arbitrary User Password Change in versions up to, and including, 1.8.6. • https://themeforest.net/item/truelysell-service-booking-wordpress-theme/43398124 • CWE-639: Authorization Bypass Through User-Controlled Key

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Oct 2025 — The Orion SMS OTP Verification plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.1.7. • https://plugins.trac.wordpress.org/browser/orion-sms-otp-verification/trunk/vendor/js/reset-password.js • CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

14 Oct 2025 — The Flex QR Code Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function in all versions up to, and including, 1.2.5. ... WordPress Flex QR Code Generator versions 1.2.5 and below are vulnerable to arbitrary file uploads due to missing file type validation in the save_qr_code_to_db() function. • https://wordpress.org/plugins/flex-qr-code-generator • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

14 Oct 2025 — The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. • https://wordpress.org/plugins/ownid-passwordless-login • CWE-288: Authentication Bypass Using an Alternate Path or Channel

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Oct 2025 — The WooCommerce Designer Pro plugin for WordPress, used by the Pricom - Printing Company & Design Services WordPress theme, is vulnerable to arbitrary file deletion due to insufficient file path validation in the 'wcdp_save_canvas_design_ajax' function in all versions up to, and including, 1.9.26. • https://codecanyon.net/item/woocommerce-designer-pro-cmyk-card-flyer/22027731 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Oct 2025 — The WP Freeio plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.21. • https://themeforest.net/item/freeio-freelance-marketplace-wordpress-theme/42045416 • CWE-269: Improper Privilege Management

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Oct 2025 — The Ovatheme Events Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_checkout() function in all versions up to, and including, 1.8.5. • https://themeforest.net/item/em4u-event-management-multipurpose-wordpress-theme/20846579 • CWE-434: Unrestricted Upload of File with Dangerous Type