
CVE-2025-31423 – WordPress Umberto <= 1.2.8 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31423
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/wordpress/theme/umberto/vulnerability/wordpress-umberto-1-2-8-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data

CVE-2025-31631 – WordPress Fish House <= 1.2.7 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31631
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/wordpress/theme/fish-house/vulnerability/wordpress-fish-house-1-2-7-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data

CVE-2025-31632 – WordPress La Boom <= 2.7 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31632
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SpyroPress La Boom allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file t... • https://patchstack.com/database/wordpress/theme/laboom/vulnerability/wordpress-la-boom-2-7-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVE-2025-31633 – WordPress Kiamo - Responsive Business Service WordPress Theme <= 1.3.3 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31633
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Kiamo - Responsive Business Service WordPress Theme allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in ca... • https://patchstack.com/database/wordpress/theme/kiamo/vulnerability/wordpress-kiamo-responsive-business-service-wordpress-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVE-2025-31634 – Insurance <= 3.5 - Authenticated (Subscriber+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2025-31634
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • CWE-502: Deserialization of Untrusted Data

CVE-2025-31912 – WordPress Enzio - Responsive Business WordPress Theme <= 1.1.8 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31912
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in gavias Enzio - Responsive Business WordPress Theme allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases wher... • https://patchstack.com/database/wordpress/theme/enzio/vulnerability/wordpress-enzio-responsive-business-wordpress-theme-1-1-8-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVE-2025-31913 – WordPress Ogami <= 1.53 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-31913
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Ogami allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file type... • https://patchstack.com/database/wordpress/theme/ogami/vulnerability/wordpress-ogami-1-53-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVE-2025-31916 – WordPress JP Students Result Management System Premium plugin 1.1.7 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2025-31916
21 May 2025 — The JP Students Result Management System Premium plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in version 1.1.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/jp-students-result-system-premium/vulnerability/wordpress-jp-students-result-management-system-premium-plugin-1-1-7-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVE-2025-32284 – WordPress Pet World <= 2.8 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-32284
21 May 2025 — If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/wordpress/theme/petsworld/vulnerability/wordpress-pet-world-2-8-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data

CVE-2025-32286 – WordPress Butcher <= 2.40 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-32286
21 May 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Butcher allows PHP Local File Inclusion. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file ty... • https://patchstack.com/database/wordpress/theme/butcher/vulnerability/wordpress-butcher-2-40-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')