
CVE-2024-12922 – Altair <= 5.2.4 - Unauthenticated Arbitrary Options Update via pp_import_current
https://notcve.org/view.php?id=CVE-2024-12922
18 Mar 2025 — The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://themeforest.net/item/tour-travel-agency-altair-theme/9318575 • CWE-862: Missing Authorization •

CVE-2024-13410 – CozyStay <= 1.7.0 and TinySalt <= 3.9.0 - Unauthenticated PHP Object Injection in ajax_handler
https://notcve.org/view.php?id=CVE-2024-13410
18 Mar 2025 — The CozyStay and TinySalt plugins for WordPress are vulnerable to PHP Object Injection in all versions up to, and including, 1.7.0, and in all versions up to, and including, 3.9.0, respectively, via deserialization of untrusted input in the 'ajax_handler' function. • https://themeforest.net/item/cozystay-hotel-booking-wordpress-theme/47383367#item-description__changelog • CWE-502: Deserialization of Untrusted Data •

CVE-2024-13442 – Service Finder Bookings <= 5.0 - Unauthenticated Privilege Escalation via Account Takeover
https://notcve.org/view.php?id=CVE-2024-13442
18 Mar 2025 — The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. • https://themeforest.net/item/service-finder-service-and-business-listing-wordpress-theme/15208793 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2024-13790 – MinimogWP – The High Converting eCommerce WordPress Theme <= 3.7.0 - Unauthenticated Local PHP File Inclusion
https://notcve.org/view.php?id=CVE-2024-13790
18 Mar 2025 — The MinimogWP – The High Converting eCommerce WordPress Theme theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.7.0 via the 'template' parameter. • https://themeforest.net/item/minimog-the-high-converting-ecommerce-wordpress-theme/36947163 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2024-13933 – FoodBakery | Delivery Restaurant Directory WordPress Theme <= 4.7 - Cross-Site Request Forgery in Multiple Functions
https://notcve.org/view.php?id=CVE-2024-13933
18 Mar 2025 — The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. • https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-1771 – Traveler <= 3.1.8 - Unauthenticated Local File Inclusion via hotel_alone_load_more_post
https://notcve.org/view.php?id=CVE-2025-1771
14 Mar 2025 — The Traveler theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.1.8 via the 'hotel_alone_load_more_post' function 'style' parameter. • https://travelerwp.com/traveler-changelog • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVE-2025-22526 – WordPress PHP/MySQL CPU performance statistics Plugin <= 1.2.1 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2025-22526
14 Mar 2025 — The PHP/MySQL CPU performance statistics plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.1 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/plugin/mywebtonet-performancestats/vulnerability/wordpress-php-mysql-cpu-performance-statistics-plugin-1-2-1-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-2232 – Realteo - Real Estate Plugin by Purethemes <= 1.2.8 - Authentication Bypass via 'do_register_user'
https://notcve.org/view.php?id=CVE-2025-2232
13 Mar 2025 — The Realteo - Real Estate Plugin by Purethemes plugin for WordPress, used by the Findeo Theme, is vulnerable to authentication bypass in all versions up to, and including, 1.2.8. • https://docs.purethemes.net/findeo/knowledge-base/changelog-findeo • CWE-269: Improper Privilege Management •

CVE-2024-13824 – CiyaShop - Multipurpose WooCommerce Theme <= 4.19.0 - Unauthenticated PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-13824
13 Mar 2025 — The CiyaShop - Multipurpose WooCommerce Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.19.0 via deserialization of untrusted input in the 'add_ciyashop_wishlist' and 'ciyashop_get_compare' functions. • https://themeforest.net/item/ciyashop-responsive-multipurpose-woocommerce-wordpress-theme/22055376#item-description__changelog • CWE-502: Deserialization of Untrusted Data •

CVE-2024-13913 – InstaWP Connect – 1-click WP Staging & Migration <= 0.1.0.83 - Cross-Site Request Forgery to Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-13913
13 Mar 2025 — The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.0.83. • https://plugins.trac.wordpress.org/browser/instawp-connect/trunk/admin/class-instawp-admin.php#L159 • CWE-352: Cross-Site Request Forgery (CSRF) •