
CVE-2025-31396 – WordPress FLAP - Business WordPress Theme <= 1.5 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31396
03 Jun 2025 — Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5. The FLAP - Business WordPress Theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/flap/vulnerability/wordpress-flap-business-wordpress-theme-1-5-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31398 – WordPress PIMP - Creative MultiPurpose <= 1.7 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-31398
03 Jun 2025 — The PIMP theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/pimp/vulnerability/wordpress-pimp-creative-multipurpose-1-7-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49073 – WordPress Sweet Dessert < 1.1.13 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49073
03 Jun 2025 — The Sweet Dessert theme for WordPress is vulnerable to PHP Object Injection in versions up to 1.1.13 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/sweet-dessert/vulnerability/wordpress-sweet-dessert-1-1-13-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-4797 – Golo <= 1.7.0 - Authentication Bypass to Account Takeover
https://notcve.org/view.php?id=CVE-2025-4797
02 Jun 2025 — The Golo - City Travel Guide WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. • https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-4607 – PSW Front-end Login & Registration <= 1.12 - Insufficiently Random Values to Unauthenticated Account Takeover/Privilege Escalation via customer_registration Function
https://notcve.org/view.php?id=CVE-2025-4607
30 May 2025 — The PSW Front-end Login & Registration plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.12 via the customer_registration() function. • https://wordpress.org/plugins/psw-login-and-registration/#developers • CWE-330: Use of Insufficiently Random Values •

CVE-2025-4631 – Profitori 2.0.6.0 - 2.1.1.3 - Missing Authorization to Unauthenticated Privilege Escalation via stocktend_object Endpoint
https://notcve.org/view.php?id=CVE-2025-4631
30 May 2025 — The Profitori plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the stocktend_object endpoint in versions 2.0.6.0 to 2.1.1.3. • https://wordpress.org/plugins/profitori/#developers • CWE-285: Improper Authorization •

CVE-2025-32291 – WordPress SUMO Affiliates Pro <= 10.7.0 - Arbitrary File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2025-32291
30 May 2025 — The SUMO Affiliates Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 10.7.0. • https://patchstack.com/database/wordpress/plugin/affs/vulnerability/wordpress-sumo-affiliates-pro-10-7-0-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-48336 – WordPress Course Builder < 3.6.6 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-48336
29 May 2025 — The Course Builder - Online Course WordPress Theme for WordPress is vulnerable to PHP Object Injection in all versions up to 3.6.6 (exclusive) via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/course-builder/vulnerability/wordpress-course-builder-3-6-6-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31052 – WordPress The Fashion - Model Agency One Page Beauty Theme <= 1.4.4 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-31052
29 May 2025 — The Fashion - Model Agency One Page Beauty Theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/nrgfashion/vulnerability/wordpress-the-fashion-model-agency-one-page-beauty-theme-1-4-4-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-5058 – eMagicOne Store Manager for WooCommerce <= 1.2.5 - Unauthenticated Arbitrary File Upload via set_image()
https://notcve.org/view.php?id=CVE-2025-5058
23 May 2025 — The eMagicOne Store Manager for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the set_image() function in all versions up to, and including, 1.2.5. • https://github.com/d0n601/CVE-2025-5058 • CWE-434: Unrestricted Upload of File with Dangerous Type •