
CVE-2025-49455 – WordPress TinySalt < 3.10.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49455
09 Jun 2025 — The TinySalt theme for WordPress is vulnerable to PHP Object Injection in versions up to 3.10.0 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/tinysalt/vulnerability/wordpress-tinysalt-3-10-0-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-5486 – WP Email Debug 1.0 - 1.1.0 - Missing Authorization to Unauthenticated Privilege Escalation via Password Reset
https://notcve.org/view.php?id=CVE-2025-5486
05 Jun 2025 — The WP Email Debug plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the WPMDBUG_handle_settings() function in versions 1.0 to 1.1.0. • https://www.wordfence.com/threat-intel/vulnerabilities/id/d3af64a2-3bd6-47af-919e-00c5249dcc74?source=cve • CWE-862: Missing Authorization •

CVE-2025-31022 – WordPress PayU India plugin < 3.8.8 - Account Takeover vulnerability
https://notcve.org/view.php?id=CVE-2025-31022
05 Jun 2025 — The PayU CommercePro Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 3.8.7. • https://patchstack.com/database/wordpress/plugin/payu-india/vulnerability/wordpress-payu-india-plugin-3-8-5-account-takeover-vulnerability? • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-5701 – HyperComments <= 1.2.2 - Unauthenticated (Subscriber+) Arbitrary Options Update
https://notcve.org/view.php?id=CVE-2025-5701
04 Jun 2025 — The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hc_request_handler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. • https://packetstorm.news/files/id/200686 • CWE-862: Missing Authorization •

CVE-2025-31429 – WordPress PressGrid - Frontend Publish Reaction & Multimedia Theme <= 1.3.1 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-31429
04 Jun 2025 — The PressGrid theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.3.1 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/press-grid/vulnerability/wordpress-pressgrid-frontend-publish-reaction-multimedia-theme-1-3-1-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31396 – WordPress FLAP - Business WordPress Theme <= 1.5 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-31396
03 Jun 2025 — Deserialization of Untrusted Data vulnerability in themeton FLAP - Business WordPress Theme allows Object Injection. This issue affects FLAP - Business WordPress Theme: from n/a through 1.5. The FLAP - Business WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 1.5 via deserialization of untrusted input [from the vulnerable parameter? • https://patchstack.com/database/wordpress/theme/flap/vulnerability/wordpress-flap-business-wordpress-theme-1-5-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-31398 – WordPress PIMP - Creative MultiPurpose <= 1.7 - Deserialization of untrusted data Vulnerability
https://notcve.org/view.php?id=CVE-2025-31398
03 Jun 2025 — The PIMP theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.7 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/pimp/vulnerability/wordpress-pimp-creative-multipurpose-1-7-deserialization-of-untrusted-data-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-49073 – WordPress Sweet Dessert < 1.1.13 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49073
03 Jun 2025 — The Sweet Dessert theme for WordPress is vulnerable to PHP Object Injection in versions up to 1.1.13 via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/sweet-dessert/vulnerability/wordpress-sweet-dessert-1-1-13-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •

CVE-2025-4797 – Golo <= 1.7.0 - Authentication Bypass to Account Takeover
https://notcve.org/view.php?id=CVE-2025-4797
02 Jun 2025 — The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.7.0. • https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2025-49072 – WordPress Mr.
https://notcve.org/view.php?id=CVE-2025-49072
02 Jun 2025 — The Mr. Murphy - Custom Dress Tailoring Clothing WordPress Theme theme for WordPress is vulnerable to PHP Object Injection in all versions up to 1.2.12.1 (exclusive) via deserialization of untrusted input. • https://patchstack.com/database/wordpress/theme/mr-murphy/vulnerability/wordpress-mr-murphy-1-2-12-1-php-object-injection-vulnerability? • CWE-502: Deserialization of Untrusted Data •