CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49454 – WordPress TinySalt < 3.10.0 - Local File Inclusion Vulnerability
https://notcve.org/view.php?id=CVE-2025-49454
09 Jun 2025 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean TinySalt allows PHP Local File Inclusion.This issue affects TinySalt: from n/a before 3.10.0. The TinySalt theme for WordPress is vulnerable to Local File Inclusion in versions up to 3.10.0. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass a... • https://patchstack.com/database/wordpress/theme/tinysalt/vulnerability/wordpress-tinysalt-3-10-0-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2025-49455 – WordPress TinySalt < 3.10.0 - PHP Object Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-49455
09 Jun 2025 — Deserialization of Untrusted Data vulnerability in LoftOcean TinySalt allows Object Injection.This issue affects TinySalt: from n/a before 3.10.0. The TinySalt theme for WordPress is vulnerable to PHP Object Injection in versions up to 3.10.0 via deserialization of untrusted input. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it... • https://patchstack.com/database/wordpress/theme/tinysalt/vulnerability/wordpress-tinysalt-3-10-0-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data •