Skip to main content
CVE-2025-58932 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Prisma prisma allows PHP Local File Inclusion.This issue affects Prisma: from n/a through <= 1.10.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58931 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Palatio palatio allows PHP Local File Inclusion.This issue affects Palatio: from n/a through <= 1.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58930 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes FitFlex fitflex allows PHP Local File Inclusion.This issue affects FitFlex: from n/a through <= 1.6.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58929 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Pantry pantry allows PHP Local File Inclusion.This issue affects Pantry: from n/a through <= 1.4.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58898 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes HealthHub healthhub allows PHP Local File Inclusion.This issue affects HealthHub: from n/a through <= 1.3.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58896 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Otaku otaku allows PHP Local File Inclusion.This issue affects Otaku: from n/a through <= 1.8.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58895 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Integro integro allows PHP Local File Inclusion.This issue affects Integro: from n/a through <= 1.8.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58894 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Good Mood good-mood allows PHP Local File Inclusion.This issue affects Good Mood: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58893 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Alright alright allows PHP Local File Inclusion.This issue affects Alright: from n/a through <= 1.6.1.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58892 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Tourimo tourimo allows PHP Local File Inclusion.This issue affects Tourimo: from n/a through <= 1.2.3.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58891 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Sanger sanger allows PHP Local File Inclusion.This issue affects Sanger: from n/a through <= 1.24.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58890 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Playful playful allows PHP Local File Inclusion.This issue affects Playful: from n/a through <= 1.19.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58889 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Towny towny allows PHP Local File Inclusion.This issue affects Towny: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58888 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes The Flash theflash allows PHP Local File Inclusion.This issue affects The Flash: from n/a through <= 1.15.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58885 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Pathfinder pathfinder allows PHP Local File Inclusion.This issue affects Pathfinder: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58879 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Festy festy allows PHP Local File Inclusion.This issue affects Festy: from n/a through <= 1.13.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-58803 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Algenix algenix allows PHP Local File Inclusion.This issue affects Algenix: from n/a through <= 1.0.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-53453 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Hygia hygia allows PHP Local File Inclusion.This issue affects Hygia: from n/a through <= 1.16.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49366 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Hanani hanani allows PHP Local File Inclusion.This issue affects Hanani: from n/a through <= 1.2.11.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49365 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Jack Well jack-well allows PHP Local File Inclusion.This issue affects Jack Well: from n/a through <= 1.0.14.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49364 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ludos Paradise ludos-paradise allows PHP Local File Inclusion.This issue affects Ludos Paradise: from n/a through <= 2.1.3.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49363 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion.This issue affects Kings & Queens: from n/a through <= 1.1.16.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49362 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion.This issue affects Gracioza: from n/a through <= 1.0.15.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49361 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mamita mamita allows PHP Local File Inclusion.This issue affects Mamita: from n/a through <= 1.0.9.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49360 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion.This issue affects Militarology: from n/a through <= 1.0.15.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-49359 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion.This issue affects ShieldGroup: from n/a through <= 2.13.

PHP Information Disclosure LFI
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-60071 HIGH This Week

Local file inclusion in Riode WordPress theme versions ≤1.6.23 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem, potentially exposing configuration files, credentials, and source code. The vulnerability stems from improper filename control in PHP include/require statements. Despite the high CVSS score of 8.1, EPSS indicates only 0.06% exploitation probability (18th percentile), suggesting limited attacker interest. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-64230 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WP Chill Filr filr-protection allows Path Traversal.This issue affects Filr: from n/a through <= 1.2.10.

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-58938 HIGH This Week

Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects IDonatePro: from n/a through <= 2.1.9.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60080 HIGH This Week

PHP object injection in PDF for Gravity Forms + Drag And Drop Template Builder (WordPress plugin) versions up to 6.5.0 allows authenticated attackers with low privileges to execute arbitrary code or manipulate application logic via unsafe deserialization. CVSS 7.5 (High) but EPSS probability of 0.07% (22nd percentile) indicates low observed exploitation likelihood. No public exploit identified at time of analysis, and attack requires high complexity (AC:H) with authenticated access (PR:L).

WordPress PHP Deserialization
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60076 HIGH This Week

Local file inclusion in Ray Enterprise Translation WordPress plugin through version 1.7.1 allows remote attackers to read arbitrary files on the server via path traversal in PHP include statements. Despite the moderate CVSS score of 7.5, the EPSS probability of 0.06% (20th percentile) indicates minimal observed exploitation activity in the wild. Patchstack has cataloged this vulnerability with proof-of-concept details, requiring attackers to overcome high complexity conditions and user interaction to achieve impact across confidentiality, integrity, and availability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60078 HIGH This Week

Local file inclusion in Task Manager WordPress plugin versions ≤3.0.2 enables authenticated attackers with low privileges to read arbitrary files from the web server through improper filename control in PHP include/require statements. Exploitation requires network access with high attack complexity. EPSS score of 0.06% (18th percentile) indicates low probability of mass exploitation. No active exploitation confirmed in CISA KEV at time of analysis, though Patchstack vulnerability database documents this as a disclosed LFI vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64222 HIGH This Week

Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0.

WordPress Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-64214 HIGH This Week

Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects MasterStudy LMS Pro: from n/a through < 4.7.16.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-60086 HIGH This Week

Missing Authorization vulnerability in Matt WP Voting Contest wp-voting-contest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Voting Contest: from n/a through <= 5.8.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-58877 HIGH This Week

Missing Authorization vulnerability in javothemes Javo Core javo-core allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Javo Core: from n/a through <= 3.0.0.529.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-7358 HIGH This Week

Hard-coded credentials in Utarit Informatics SoliClub Android application versions prior to 5.3.7 allow remote unauthenticated attackers to abuse authentication and access confidential data. The flaw is tracked under CWE-798 with a CVSS 7.5 (high) confidentiality-only impact, and currently shows no public exploit identified at time of analysis with a low EPSS score of 0.06% (18th percentile).

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66117 HIGH This Week

Missing Authorization vulnerability in Ays Pro Easy Form easy-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Form: from n/a through <= 2.7.8.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66088 HIGH This Week

Missing Authorization vulnerability in Property Hive PropertyHive propertyhive allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PropertyHive: from n/a through <= 2.1.12.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66070 HIGH This Week

Missing Authorization vulnerability in Tomdever wpForo Forum wpforo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects wpForo Forum: from n/a through <= 2.4.10.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-66054 HIGH This Week

Missing Authorization vulnerability in ThimPress LearnPress learnpress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LearnPress: from n/a through <= 4.2.9.4.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-1031 HIGH This Week

Authorization bypass in Utarit Informatics SoliClub Android application versions 5.2.4 through 5.3.6 allows remote unauthenticated attackers to access or manipulate other users' data by tampering with user-controlled identifiers (IDOR). The flaw enables functionality misuse with high impact on confidentiality (CVSS 7.5), though no public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.04%.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-1029 HIGH This Week

Hard-coded credentials in Utarit Information Services SoliClub Android app (versions 5.2.4 through 5.3.7) allow remote unauthenticated attackers to read sensitive constants embedded within the executable. The flaw was reported by Turkey's national CERT (USOM) and carries a CVSS 7.5 with high confidentiality impact but no integrity or availability effect; no public exploit identified at time of analysis and EPSS is very low at 0.04%.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-1030 HIGH This Week

Information disclosure in Utarit Informatics SoliClub Android app versions 5.2.4 through 5.3.6 allows remote unauthenticated attackers to query the system and retrieve private personal information belonging to other users. The flaw stems from inadequate access controls on a query interface, and while CVSS rates it 7.5 (High), the EPSS probability of exploitation is very low (0.04%, 13th percentile) and no public exploit identified at time of analysis.

Authentication Bypass Soliclub
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-40898 HIGH This Week

Path traversal in Nozomi Networks CMC and Guardian allows authenticated users with limited privileges to write arbitrary files to any system location by uploading a malicious Arc data archive. This enables device configuration tampering and denial-of-service attacks. Attack requires low-privilege authentication but has high integrity and availability impact (CVSS 7.2). No public exploit identified at time of analysis, though the attack vector is straightforward for authenticated insiders or compromised accounts.

Path Traversal Cmc Guardian
NVD
CVSS 4.0
7.2
EPSS
0.1%
CVE-2025-64372 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shinetheme Traveler traveler allows Reflected XSS.This issue affects Traveler: from n/a through < 3.2.6.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-64189 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows Reflected XSS.This issue affects XStore Core: from n/a through < 5.6.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-64378 HIGH This Week

Missing Authorization vulnerability in CridioStudio ListingPro listingpro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ListingPro: from n/a through < 2.9.10.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-60079 HIGH This Week

Missing Authorization vulnerability in bPlugins Parallax Section block parallax-section allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Parallax Section block: from n/a through <= 1.0.9.

Authentication Bypass
NVD
CVSS 3.1
7.1
EPSS
0.1%
CVE-2025-40892 HIGH This Week

Stored cross-site scripting in Nozomi Networks CMC and Guardian allows authenticated users with report privileges to inject malicious JavaScript payloads into report definitions. When victims view or import these weaponized reports, the XSS executes in their browser context, enabling attackers to modify application data, disrupt availability, and access sensitive information. The vulnerability requires low-privilege authentication and user interaction (CVSS:4.0 score 7.1, PR:L/UI:P), with high integrity and availability impacts but limited confidentiality exposure. No public exploit identified at time of analysis, though the attack technique is well-understood and straightforward given the stored XSS nature.

XSS Cmc Guardian
NVD
CVSS 4.0
7.1
EPSS
0.1%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy