Skip to main content
CVE-2025-67920 HIGH This Week

Neo Ocular WordPress theme (before 1.2) allows PHP Local File Inclusion through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22712 HIGH This Week

Typify WordPress theme (through 3.0.2) allows PHP Local File Inclusion via improper filename control.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22708 HIGH This Week

Mitech WordPress theme (through 2.3.4) allows PHP Local File Inclusion through improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22707 HIGH This Week

Moody WordPress theme (through 2.7.3) allows PHP Local File Inclusion through improper filename control.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-22509 HIGH This Week

Atlas WordPress theme (through 2.1.0) allows PHP Local File Inclusion through improper filename control in PHP include statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14431 HIGH This Week

Navian WordPress theme (through 1.5.4) allows PHP Local File Inclusion through improper filename control.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14430 HIGH This Week

Brook WordPress theme (through 2.8.9) allows PHP Local File Inclusion via improper filename control in PHP include statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14429 HIGH This Week

AeroLand WordPress theme (through 1.6.6) allows PHP Local File Inclusion through improper filename control. Unauthenticated RCE possible via include chain.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-14359 HIGH This Week

Oshine WordPress theme (through 7.2.7) allows PHP Local File Inclusion via improper filename control in include/require statements.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-12550 HIGH This Week

OchaHouse WordPress theme (through 2.2.8) allows PHP Local File Inclusion via improper filename control. Same vulnerability class as CVE-2025-12549.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-12549 HIGH This Week

Rozy Flower Shop WordPress theme (through 1.2.25) allows PHP Local File Inclusion through improper filename control in include/require statements. Unauthenticated RCE possible.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67937 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Hendon hendon allows PHP Local File Inclusion.This issue affects Hendon: from n/a through < 1.7. [CVSS 8.1 HIGH]

PHP LFI Hendon
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67936 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Curly curly allows PHP Local File Inclusion.This issue affects Curly: from n/a through < 3.3. [CVSS 8.1 HIGH]

PHP LFI Curly
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67935 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Optimize optimizewp allows PHP Local File Inclusion.This issue affects Optimize: from n/a through < 2.4. [CVSS 8.1 HIGH]

PHP LFI Optimize
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-67934 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Wellspring wellspring allows PHP Local File Inclusion.This issue affects Wellspring: from n/a through < 2.8. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-55125 HIGH This Week

This vulnerability allows a Backup or Tape Operator to perform remote code execution (RCE) as root by creating a malicious backup configuration file. [CVSS 7.8 HIGH]

RCE Veeam Backup Replication
NVD
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-21427 HIGH This Week

Arbitrary code execution in PIONEER CORPORATION product installers through DLL search path manipulation allows local attackers with user interaction to execute malicious code with installer privileges. The vulnerability affects multiple products and requires user interaction to trigger, potentially compromising system integrity during software installation. No patch is currently available.

Privilege Escalation RCE
NVD
CVSS 3.0
7.8
EPSS
0.0%
CVE-2025-67914 HIGH This Week

Path Traversal: '.../...//' vulnerability in beeteam368 VidMov vidmov allows Path Traversal.This issue affects VidMov: from n/a through <= 2.3.8. [CVSS 7.5 HIGH]

Path Traversal
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2026-22230 HIGH This Week

OPEXUS eCASE Audit contains an access control bypass that allows authenticated users to circumvent administrative restrictions by manipulating client-side JavaScript or crafting direct HTTP requests to re-enable disabled functions and buttons. This vulnerability affects eCASE Platform versions prior to 11.14.1.0 and could enable attackers to perform unauthorized actions that administrators have explicitly blocked. No patch is currently available for affected deployments.

Authentication Bypass Ecase Audit
NVD
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-22521 HIGH This Week

PHP Local File Inclusion in G5Theme Handmade Framework versions up to 3.9 enables authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. An attacker with valid credentials can exploit this vulnerability to access sensitive configuration files, source code, or other protected data without requiring user interaction. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68151 HIGH PATCH This Week

CoreDNS is a DNS server that chains plugins. Prior to version 1.14.0, multiple CoreDNS server implementations (gRPC, HTTPS, and HTTP/3) lack critical resource-limiting controls. An unauthenticated remote attacker can exhaust memory and degrade or crash the server by opening many concurrent connections, streams, or sending oversized request bodies. The issue is similar in nature to CVE-2025-47950 (QUIC DoS) but affects additional server types that do not enforce connection limits, stream limit...

DNS Denial Of Service Coredns Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-21868 HIGH This Week

Flagforge versions 2.3.2 and earlier suffer from a Regular Expression Denial of Service (ReDoS) vulnerability in the user profile API endpoint that accepts unvalidated usernames containing regex metacharacters, allowing unauthenticated remote attackers to trigger excessive CPU consumption and deny service to legitimate users. The MongoDB regex engine processes these malicious patterns inefficiently, making the platform unavailable without administrator intervention. No patch is currently available; users should implement WAF rules to filter regex metacharacters from username inputs as a temporary mitigation.

MongoDB Denial Of Service Flagforge
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14360 HIGH This Week

Blockons WordPress plugin (through 1.2.15) has missing authorization allowing unauthenticated access to restricted functionality with full CIA impact.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-14358 HIGH This Week

REHub Framework for WordPress (through 19.9.5) has missing authorization allowing unauthenticated access to restricted functionality with full CIA impact.

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67925 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in zozothemes Corpkit corpkit allows PHP Local File Inclusion.This issue affects Corpkit: from n/a through <= 2.0. [CVSS 8.1 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-67931 HIGH This Week

Insertion of Sensitive Information Into Sent Data vulnerability in AITpro BulletProof Security bulletproof-security allows Retrieve Embedded Sensitive Data.This issue affects BulletProof Security: from n/a through <= 6.9. [CVSS 7.5 HIGH]

Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-65518 HIGH This Week

Plesk Obsidian versions 8.0.1 through 18.0.73 are vulnerable to a Denial of Service (DoS) condition. [CVSS 7.5 HIGH]

PHP Denial Of Service Plesk Obsidian
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22245 HIGH PATCH This Week

Mastodon's IP address filtering bypass (CWE-918) permits attackers to craft requests using unblocked IP ranges to reach local and loopback services, potentially exposing private resources and internal APIs. An unauthenticated remote attacker can exploit incomplete private address range validation in Mastodon instances to perform Server-Side Request Forgery (SSRF) attacks. Patched versions 4.5.4, 4.4.11, 4.3.17, and 4.2.29 are available.

SSRF Mastodon
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-22715 HIGH This Week

Missing Authorization vulnerability in loopus WP Attractive Donations System - Easy Stripe & Paypal donations WP_AttractiveDonationsSystem allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Attractive Donations System - Easy Stripe & Paypal donations: from n/a through <= 1.25. [CVSS 8.1 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22235 HIGH This Week

Ecase Ecomplaint versions up to 9.0.45.0 is affected by authorization bypass through user-controlled key (CVSS 7.5).

Authentication Bypass Ecase Ecomplaint
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14436 HIGH This Week

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.2%
CVE-2025-15224 LOW POC PATCH Monitor

When doing SSH-based transfers using either SCP or SFTP, and asked to do public key authentication, curl would wrongly still ask and authenticate using a locally running SSH agent. [CVSS 3.1 LOW]

SSH
NVD VulDB
CVSS 3.1
3.1
EPSS
0.1%
CVE-2025-68891 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ryan Sutana WP App Bar wp-app-bar allows Reflected XSS.This issue affects WP App Bar: from n/a through <= 1.5. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68874 HIGH This Week

Shahjada Visitor Stats Widget visitor-stats-widget is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68873 HIGH This Week

chloédigital PRIMER by chloédigital primer-by-chloedigital is affected by cross-site scripting (xss) (CVSS 7.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68892 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in gopiplus@hotmail.com Scroll rss excerpt scroll-rss-excerpt allows Reflected XSS.This issue affects Scroll rss excerpt: from n/a through <= 5.0. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68890 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in hands01 e-shops e-shops-cart2 allows DOM-Based XSS.This issue affects e-shops: from n/a through <= 1.0.4. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67933 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS.This issue affects Taskbuilder: from n/a through <= 4.0.9. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67932 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes Listeo Core listeo-core allows Reflected XSS.This issue affects Listeo Core: from n/a through < 2.0.19. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67930 HIGH This Week

Vernon Systems Limited eHive Search ehive-search is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67927 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.8.8. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67922 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Reflected XSS.This issue affects Grand Restaurant: from n/a through < 7.0.9. [CVSS 6.1 MEDIUM]

XSS Grand Restaurant
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67918 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WofficeIO Woffice woffice allows Reflected XSS.This issue affects Woffice: from n/a through <= 5.4.30. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67916 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Astoundify Jobify jobify allows Reflected XSS.This issue affects Jobify: from n/a through <= 4.3.0. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27004 HIGH This Week

LambertGroup Famous - Responsive Image And Video Grid Gallery WordPress Plugin famous_grid_image_and_video_gallery is affected by cross-site scripting (xss) (CVSS 6.1).

WordPress XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-27002 HIGH This Week

LambertGroup CountDown With Image or Video Background countdown-with-background is affected by cross-site scripting (xss) (CVSS 6.1).

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-22725 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in loopus WP Virtual Assistant VirtualAssistant allows Stored XSS.This issue affects WP Virtual Assistant: from n/a through <= 3.0. [CVSS 5.4 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-13504 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Real Estate Pro real-estate-pro allows Reflected XSS.This issue affects Real Estate Pro: from n/a through <= 2.1.4. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-12551 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins ListingHub listinghub allows Reflected XSS.This issue affects ListingHub: from n/a through 1.2.6. [CVSS 6.1 MEDIUM]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68889 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Pinpoll Pinpoll pinpoll allows Reflected XSS.This issue affects Pinpoll: from n/a through <= 4.0.0. [CVSS 7.1 HIGH]

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
Prev Page 3 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy