Skip to main content
CVE-2026-27338 HIGH This Week

Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-23798 HIGH This Week

blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22473 HIGH This Week

Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-28210 HIGH This Week

Unauthenticated SQL injection in the FreePBX CDR module (versions before 16.0.49 and 17.0.7) allows authenticated users to execute arbitrary SQL commands and potentially compromise the entire database. An attacker with valid credentials can exploit this vulnerability to read sensitive call records, modify system data, or escalate privileges within the FreePBX system. No patch is currently available, leaving affected installations at high risk until upgrades are deployed.

SQLi Freepbx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22471 HIGH This Week

maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).

Deserialization
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1720 HIGH This Week

WowOptin: Next-Gen Popup Maker plugin for WordPress versions up to 1.4.24 fails to validate user permissions on plugin installation functions, allowing authenticated subscribers to install and activate arbitrary plugins. This privilege escalation vulnerability enables low-privileged attackers to execute remote code with full WordPress permissions. No patch is currently available.

WordPress Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26416 HIGH This Week

Privilege escalation in Cognix Platform v3.0 permits authenticated users to bypass authorization controls and assume higher-privileged roles through specially crafted requests. This vulnerability affects all users with valid credentials and could allow attackers to gain unauthorized administrative access. No patch is currently available.

Privilege Escalation Cognix Platform
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-28284 HIGH This Week

SQL injection in the FreePBX logfiles module allows authenticated attackers to manipulate database queries and potentially extract sensitive data or modify system records. Versions prior to 16.0.10 and 17.0.5 are vulnerable, and attackers with valid FreePBX credentials can exploit this weakness to achieve high-impact unauthorized access to confidential information and system integrity. No patch is currently available for affected deployments.

SQLi Freepbx
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25048 HIGH PATCH This Week

Denial of service in the mlc-ai xgrammar structured-generation library (versions prior to 0.1.32) allows remote attackers to crash the host process via deeply multi-level nested grammar syntax that triggers a segmentation fault (core dump). Because xgrammar is typically embedded in LLM inference servers to constrain model output, an attacker who can influence the grammar/schema passed to the engine can take the service offline. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.06%), but the issue is fixed and has been picked up in multiple Red Hat advisories.

Information Disclosure Xgrammar
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-30795 HIGH This Week

RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).

Apple Information Disclosure Microsoft Google Android +2
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-3598 HIGH This Week

RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.

Information Disclosure Apple Microsoft Windows macOS
NVD VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-29125 MEDIUM POC This Month

Sfx2100 Firmware versions up to - is affected by incorrect permission assignment for critical resource (CVSS 4.7).

DNS Denial Of Service Sfx2100 Firmware
NVD
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-26125 HIGH PATCH This Week

Payment Orchestrator Service Elevation of Privilege Vulnerability [CVSS 8.6 HIGH]

Authentication Bypass Payment Orchestrator Service
NVD VulDB
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-22460 HIGH This Week

Path traversal in wpWax FormGent plugin versions up to 1.4.2 enables unauthenticated remote attackers to access files outside intended directories. The vulnerability requires no user interaction and can be exploited over the network to cause denial of service or potentially disclose sensitive information. No patch is currently available for this high-severity issue.

Path Traversal
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2026-28463 HIGH PATCH This Week

OpenClaw's exec-approvals feature validates command allowlists before shell expansion but fails to account for expansion during actual execution, enabling authorized users or attackers performing prompt injection to read arbitrary files through glob patterns and environment variables. This arbitrary file disclosure affects systems with host execution enabled in allowlist mode, potentially exposing sensitive data accessible to the gateway or node process. A patch is available to address this command injection vulnerability.

Command Injection Openclaw
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-28134 HIGH This Week

Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.

Code Injection RCE
NVD
CVSS 3.1
8.5
EPSS
0.1%
CVE-2026-28133 HIGH This Week

Arbitrary file upload in Filr WordPress plugin versions ≤1.2.12 allows authenticated attackers with low privileges to upload web shells, achieving remote code execution with changed scope (S:C). Despite high CVSS 8.5, exploitation requires authentication and moderately complex conditions (AC:H). EPSS probability remains very low at 0.03% (10th percentile), and no active exploitation or public proof-of-concept has been identified. Patchstack disclosure indicates this is a targeted vulnerability requiring specific WordPress role permissions rather than mass-exploitable issue.

File Upload
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-27428 HIGH This Week

Eagle Booking plugin versions 1.3.4.3 and earlier contain an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries over the network. An attacker with user-level privileges can exploit this to extract sensitive data from the database or potentially modify application data, though no patch is currently available.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-27373 HIGH This Week

Essekia Tablesome versions up to 1.2.3 contain a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through improper input sanitization. An attacker with valid credentials can exploit this to extract sensitive data from the database, though no patch is currently available. The vulnerability has a CVSS score of 8.5 and requires network access with low attack complexity.

SQLi
NVD
CVSS 3.1
8.5
EPSS
0.0%
CVE-2026-28485 HIGH PATCH This Week

Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 8.4).

Authentication Bypass RCE Openclaw
NVD GitHub
CVSS 3.1
8.4
EPSS
0.1%
CVE-2026-30792 HIGH This Week

Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).

Apple Information Disclosure Microsoft Google Rustdesk
NVD VulDB
CVSS 4.0
8.3
EPSS
0.1%
CVE-2026-28451 HIGH PATCH This Week

OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.

SSRF AI / ML Openclaw
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-28135 HIGH This Week

WP Royal Royal Elementor Addons royal-elementor-addons is affected by inclusion of functionality from untrusted control sphere (CVSS 8.2).

Information Disclosure
NVD VulDB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-30790 HIGH This Week

Password brute-forcing weakness in RustDesk Server Pro through 1.7.5 and RustDesk Server (OSS) through 1.1.15 allows remote attackers to attack the peer authentication and API login modules without triggering rate limiting, while the SHA256(SHA256(pwd+salt)+challenge) construction provides insufficient computational cost to resist offline guessing. The flaw combines CWE-307 (missing throttling of authentication attempts) with weak password hashing on Windows, macOS, and Linux deployments, and no public exploit has been identified at time of analysis.

Information Disclosure Microsoft Apple Rustdesk Server
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-30785 HIGH This Week

RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.

Information Disclosure Microsoft Apple Windows macOS
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-3459 HIGH This Week

Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.

WordPress RCE File Upload
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28129 HIGH This Week

Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28128 HIGH This Week

Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28125 HIGH This Week

Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28124 HIGH This Week

AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28123 HIGH This Week

AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28121 HIGH This Week

Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28120 HIGH This Week

Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28119 HIGH This Week

Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.

PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28118 HIGH This Week

The Welldone WordPress theme through version 2.4 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated remote attackers to read arbitrary files from the affected server. With a CVSS score of 8.1, this vulnerability allows full compromise of confidentiality and integrity without requiring user interaction. No patch is currently available, making immediate mitigation through other means necessary.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28117 HIGH This Week

Remote attackers can include arbitrary local files in the smartSEO WordPress theme (≤2.9) via a PHP Local File Inclusion vulnerability, potentially exposing sensitive configuration data or enabling server-side code execution. Despite high CVSS (8.1), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or CISA KEV listing. The vulnerability requires specific preconditions that increase attack complexity (AC:H), though exploitation succeeds without authentication or user interaction once conditions are met.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28107 HIGH This Week

Local file inclusion in ThemeREX Muzicon WordPress theme versions ≤1.9.0 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite a CVSS score of 8.1, real-world risk is moderated by high attack complexity (AC:H) and no confirmed active exploitation - EPSS probability is only 0.15% (36th percentile). The Patchstack report confirms the vulnerability but no public exploit code has been identified at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28098 HIGH This Week

Local File Inclusion (LFI) in ThemeREX Save Life WordPress theme versions 1.2.13 and earlier enables remote unauthenticated attackers to read arbitrary files from the server filesystem and potentially achieve code execution by including uploaded or log files. Despite the network attack vector (AV:N), high attack complexity (AC:H) suggests successful exploitation requires specific server configurations or carefully crafted payloads. EPSS score of 0.15% (36th percentile) indicates low current exploitation probability, and no active exploitation is confirmed per CISA KEV or public exploit databases at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28097 HIGH This Week

Local file inclusion in Artrium WordPress theme versions ≤1.0.14 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper file inclusion controls. Despite a high CVSS 8.1 score, EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world targeting. The vulnerability was disclosed by Patchstack's audit team with no confirmed active exploitation or public POC at time of analysis, though LFI vulnerabilities in WordPress themes are commonly targeted once proof-of-concept code becomes available.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28096 HIGH This Week

Remote file inclusion vulnerability in ThemeREX WealthCo WordPress theme versions up to 2.18 allows unauthenticated remote attackers to include and execute arbitrary PHP files via manipulated filename parameters. Despite CVSS 8.1 rating, EPSS exploitation probability is low (0.15%, 36th percentile) with no CISA KEV listing or public exploit identified at time of analysis. Vulnerability stems from improper validation of file paths in PHP include/require statements, though attack complexity is rated High, suggesting specific conditions or chained exploitation required.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28095 HIGH This Week

Local file inclusion in ThemeREX Marcell WordPress theme versions ≤1.2.14 allows remote attackers to read arbitrary files from the server filesystem and potentially execute malicious code. The vulnerability stems from improper validation of file paths in PHP include/require statements. Exploitation probability is low (EPSS 0.15%) with no confirmed active exploitation or public proof-of-concept at time of analysis. Discovered and reported by Patchstack's security audit team.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28094 HIGH This Week

Local file inclusion in ThemeREX RexCoin WordPress theme versions up to 1.2.6 allows remote attackers to read arbitrary files and potentially achieve code execution without authentication. Despite the high CVSS score of 8.1, the low EPSS percentile (36%) and AC:H complexity suggest limited active exploitation. Patchstack audit team reported this vulnerability with proof-of-concept available, indicating realistic exploit feasibility against improperly configured installations.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28093 HIGH This Week

Local file inclusion in ThemeREX Ozisti WordPress theme versions up to 1.1.10 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code by including malicious local files. Despite the high CVSS score of 8.1, exploitation requires high complexity (AC:H) and EPSS indicates only 0.15% probability of exploitation in the wild (36th percentile), suggesting limited real-world targeting. No active exploitation confirmed by CISA KEV, though Patchstack has documented the vulnerability with security researchers.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28092 HIGH This Week

Local File Inclusion in ThemeREX Sounder WordPress theme versions through 1.3.11 enables remote attackers to include and execute arbitrary local PHP files without authentication. Despite the CVE title referencing 'Remote File Inclusion', technical analysis and Patchstack classification confirm this is a Local File Inclusion (LFI) vulnerability. With EPSS at 0.15% (36th percentile), widespread exploitation is unlikely, but successful attacks achieve high impact across confidentiality, integrity, and availability. No active exploitation confirmed via CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28091 HIGH This Week

Local file inclusion in ThemeREX Coleo WordPress theme (versions ≤1.1.7) allows remote attackers to read arbitrary files and potentially execute PHP code via crafted file path manipulation. Despite high CVSS 8.1, exploitation requires high attack complexity (AC:H), and EPSS score of 0.15% (36th percentile) suggests limited real-world exploitation activity. No CISA KEV listing indicates this is not confirmed as actively exploited, though Patchstack database inclusion suggests security researcher identification and likely proof-of-concept existence.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28090 HIGH This Week

Local file inclusion (LFI) vulnerability in ThemeREX Gamezone WordPress theme versions up to 1.1.11 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. The CVSS score of 8.1 reflects high complexity exploitation requiring specific conditions, while the low EPSS score (0.15%, 36th percentile) indicates minimal observed exploitation attempts in the wild. No active exploitation confirmed by CISA KEV at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28089 HIGH This Week

PHP Local File Inclusion in ThemeREX Daiquiri WordPress theme versions ≤1.2.4 allows remote attackers to read arbitrary files or execute PHP code by exploiting improper filename control in include/require statements. Despite high CVSS (8.1), real-world risk is moderate: EPSS exploitation probability is low (0.15%, 36th percentile), no confirmed active exploitation exists, and attack complexity is high (AC:H). Patchstack audit identified this vulnerability, suggesting professional security review but no public exploit code at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28088 HIGH This Week

Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28087 HIGH This Week

Local file inclusion in ThemeREX Filmax WordPress theme versions ≤1.1.11 enables remote attackers to read arbitrary files from the web server and potentially execute malicious code. The vulnerability stems from improper filename validation in PHP include/require statements, categorized as CWE-98. Despite a CVSS score of 8.1, EPSS probability is low (0.15%, 36th percentile), suggesting targeted rather than widespread exploitation. Patchstack database identifies this as affecting information disclosure through LFI techniques, with no confirmed active exploitation or KEV listing at time of analysis.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-28086 HIGH This Week

Local file inclusion vulnerability in ThemeREX Run Gran WordPress theme versions through 2.0 allows remote attackers to read arbitrary files from the web server filesystem via crafted PHP include statements. Despite the moderate EPSS score (0.15%, 36th percentile), the high-complexity attack vector suggests exploitation requires specific knowledge of file paths or application structure. No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept code identified at time of analysis. Patchstack has documented this vulnerability, indicating awareness within the WordPress security community.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
Prev Page 3 of 10 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy