Object injection through unsafe deserialization in AivahThemes Car Zone up to version 3.7 allows authenticated attackers to execute arbitrary code with network access and no user interaction required. With a CVSS score of 8.8 indicating high severity, this vulnerability poses a significant risk to affected installations, though no patch is currently available. Attackers with valid credentials can exploit this flaw to gain complete system compromise including confidentiality, integrity, and availability impact.
blubrry PowerPress Podcasting powerpress is affected by deserialization of untrusted data (CVSS 8.8).
Object injection through unsafe deserialization in designthemes Dental Clinic version 3.7 and earlier allows authenticated attackers to execute arbitrary code with high impact on confidentiality, integrity, and availability. An attacker with valid credentials can exploit this CWE-502 weakness to inject malicious objects during the deserialization process, potentially compromising the entire application. No patch is currently available for this vulnerability.
Unauthenticated SQL injection in the FreePBX CDR module (versions before 16.0.49 and 17.0.7) allows authenticated users to execute arbitrary SQL commands and potentially compromise the entire database. An attacker with valid credentials can exploit this vulnerability to read sensitive call records, modify system data, or escalate privileges within the FreePBX system. No patch is currently available, leaving affected installations at high risk until upgrades are deployed.
maximsecudeal Secudeal Payments for Ecommerce secudeal-payments-for-ecommerce is affected by deserialization of untrusted data (CVSS 8.6).
WowOptin: Next-Gen Popup Maker plugin for WordPress versions up to 1.4.24 fails to validate user permissions on plugin installation functions, allowing authenticated subscribers to install and activate arbitrary plugins. This privilege escalation vulnerability enables low-privileged attackers to execute remote code with full WordPress permissions. No patch is currently available.
Privilege escalation in Cognix Platform v3.0 permits authenticated users to bypass authorization controls and assume higher-privileged roles through specially crafted requests. This vulnerability affects all users with valid credentials and could allow attackers to gain unauthorized administrative access. No patch is currently available.
SQL injection in the FreePBX logfiles module allows authenticated attackers to manipulate database queries and potentially extract sensitive data or modify system records. Versions prior to 16.0.10 and 17.0.5 are vulnerable, and attackers with valid FreePBX credentials can exploit this weakness to achieve high-impact unauthorized access to confidential information and system integrity. No patch is currently available for affected deployments.
Denial of service in the mlc-ai xgrammar structured-generation library (versions prior to 0.1.32) allows remote attackers to crash the host process via deeply multi-level nested grammar syntax that triggers a segmentation fault (core dump). Because xgrammar is typically embedded in LLM inference servers to constrain model output, an attacker who can influence the grammar/schema passed to the engine can take the service offline. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.06%), but the issue is fixed and has been picked up in multiple Red Hat advisories.
RustDesk Client through version 1.4.5 transmits sensitive preset address book credentials in cleartext during heartbeat synchronization, enabling network eavesdropping attacks across Windows, macOS, Linux, iOS, and Android platforms. An attacker positioned to intercept network traffic can capture authentication credentials by sniffing the unencrypted JSON payload. No patch is currently available for this high-severity vulnerability (CVSS 8.7).
RustDesk Server Pro through version 1.7.5 uses weak cryptographic algorithms in configuration string generation and web console export functions, enabling attackers to extract sensitive embedded data from exported configurations. This vulnerability affects Windows, macOS, and Linux deployments and requires no authentication or user interaction to exploit. No patch is currently available.
Sfx2100 Firmware versions up to - is affected by incorrect permission assignment for critical resource (CVSS 4.7).
Payment Orchestrator Service Elevation of Privilege Vulnerability [CVSS 8.6 HIGH]
Path traversal in wpWax FormGent plugin versions up to 1.4.2 enables unauthenticated remote attackers to access files outside intended directories. The vulnerability requires no user interaction and can be exploited over the network to cause denial of service or potentially disclose sensitive information. No patch is currently available for this high-severity issue.
OpenClaw's exec-approvals feature validates command allowlists before shell expansion but fails to account for expansion during actual execution, enabling authorized users or attackers performing prompt injection to read arbitrary files through glob patterns and environment variables. This arbitrary file disclosure affects systems with host execution enabled in allowlist mode, potentially exposing sensitive data accessible to the gateway or node process. A patch is available to address this command injection vulnerability.
Remote code execution in Crocoblock JetEngine versions 3.7.2 and earlier allows authenticated attackers to execute arbitrary code through improper handling of code generation. An attacker with valid credentials can leverage this code injection vulnerability to achieve remote code inclusion and gain full control over affected WordPress installations. No patch is currently available, leaving all users of vulnerable JetEngine versions at risk.
Arbitrary file upload in Filr WordPress plugin versions ≤1.2.12 allows authenticated attackers with low privileges to upload web shells, achieving remote code execution with changed scope (S:C). Despite high CVSS 8.5, exploitation requires authentication and moderately complex conditions (AC:H). EPSS probability remains very low at 0.03% (10th percentile), and no active exploitation or public proof-of-concept has been identified. Patchstack disclosure indicates this is a targeted vulnerability requiring specific WordPress role permissions rather than mass-exploitable issue.
Eagle Booking plugin versions 1.3.4.3 and earlier contain an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries over the network. An attacker with user-level privileges can exploit this to extract sensitive data from the database or potentially modify application data, though no patch is currently available.
Essekia Tablesome versions up to 1.2.3 contain a blind SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries through improper input sanitization. An attacker with valid credentials can exploit this to extract sensitive data from the database, though no patch is currently available. The vulnerability has a CVSS score of 8.5 and requires network access with low attack complexity.
Openclaw versions up to 2026.2.12 is affected by missing authentication for critical function (CVSS 8.4).
Configuration tampering in RustDesk Client through 1.4.5 allows a network-positioned attacker to manipulate Application API messages exchanged between the client and its rendezvous/sync server, altering client strategy and configuration options. The flaw spans every supported platform (Windows, macOS, Linux, iOS, Android, WebClient) and stems from insecure handling in the Strategy merge loop and Config::set_options(), giving an MitM attacker the ability to silently rewrite client behavior. No public exploit identified at time of analysis, and EPSS exploitation probability is very low at 0.05% (16th percentile).
OpenClaw versions before 2026.2.14 contain unprotected server-side request forgery flaws in the Feishu extension that enable remote attackers to access internal services and exfiltrate data without authentication. Attackers can exploit the sendMediaFeishu function and markdown image processing through direct manipulation or prompt injection to force the application to fetch attacker-controlled URLs and re-upload responses as Feishu media. A patch is available to remediate this network-accessible vulnerability affecting AI/ML deployments.
WP Royal Royal Elementor Addons royal-elementor-addons is affected by inclusion of functionality from untrusted control sphere (CVSS 8.2).
Password brute-forcing weakness in RustDesk Server Pro through 1.7.5 and RustDesk Server (OSS) through 1.1.15 allows remote attackers to attack the peer authentication and API login modules without triggering rate limiting, while the SHA256(SHA256(pwd+salt)+challenge) construction provides insufficient computational cost to resist offline guessing. The flaw combines CWE-307 (missing throttling of authentication attempts) with weak password hashing on Windows, macOS, and Linux deployments, and no public exploit has been identified at time of analysis.
RustDesk Client through version 1.4.5 on Windows, macOS, and Linux uses weak password hashing and improper object prototype handling in its password security and configuration encryption modules, allowing local authenticated attackers to extract embedded sensitive data including passwords and machine identifiers. The vulnerability affects critical cryptographic functions including symmetric_crypt() and decrypt_str_or_original(), enabling attackers with local access and valid credentials to compromise encrypted credentials and system identifiers. No patch is currently available.
Unauthenticated attackers can upload arbitrary files to WordPress sites running the Drag and Drop Multiple File Upload - Contact Form 7 plugin through versions 1.3.7.3 due to insufficient file type validation when wildcard characters are configured in upload fields. Successful exploitation could enable remote code execution on the affected server. No patch is currently available.
Local file inclusion in axiomthemes Little Birdies plugin version 1.3.16 and earlier enables unauthenticated remote attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. An attacker can exploit this vulnerability to access sensitive configuration files, source code, or other data without authentication. No patch is currently available for this vulnerability.
Local file inclusion in ThemeREX Verse PHP theme versions 1.7.0 and earlier allows unauthenticated attackers to read arbitrary files on the server through improper input validation on file inclusion functions. The vulnerability requires specific conditions for exploitation but carries high impact potential including confidentiality and integrity compromise. No patch is currently available.
Local file inclusion in AncoraThemes Midi through version 1.14 enables unauthenticated remote attackers to read arbitrary files on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing attackers to traverse directories and access sensitive data. Currently no patch is available for this vulnerability.
AncoraThemes Notarius through version 1.9 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability stems from improper validation of filenames in include/require statements, enabling attackers to traverse the filesystem and access sensitive data. No patch is currently available for this high-severity flaw.
AncoraThemes Veil through version 1.9 contains a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the affected server. The vulnerability stems from improper input validation on file include/require statements, enabling attackers to manipulate filename parameters to access sensitive system files. While no patch is currently available, the exploit requires specific conditions (high complexity) to successfully leverage.
Local and remote file inclusion in AncoraThemes Anderson through version 1.4.2 enables attackers to read arbitrary files or execute malicious code on affected systems. The vulnerability stems from improper validation of file paths in PHP include/require statements, allowing unauthenticated attackers to manipulate input parameters over the network. No patch is currently available for this high-severity issue affecting PHP-based installations.
Local file inclusion in ThemeREX Dr.Patterson plugin versions up to 1.3.2 enables unauthenticated attackers to read arbitrary files from the server through improper input validation on file inclusion parameters. The vulnerability allows information disclosure and potential code execution depending on server configuration and accessible files. No patch is currently available for this vulnerability.
Axiomthemes Nirvana version 2.6 and earlier contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper filename validation and could enable information disclosure or facilitate further compromise, though no patch is currently available. With a CVSS score of 8.1 and low exploitation likelihood (0.2% EPSS), organizations running affected versions should prioritize mitigation strategies until an official patch is released.
The Welldone WordPress theme through version 2.4 contains a local file inclusion vulnerability in its PHP include/require handling that enables unauthenticated remote attackers to read arbitrary files from the affected server. With a CVSS score of 8.1, this vulnerability allows full compromise of confidentiality and integrity without requiring user interaction. No patch is currently available, making immediate mitigation through other means necessary.
Remote attackers can include arbitrary local files in the smartSEO WordPress theme (≤2.9) via a PHP Local File Inclusion vulnerability, potentially exposing sensitive configuration data or enabling server-side code execution. Despite high CVSS (8.1), EPSS exploitation probability is low (0.15%, 36th percentile) with no confirmed active exploitation or CISA KEV listing. The vulnerability requires specific preconditions that increase attack complexity (AC:H), though exploitation succeeds without authentication or user interaction once conditions are met.
Local file inclusion in ThemeREX Muzicon WordPress theme versions ≤1.9.0 allows remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code. Despite a CVSS score of 8.1, real-world risk is moderated by high attack complexity (AC:H) and no confirmed active exploitation - EPSS probability is only 0.15% (36th percentile). The Patchstack report confirms the vulnerability but no public exploit code has been identified at time of analysis.
Local File Inclusion (LFI) in ThemeREX Save Life WordPress theme versions 1.2.13 and earlier enables remote unauthenticated attackers to read arbitrary files from the server filesystem and potentially achieve code execution by including uploaded or log files. Despite the network attack vector (AV:N), high attack complexity (AC:H) suggests successful exploitation requires specific server configurations or carefully crafted payloads. EPSS score of 0.15% (36th percentile) indicates low current exploitation probability, and no active exploitation is confirmed per CISA KEV or public exploit databases at time of analysis.
Local file inclusion in Artrium WordPress theme versions ≤1.0.14 allows remote unauthenticated attackers to read arbitrary server files and potentially execute PHP code through improper file inclusion controls. Despite a high CVSS 8.1 score, EPSS shows only 0.15% exploitation probability (36th percentile), suggesting limited real-world targeting. The vulnerability was disclosed by Patchstack's audit team with no confirmed active exploitation or public POC at time of analysis, though LFI vulnerabilities in WordPress themes are commonly targeted once proof-of-concept code becomes available.
Remote file inclusion vulnerability in ThemeREX WealthCo WordPress theme versions up to 2.18 allows unauthenticated remote attackers to include and execute arbitrary PHP files via manipulated filename parameters. Despite CVSS 8.1 rating, EPSS exploitation probability is low (0.15%, 36th percentile) with no CISA KEV listing or public exploit identified at time of analysis. Vulnerability stems from improper validation of file paths in PHP include/require statements, though attack complexity is rated High, suggesting specific conditions or chained exploitation required.
Local file inclusion in ThemeREX Marcell WordPress theme versions ≤1.2.14 allows remote attackers to read arbitrary files from the server filesystem and potentially execute malicious code. The vulnerability stems from improper validation of file paths in PHP include/require statements. Exploitation probability is low (EPSS 0.15%) with no confirmed active exploitation or public proof-of-concept at time of analysis. Discovered and reported by Patchstack's security audit team.
Local file inclusion in ThemeREX RexCoin WordPress theme versions up to 1.2.6 allows remote attackers to read arbitrary files and potentially achieve code execution without authentication. Despite the high CVSS score of 8.1, the low EPSS percentile (36%) and AC:H complexity suggest limited active exploitation. Patchstack audit team reported this vulnerability with proof-of-concept available, indicating realistic exploit feasibility against improperly configured installations.
Local file inclusion in ThemeREX Ozisti WordPress theme versions up to 1.1.10 enables remote unauthenticated attackers to read arbitrary files from the web server filesystem and potentially execute PHP code by including malicious local files. Despite the high CVSS score of 8.1, exploitation requires high complexity (AC:H) and EPSS indicates only 0.15% probability of exploitation in the wild (36th percentile), suggesting limited real-world targeting. No active exploitation confirmed by CISA KEV, though Patchstack has documented the vulnerability with security researchers.
Local File Inclusion in ThemeREX Sounder WordPress theme versions through 1.3.11 enables remote attackers to include and execute arbitrary local PHP files without authentication. Despite the CVE title referencing 'Remote File Inclusion', technical analysis and Patchstack classification confirm this is a Local File Inclusion (LFI) vulnerability. With EPSS at 0.15% (36th percentile), widespread exploitation is unlikely, but successful attacks achieve high impact across confidentiality, integrity, and availability. No active exploitation confirmed via CISA KEV at time of analysis.
Local file inclusion in ThemeREX Coleo WordPress theme (versions ≤1.1.7) allows remote attackers to read arbitrary files and potentially execute PHP code via crafted file path manipulation. Despite high CVSS 8.1, exploitation requires high attack complexity (AC:H), and EPSS score of 0.15% (36th percentile) suggests limited real-world exploitation activity. No CISA KEV listing indicates this is not confirmed as actively exploited, though Patchstack database inclusion suggests security researcher identification and likely proof-of-concept existence.
Local file inclusion (LFI) vulnerability in ThemeREX Gamezone WordPress theme versions up to 1.1.11 allows remote unauthenticated attackers to read arbitrary files from the web server, potentially exposing configuration files, credentials, and sensitive application data. The CVSS score of 8.1 reflects high complexity exploitation requiring specific conditions, while the low EPSS score (0.15%, 36th percentile) indicates minimal observed exploitation attempts in the wild. No active exploitation confirmed by CISA KEV at time of analysis.
PHP Local File Inclusion in ThemeREX Daiquiri WordPress theme versions ≤1.2.4 allows remote attackers to read arbitrary files or execute PHP code by exploiting improper filename control in include/require statements. Despite high CVSS (8.1), real-world risk is moderate: EPSS exploitation probability is low (0.15%, 36th percentile), no confirmed active exploitation exists, and attack complexity is high (AC:H). Patchstack audit identified this vulnerability, suggesting professional security review but no public exploit code at time of analysis.
Local file inclusion vulnerability in ThemeREX Aqualots WordPress theme versions up to 1.1.6 enables remote attackers to include arbitrary PHP files on the server without authentication. Despite the description's mention of 'remote file inclusion', the CVE is classified as CWE-98 (PHP Local File Inclusion) and tagged as LFI by Patchstack, indicating attackers can read sensitive files or execute local PHP code. EPSS exploitation probability is low (0.15%, 36th percentile) with no evidence of active exploitation or public POCs, though the high-complexity network attack vector suggests targeted exploitation scenarios.
Local file inclusion in ThemeREX Filmax WordPress theme versions ≤1.1.11 enables remote attackers to read arbitrary files from the web server and potentially execute malicious code. The vulnerability stems from improper filename validation in PHP include/require statements, categorized as CWE-98. Despite a CVSS score of 8.1, EPSS probability is low (0.15%, 36th percentile), suggesting targeted rather than widespread exploitation. Patchstack database identifies this as affecting information disclosure through LFI techniques, with no confirmed active exploitation or KEV listing at time of analysis.
Local file inclusion vulnerability in ThemeREX Run Gran WordPress theme versions through 2.0 allows remote attackers to read arbitrary files from the web server filesystem via crafted PHP include statements. Despite the moderate EPSS score (0.15%, 36th percentile), the high-complexity attack vector suggests exploitation requires specific knowledge of file paths or application structure. No active exploitation confirmed (not in CISA KEV), and no public proof-of-concept code identified at time of analysis. Patchstack has documented this vulnerability, indicating awareness within the WordPress security community.