Skip to main content

PHP

24729 CVEs product

Monthly

CVE-2026-22370 HIGH This Week

Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22369 HIGH This Week

Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22368 HIGH This Week

Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22367 HIGH This Week

AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22366 HIGH This Week

Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22365 HIGH This Week

PHP Remote File Inclusion in Soleng WordPress theme.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22364 HIGH This Week

Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22363 HIGH This Week

Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22362 HIGH This Week

Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22361 HIGH This Week

PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-22356 HIGH This Week

Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-22344 HIGH This Week

Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-70831 CRITICAL Act Now

RCE in Smanga 3.2.7 via command injection in /php/path/rescan.php. EPSS 0.29%.

PHP RCE Smanga
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-69410 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69409 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69408 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69407 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69406 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69402 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69400 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion.This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69399 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69398 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69397 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion.This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69396 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69395 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69387 HIGH This Week

whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69386 HIGH This Week

realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69383 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1. [CVSS 7.5 HIGH]

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69381 HIGH This Week

vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).

WordPress PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69380 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69379 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-69377 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-69376 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-69375 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69374 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog - Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog - Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-69373 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-69368 HIGH This Week

GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69367 HIGH This Week

GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69328 HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2025-69326 HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69325 MEDIUM This Month

primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).

WordPress Path Traversal PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-69324 HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69323 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]

WordPress Industrial XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-69322 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68843 HIGH This Week

Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68841 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder: from n/a through <= 1.2.1. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68552 HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI Information Disclosure
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68549 CRITICAL Act Now

Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.

WordPress PHP RCE
NVD
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-68545 HIGH This Week

PHP Remote File Inclusion in Nika WordPress theme by thembay.

PHP LFI Information Disclosure
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-68543 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68539 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68536 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-68501 HIGH This Week

Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-68024 MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-67992 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67991 HIGH This Week

vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2025-67988 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67982 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67981 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-67980 HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17. [CVSS 8.1 HIGH]

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-60087 HIGH This Week

Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon is affected by php remote file inclusion (CVSS 8.1).

PHP LFI
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2025-53237 HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-26990 PHP HIGH POC PATCH This Week

SQL injection in LibreNMS versions 25.12.0 and below allows authenticated users to extract sensitive database information through time-based blind SQL injection in the address-search function. An attacker with valid credentials can manipulate the subnet prefix parameter to bypass query logic and infer data through conditional timing responses. Public exploit code exists for this vulnerability; upgrade to version 26.2.0 or later to remediate.

PHP MySQL SNMP SQLi Librenms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26988 PHP CRITICAL POC PATCH Act Now

SQL injection in LibreNMS 25.12.0 and below. PoC and patch available.

PHP MySQL SNMP SQLi Librenms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27343 HIGH This Week

PHP Local File Inclusion in Airtifact versions up to 1.2.91 permits authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. With low privileges required and no user interaction necessary, an attacker can leverage this vulnerability to access sensitive configuration files or application source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27052 HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI Information Disclosure
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25326 HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-40697 This Week

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter.

PHP XSS
NVD
EPSS
0.4%
CVE-2026-2706 LOW POC Monitor

SQL injection in Patient Record Management System 1.0 via the comp_id parameter in /fecalysis_not.php enables authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2691 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/manage_register.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for unpatched deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2690 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's admin login endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or compromise system integrity. No patch is currently available for affected PHP installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2689 MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's booking management interface allows unauthenticated remote attackers to manipulate database queries via the ID parameter in /admin/manage_booking.php. Public exploit code exists for this vulnerability, enabling potential unauthorized data access and modification. No patch is currently available to address this high-severity flaw affecting PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2504 MEDIUM This Month

The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.

WordPress PHP Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0926 CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI Information Disclosure RCE
NVD Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-4521 HIGH This Week

The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15041 HIGH This Week

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-14983 MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-14864 MEDIUM This Month

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...

WordPress Information Disclosure PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14851 MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14452 HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
CVSS 3.1
7.2
EPSS
0.1%
CVE-2025-14445 MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.4
EPSS
0.0%
CVE-2025-14427 MEDIUM This Month

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14357 MEDIUM This Month

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-14342 MEDIUM This Month

SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14294 MEDIUM This Month

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-14270 LOW Monitor

OneClick Chat to Order (WordPress plugin) versions up to 1.0.9. is affected by missing authorization (CVSS 2.7).

WordPress PHP
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-14167 MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14076 MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-13930 MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-13864 MEDIUM This Month

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...

WordPress PHP
NVD
CVSS 3.1
5.3
EPSS
0.1%
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Marveland versions up to 1.3.0 contain a local file inclusion vulnerability in PHP that allows unauthenticated attackers to read arbitrary files on the server through improper handling of include/require statements. An attacker can exploit this weakness over the network without user interaction to disclose sensitive information or potentially execute arbitrary code. No patch is currently available.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in AncoraThemes Ironfit through version 1.5 enables unauthenticated attackers to read arbitrary files from the server through improper handling of file inclusion parameters. The vulnerability grants high-impact access to sensitive data and potential system compromise without authentication or user interaction required. No patch is currently available for affected installations.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Local file inclusion in Axiomthemes Redy versions up to 1.0.2 allows unauthenticated attackers to read arbitrary files from the affected server by manipulating include/require statements. An attacker can exploit this vulnerability over the network to disclose sensitive information such as configuration files or source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

AncoraThemes Coworking plugin through version 1.6.1 contains a local file inclusion vulnerability in its PHP file handling that could allow attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit improper input validation on filename parameters to access sensitive system files and potentially execute arbitrary code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Jude through version 1.3.0 contains a local file inclusion vulnerability in its PHP include/require handling that allows unauthenticated remote attackers to read arbitrary files from the affected server. The vulnerability requires specific conditions to be met (high complexity) but results in complete compromise of confidentiality, integrity, and availability. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Remote File Inclusion in Soleng WordPress theme.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper file inclusion validation in axiomthemes SevenTrees PHP plugin versions 1.0.2 and earlier enables unauthenticated attackers to include and execute arbitrary local files through remote requests. This remote file inclusion vulnerability allows attackers to execute malicious PHP code with full system privileges. Currently no patch is available and the vulnerability has low exploit probability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiom Themes Rhodos through version 1.3.3 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The improper validation of include/require statements enables attackers to access sensitive application data and configuration files without authentication. Currently no patch is available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Axiomthemes Photolia through version 1.0.3 contains a local file inclusion vulnerability in its PHP include/require handling that enables attackers to read arbitrary files from the affected server. An unauthenticated remote attacker can exploit this weakness over the network to access sensitive information without user interaction. No patch is currently available, making this a high-severity risk for active installations of this theme.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Local File Inclusion in axiomthemes A-Mart versions up to 1.0.2 enables unauthenticated remote attackers to read arbitrary files from the server through improper handling of include/require statements. An attacker can leverage this vulnerability to disclose sensitive configuration files, source code, or other confidential data accessible to the web server process. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Jetpack CRM versions 6.7.0 and earlier contain a local file inclusion vulnerability in their PHP code that allows attackers to manipulate file inclusion statements and access arbitrary files on the server. An unauthenticated attacker can exploit this through a user interaction to read sensitive files or potentially execute arbitrary code with high impact. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Mikado-Themes FiveStar plugin through version 1.7 contains a local file inclusion vulnerability in its PHP file handling that allows unauthenticated attackers to read arbitrary files from the server. The vulnerability stems from improper validation of filename parameters in include/require statements, enabling attackers to access sensitive configuration files and other protected resources. No patch is currently available, though exploitation requires specific conditions to be met.

PHP LFI
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

RCE in Smanga 3.2.7 via command injection in /php/path/rescan.php. EPSS 0.29%.

PHP RCE Smanga
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through <= 1.1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion.This issue affects Yokoo: from n/a through <= 1.1.11. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion.This issue affects Tint: from n/a through <= 1.7. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

whatwouldjessedo Simple Retail Menus simple-retail-menus is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1. [CVSS 7.5 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor is affected by missing authorization (CVSS 7.1).

WordPress PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 7.5 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 7.7 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 8.6
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0. [CVSS 8.6 HIGH]

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5. [CVSS 8.1 HIGH]

WordPress PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog - Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog - Elementor Blog And Magazine Addons: from n/a through <= 2.0.3. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GT3themes SOHO - Photography WordPress Theme soho is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

GT3themes Oyster - Photography WordPress Theme oyster is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.8
HIGH This Week

magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce is affected by deserialization of untrusted data (CVSS 8.8).

WordPress Deserialization PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

primersoftware Primer MyData for Woocommerce primer-mydata contains a security vulnerability (CVSS 5.3).

WordPress Path Traversal PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Basix NEX-Forms nex-forms-express-wp-form-builder is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2. [CVSS 7.1 HIGH]

WordPress Industrial XSS +1
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Bas Schuiling FeedWordPress Advanced Filters faf is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack - Complete Elementor Addons, Theme &amp; CPT Builder: from n/a through <= 1.2.1. [CVSS 7.5 HIGH]

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product is affected by php remote file inclusion (CVSS 6.3).

WordPress PHP LFI +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Unrestricted file upload in Wiguard (wiguard) WordPress theme allows uploading web shells for remote code execution.

WordPress PHP RCE
NVD
EPSS 0% CVSS 8.1
HIGH This Week

PHP Remote File Inclusion in Nika WordPress theme by thembay.

PHP LFI Information Disclosure
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

vanquish User Extra Fields wp-user-extra-fields is affected by cross-site scripting (xss) (CVSS 7.1).

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17. [CVSS 8.1 HIGH]

PHP LFI
NVD
EPSS 0% CVSS 8.1
HIGH This Week

Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon is affected by php remote file inclusion (CVSS 8.1).

PHP LFI
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1. [CVSS 7.1 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in LibreNMS versions 25.12.0 and below allows authenticated users to extract sensitive database information through time-based blind SQL injection in the address-search function. An attacker with valid credentials can manipulate the subnet prefix parameter to bypass query logic and infer data through conditional timing responses. Public exploit code exists for this vulnerability; upgrade to version 26.2.0 or later to remediate.

PHP MySQL SNMP +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

SQL injection in LibreNMS 25.12.0 and below. PoC and patch available.

PHP MySQL SNMP +2
NVD GitHub
EPSS 0% CVSS 7.5
HIGH This Week

PHP Local File Inclusion in Airtifact versions up to 1.2.91 permits authenticated attackers to read arbitrary files on the server through improper validation of include/require statements. With low privileges required and no user interaction necessary, an attacker can leverage this vulnerability to access sensitive configuration files or application source code. No patch is currently available for this vulnerability.

PHP LFI
NVD
EPSS 0% CVSS 7.5
HIGH This Week

villatheme Sales Countdown Timer for WooCommerce and WordPress sctv-sales-countdown-timer is affected by php remote file inclusion (CVSS 7.5).

WordPress PHP LFI +1
NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

cmsmasters CMSMasters Content Composer cmsmasters-content-composer is affected by php remote file inclusion (CVSS 7.5).

PHP LFI
NVD
EPSS 0%
This Week

Reflected Cross-Site Scripting (XSS) vulnerability in '/index.php' in Lewe WebMeasure, which allows remote attackers to execute arbitrary code through the 'page' parameter.

PHP XSS
NVD
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in Patient Record Management System 1.0 via the comp_id parameter in /fecalysis_not.php enables authenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/manage_register.php, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for unpatched deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's admin login endpoint allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling attackers to potentially extract sensitive data or compromise system integrity. No patch is currently available for affected PHP installations.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in itsourcecode Event Management System 1.0's booking management interface allows unauthenticated remote attackers to manipulate database queries via the ID parameter in /admin/manage_booking.php. Public exploit code exists for this vulnerability, enabling potential unauthorized data access and modification. No patch is currently available to address this high-severity flaw affecting PHP-based deployments.

PHP SQLi
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

The Dealia - Request a quote WordPress plugin fails to properly validate user permissions on AJAX endpoints, allowing authenticated users with Contributor-level access or higher to reset plugin configuration by exploiting an exposed admin nonce. An attacker with basic edit_posts capability can bypass the capability check and modify critical plugin settings without administrative privileges. The vulnerability affects all versions up to 1.0.6 and currently has no available patch.

WordPress PHP Authentication Bypass
NVD
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

Local File Inclusion in Prodigy Commerce WordPress plugin <= 3.2.9.

WordPress PHP LFI +2
NVD Exploit-DB VulDB
EPSS 0% CVSS 8.8
HIGH This Week

The IDonate - Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capability check on the idonate_donor_profile() function in versions 2.1.5 to 2.1.9. [CVSS 8.8 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The BackWPup - WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option() function in all versions up to, and including, 5.6.2. [CVSS 7.2 HIGH]

WordPress Privilege Escalation PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Advanced Custom Fields: Font Awesome Field plugin for WordPress is vulnerable to Cross-Site Scripting in all versions up to, and including, 5.0.1 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Virusdie - One-click website security plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.7. This is due to missing capability checks on the `vd_get_apikey` function which is hooked to `wp_ajax_virusdie_apikey`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve the site's Virusdie API key, which could be used to access the site owner's Virusdie account and potentially compromis...

WordPress Information Disclosure PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The YaMaps for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `yamap` shortcode parameters in all versions up to, and including, 0.6.40 due to insufficient input sanitization and output escaping on user supplied attributes. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 7.2
HIGH This Week

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3_fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. [CVSS 7.2 HIGH]

WordPress XSS PHP
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

The Image Hotspot by DevVN plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'hotspot_content' custom field meta in all versions up to, and including, 1.2.9 due to insufficient input sanitization and output escaping. [CVSS 6.4 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Shield Security: Blocks Bots, Protects Users, and Prevents Security Breaches plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `MfaEmailDisable` action in all versions up to, and including, 21.0.9. [CVSS 4.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Mega Store Woocommerce theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the setup_widgets() function in core/includes/importer/whizzie.php in all versions up to, and including, 5.9. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

SEO Plugin by Squirrly SEO (WordPress plugin) versions up to 12.4.14. is affected by missing authorization (CVSS 4.3).

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Razorpay for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the getCouponList() function in all versions up to, and including, 4.7.8. This is due to the checkAuthCredentials() permission callback always returning true, providing no actual authentication. This makes it possible for unauthenticated attackers to modify the billing and shipping contact information (email and phone) of any WooCommerce order by knowing or...

WordPress PHP
NVD
EPSS 0% CVSS 2.7
LOW Monitor

OneClick Chat to Order (WordPress plugin) versions up to 1.0.9. is affected by missing authorization (CVSS 2.7).

WordPress PHP
NVD
EPSS 0% CVSS 4.3
MEDIUM This Month

The Remove Post Type Slug plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.2. This is due to incorrect nonce validation logic that uses OR (||) instead of AND (&&), causing the validation to fail when the nonce field is not empty OR when verification fails, rather than when it's empty AND verification fails. This makes it possible for unauthenticated attackers to modify the plugin's post type slug removal settings via a forged request ...

WordPress CSRF PHP
NVD
EPSS 0% CVSS 6.1
MEDIUM This Month

The iXML - Google XML sitemap generator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'iXML_email' parameter in all versions up to, and including, 0.6 due to insufficient input sanitization and output escaping. [CVSS 6.1 MEDIUM]

WordPress XSS PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Checkout Field Manager (Checkout Manager) for WooCommerce plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 7.8.5. [CVSS 5.3 MEDIUM]

WordPress PHP
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint `/wp-json/breeze/v1/clear-all-cache` being registered with `permission_callback => '__return_true'` and authentication being disabled by default when the API is enabled. This makes it possible for unauthenticated attackers to clear all site caches (page cache, Varnish, and Cloudflare) via a simple POST request,...

WordPress PHP
NVD
Prev Page 35 of 275 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy