PHP
Monthly
Unauthenticated local file inclusion in the ThemeRex Gunslinger WordPress theme through version 1.7 allows remote attackers to coerce PHP into including arbitrary files from the server filesystem, leading to disclosure of sensitive files and potential remote code execution where attacker-influenced content can be staged. No public exploit identified at time of analysis, but the flaw is reachable without authentication and affects all installations running version 1.7 or earlier of the theme.
Unauthenticated local file inclusion in ThemeRex Skyward WordPress theme versions 1.10 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server, enabling sensitive file disclosure and potential remote code execution. The flaw is reachable without authentication over the network and no public exploit has been identified at time of analysis, though Patchstack has catalogued the issue in their vulnerability database. CVSS rates the impact as 8.1 (High) reflecting full confidentiality, integrity, and availability compromise despite high attack complexity.
Unauthenticated Local File Inclusion in the ThemeREX Granola WordPress theme through version 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files via attacker-controlled path input. The flaw is reachable over the network without credentials or user interaction and can expose sensitive site files such as wp-config.php, potentially escalating to code execution if log-poisoning or session-file techniques are viable. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local file inclusion in the ThemeRex Gamic WordPress theme versions 1.15 and earlier allows unauthenticated remote attackers to coerce the PHP application into including arbitrary files via crafted parameters. Successful exploitation can expose sensitive configuration data (including wp-config.php) and, depending on server configuration, may escalate to remote code execution through log poisoning or session-file inclusion. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Preservation WordPress theme versions 1.10 and earlier allows remote attackers to read arbitrary files from the underlying web server, with high complexity (AC:H) but no authentication required (PR:N). The flaw, reported by Patchstack and classified as CWE-98 (improper filename control for PHP include/require statements), can lead to disclosure of sensitive files such as wp-config.php and, depending on the inclusion path, potentially full code execution. No public exploit identified at time of analysis and no KEV listing.
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme through version 3.1.3 allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme versions 1.6 and earlier allows remote attackers to inject arbitrary PHP objects via untrusted deserialization, potentially leading to full site compromise when a suitable POP gadget chain is present. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.
Unauthenticated local file inclusion in the ThemeRex Fortius WordPress theme (versions 2.3.0 and earlier) allows remote attackers to include and disclose arbitrary local files on the server via a vulnerable PHP file/path parameter. The flaw maps to CWE-98 (improper control of filename for include/require) and can lead to source code disclosure, leakage of WordPress secrets in wp-config.php, and in some PHP setups remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex Snow Club WordPress theme versions 1.1 and earlier allows remote attackers to include and execute arbitrary local files on the host, leading to sensitive file disclosure and potential remote code execution. The flaw is reported by Patchstack and maps to CWE-98 (PHP file inclusion); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion affects the Dazzle WordPress theme (by ThemeRex) in versions up to and including 1.0.0, allowing remote attackers to read or potentially include arbitrary local files on the server. The flaw stems from improper control of filename parameters used in PHP include/require statements (CWE-98), and no public exploit has been identified at time of analysis. With a CVSS 8.1 reflecting high attack complexity but no authentication, the vulnerability is reachable by anonymous attackers but requires specific conditions to weaponize fully.
Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated PHP object injection in the ThemeREX Reisen WordPress theme versions 1.4.1 and earlier allows remote attackers to trigger deserialization of attacker-controlled data without authentication. Successful exploitation can lead to full site compromise via gadget chains commonly available in WordPress core or active plugins, with CVSS rated 9.8 critical. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Local File Inclusion in the Imba WordPress theme versions 1.5.0 and earlier allows remote unauthenticated attackers to read arbitrary files from the underlying server. The flaw is rooted in PHP file-inclusion handling (CWE-98) and has no public exploit identified at time of analysis, but its unauthenticated network reachability makes it a notable risk for sites still running the affected ThemeREX product.
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote attackers to deliver crafted serialized payloads that are deserialized by the plugin, enabling abuse of any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or themes. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network-reachable nature makes it a high-priority patch for any site running the plugin.
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject arbitrary PHP objects, potentially leading to full site compromise via gadget-chain abuse. The CVSS 9.8 score reflects network-reachable, no-authentication, no-interaction exploitation against a widely deployed commercial WordPress plugin. No public exploit identified at time of analysis, but the unsafe-deserialization class (CWE-502) historically yields fast weaponization once a usable POP chain is published.
Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Mikado-Themes EasyMeals WordPress theme through version 1.5.1, allowing remote attackers to inject crafted serialized objects that are deserialized by vulnerable PHP code paths. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability on the underlying WordPress site, though no public exploit identified at time of analysis. The CVSS 8.1 score reflects high attack complexity, consistent with the typical need for a usable gadget chain in the host WordPress environment.
Unauthenticated PHP object injection in the Reina WordPress theme (versions 2.1 and earlier) by Edge Themes allows remote attackers to trigger insecure deserialization, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present in the WordPress instance. The flaw carries a CVSS 3.1 score of 8.1 (High) with no public exploit identified at time of analysis. The reference from Patchstack confirms the issue but no KEV listing or EPSS data is provided.
Unauthenticated local file inclusion in the Mikado-Themes ChapterOne WordPress theme (versions 1.7 and earlier) allows remote attackers to coerce the PHP application into including arbitrary local files via crafted requests. Successful exploitation can disclose sensitive files such as wp-config.php and, depending on server configuration, lead to PHP code execution by including attacker-influenced content. No public exploit identified at time of analysis, but the vulnerability is publicly cataloged by Patchstack.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Xtemos Hitek WordPress theme versions prior to 1.8.3 allows remote attackers to include and execute arbitrary local files on the server via crafted requests, mapped to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP). With a CVSS 3.1 score of 8.1 and high attack complexity but no authentication required, successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential remote code execution. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Select Themes Mildhill WordPress theme in versions 1.5 and earlier, allowing remote attackers to inject crafted serialized PHP objects that the application deserializes without validation. Successful exploitation can yield high confidentiality, integrity, and availability impact on the underlying WordPress site, typically by chaining the injected object with a POP gadget present in the theme, WordPress core, or another installed plugin. No public exploit identified at time of analysis, and the issue is reported via Patchstack rather than the CISA KEV catalog.
Unauthenticated local file inclusion in the Malmö WordPress theme versions 2.2 and earlier allows remote attackers to include arbitrary local files via crafted requests, enabling disclosure of sensitive server-side content and potentially remote code execution. The flaw is reported by Patchstack and classified as CWE-98 (improper control of filename for include/require), with no public exploit identified at time of analysis. Affected sites are WordPress installations using the elated-themes Malmö theme.
Unauthenticated PHP Object Injection in the Zermatt WordPress theme versions 1.6.1 and earlier allows remote attackers to deliver malicious serialized PHP objects to a vulnerable unserialize() sink without prior authentication. Successful exploitation can lead to high impact on confidentiality, integrity, and availability when a suitable POP gadget chain is reachable in the WordPress installation. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the Mikado Core WordPress plugin versions 1.6 and earlier allows remote attackers to include arbitrary local files via crafted HTTP requests, potentially exposing sensitive server contents and enabling code execution. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in ThemeREX EcoBlue WordPress theme versions 1.15 and earlier enables remote attackers to include arbitrary local files on the server without credentials, potentially leading to source code disclosure and remote code execution via PHP file inclusion (CWE-98). No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with WordPress's broad deployment surface makes this notable. EPSS data was not provided, and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX AutoParts WordPress theme versions 1.5.8 and earlier allows remote attackers to include and execute arbitrary local files on the server. No public exploit identified at time of analysis, but the CWE-98 classification and PR:N CVSS vector make this a meaningful pre-authentication risk for any WordPress site running the theme. Successful exploitation typically leads to sensitive file disclosure (wp-config.php) and, when combined with log poisoning or uploaded content, full remote code execution.
Unauthenticated local file inclusion in the Themeum Right Way WordPress theme versions 4.0 and earlier allows remote attackers to include arbitrary local files and likely achieve code execution through PHP file inclusion (CWE-98). The flaw is network-reachable without credentials, though CVSS records high attack complexity (AC:H), and no public exploit has been identified at time of analysis. The advisory is sourced from Patchstack's WordPress vulnerability database.
Unauthenticated local file inclusion in the Reprizo WordPress theme by AxiomThemes (versions 1.0.8 and earlier) allows remote attackers to coerce the PHP include/require chain into loading arbitrary server-side files, leading to disclosure of sensitive configuration data and potential code execution if uploaded or log files can be referenced. No public exploit identified at time of analysis, but the issue is tracked by Patchstack as a high-severity flaw against a commercial WordPress theme.
Unauthenticated local file inclusion in the Promo WordPress theme through version 1.3.0 allows remote attackers to coerce the application into including arbitrary PHP files from the server, potentially leading to source code disclosure, sensitive file reads, or remote code execution where attacker-controlled files are reachable. The vulnerability is reported by Patchstack and affects axiomthemes' Promo theme; no public exploit identified at time of analysis and EPSS data was not provided. The CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability despite high attack complexity.
Unauthenticated local file inclusion in the ThemeREX Tipsy WordPress theme versions 1.1 and earlier allows remote attackers to coerce the PHP interpreter into including arbitrary files via attacker-controlled path parameters. Successful exploitation can disclose sensitive server-side files, leak configuration secrets such as wp-config.php database credentials, and - depending on environment - escalate to code execution by including log files, session files, or other writable artifacts. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX Resurs WordPress theme versions 1.3 and below allows remote attackers to include and execute arbitrary local files on the server. The flaw, tracked under CWE-98 (Improper Control of Filename for Include/Require), enables disclosure of sensitive files and potential code execution depending on server configuration. No public exploit identified at time of analysis, though Patchstack has confirmed the issue against the affected theme.
Unauthenticated Local File Inclusion in the ThemeREX Orpheus WordPress theme (versions <= 1.3) allows remote attackers to read arbitrary files on the server and potentially achieve code execution via PHP file inclusion. The flaw stems from improper control of filenames in an include/require statement (CWE-98), and while no public exploit has been identified at time of analysis, the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability. Risk is somewhat tempered by the high attack complexity metric in the CVSS vector.
Unauthenticated local file inclusion in the Snowy WordPress theme (ThemeREX) versions up to and including 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files from the server filesystem. The flaw is tracked as CWE-98 (Improper Control of Filename for Include/Require), reported by Patchstack, and carries a CVSS 3.1 score of 8.1 (High) reflecting high-complexity but unauthenticated network exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Gat WordPress theme (versions 1.16 and earlier) allows remote attackers to include arbitrary local files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or remote code execution if combined with uploadable content. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact. The vulnerability is reported by Patchstack and affects the ThemeRex Gat theme.
Unauthenticated local file inclusion in the ThemeREX Ingenioso WordPress theme through version 1.14.0 allows remote attackers to coerce the PHP application into including arbitrary server-side files, leading to disclosure of sensitive content and potential remote code execution where uploaded or log-poisoned files can be reached. The flaw is classified under CWE-98 (improper control of filename for include/require) and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 (High) with high attack complexity, reflecting that successful exploitation depends on identifying a reachable include path.
Unauthenticated local file inclusion in the AirSupply WordPress theme versions up to and including 2.0.0 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive data and potentially leading to code execution. Reported by Patchstack and tracked under CWE-98 (improper PHP file inclusion), with no public exploit identified at time of analysis and no EPSS or KEV signal supplied in the input. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation that nevertheless requires meeting non-trivial conditions to succeed.
Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex HomeRoofer WordPress theme through version 2.11.0 allows remote attackers to include and read arbitrary local files on the server, potentially leading to source code disclosure, credential theft from wp-config.php, and in some PHP configurations remote code execution. The flaw is reachable without authentication over HTTP, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue in their WordPress vulnerability database. No CISA KEV listing or EPSS data was supplied in the source intelligence.
Unauthenticated Local File Inclusion affects the Joly WordPress theme by ThemeREX in versions up to and including 1.22.0, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Successful exploitation can disclose sensitive configuration (such as wp-config.php containing database credentials and auth keys) and, depending on server configuration, escalate to remote code execution via log poisoning or session file inclusion. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Neuronet WordPress theme before version 1.14.0 allows remote attackers to coerce the PHP runtime into including arbitrary files via untrusted input reaching an include/require statement. The flaw is reachable without authentication or user interaction, but CVSS marks attack complexity as High, suggesting non-trivial preconditions for full exploitation. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.
PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.
Stored cross-site scripting in Teldat's Regesta Smart HD-PLC (TLDPH16D2, firmware 11.02.05.10.02) allows a privileged, authenticated attacker to inject arbitrary JavaScript into the device's 'Hostname' configuration field, which executes in the browser of any user who subsequently loads the `/upgrade/query.php?cmd=p+3%3Bversion` endpoint. The CVSS 4.0 score of 4.8 reflects meaningful constraints: high-privilege access (PR:H) is required to write the malicious configuration, and victim user interaction (UI:P) is needed to trigger execution. No public exploit identified at time of analysis and not listed in CISA KEV; a vendor patch is available.
Unauthenticated information disclosure in the Teldat Regesta Smart HD-PLC (model TLDPH16D2, firmware 11.02.05.10.02) exposes version and privilege data via a PHP-based upgrade query endpoint accessible over the network without any login or registration. An attacker sends a crafted HTTP request to /upgrade/query.php?cmd=p+3&3Bversion and receives sensitive system metadata in the response, violating CWE-201 by returning information that should be restricted. No active exploitation has been confirmed (not in CISA KEV), and the direct impact is limited to confidentiality, but the exposed data can enable targeted follow-on attacks against this HD-PLC networking device.
Authentication header injection in Caddy versions prior to 2.11.4 allows remote attackers with low privileges to bypass forward_auth identity protections and inject or override trusted HTTP_REMOTE_* CGI variables in downstream PHP/FastCGI applications. The flaw arises because forward_auth's copy_headers directive performs exact-name deletion of client-supplied headers (e.g., Remote-Groups), while the php_fastcgi module later normalizes hyphens to underscores when exporting CGI variables, allowing an underscore alias like Remote_Groups to survive and collide with the trusted variable. Publicly available exploit code exists via the vendor GHSA advisory PoC, though no public exploit identified at time of analysis indicates active exploitation in the wild.
Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.
Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.
Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.
Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).
Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.
Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.
PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.
PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.
Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.
Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.
Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.
Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.
Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.
Unauthenticated PHP object injection in the WordPress Elementra theme (versions ≤ 1.0.9) allows remote attackers to deliver crafted serialized payloads that trigger deserialization of untrusted data. With no public exploit identified at time of analysis, the CVSS 9.8 vector still indicates network-reachable, no-auth exploitation against any WordPress site running an affected Elementra build. Successful chaining with a POP gadget in WordPress core or other installed plugins typically yields remote code execution or full site compromise.
Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.
Unauthenticated PHP object injection in the Kapee WordPress theme versions prior to 1.7.0 allows remote attackers to inject crafted serialized objects that, when combined with suitable gadget chains, can lead to high-impact compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available; no public exploit identified at time of analysis, but the unauthenticated network vector makes this a meaningful priority for sites running this commercial WooCommerce theme.
Unauthenticated PHP Object Injection in the EmallShop WordPress theme (versions <= 2.4.21) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application, potentially leading to remote code execution, data tampering, or denial of service when a suitable gadget chain is present. The flaw was disclosed by Patchstack (EUVD-2026-37470) and carries CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis and not listed in CISA KEV.
Unauthenticated local file inclusion in Softlab Core WordPress plugin versions before 1.2.11 allows remote attackers to read or include arbitrary local files on the server, potentially leading to sensitive information disclosure or remote code execution if attacker-controlled content can be reached. The flaw is reported by Patchstack and tagged as PHP/LFI affecting the WebGeniusLab Softlab Core plugin used in WordPress deployments. No public exploit identified at time of analysis, though the unauthenticated nature and high CVSS impact warrant prompt patching.
Unauthenticated Local File Inclusion in the Integrio Core WordPress plugin (versions prior to 1.2.8) by webgeniuslab allows remote attackers to coerce the PHP application into including arbitrary local files, leading to source code disclosure, sensitive file exposure, and potentially remote code execution when log poisoning or upload primitives are available. The CVSS vector (AV:N/AC:H/PR:N/UI:N) reflects network-reachable, unauthenticated exploitation with high attack complexity, and no public exploit identified at time of analysis. The flaw is tracked by Patchstack and ENISA EUVD (EUVD-2026-37466) with a vendor-released patch in version 1.2.8.
Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.
Unauthenticated PHP Object Injection in BoldThemes Nifty WordPress theme versions 1.4.1 and earlier allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution when a suitable gadget chain exists in the WordPress installation. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with CVSS 9.8 makes this a high-priority issue for any site running the affected theme. Reported by Patchstack and tracked as EUVD-2026-37464.
PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.
Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).
Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.
Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).
Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.
Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the ThemeRex Grecko WordPress theme versions 5.17 and earlier allows remote attackers to coerce the application into including arbitrary files from the server filesystem, potentially leading to sensitive file disclosure and PHP code execution where attacker-controlled content can be reached. The flaw is reachable without authentication over HTTP and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 with high attack complexity, indicating exploitation is feasible but not trivially automatable.
Unauthenticated local file inclusion in the ThemeRex Gita WordPress theme versions 1.11 and earlier allows remote attackers to include arbitrary local files via a PHP file-inclusion weakness (CWE-98), potentially exposing wp-config.php credentials and enabling further compromise. No public exploit identified at time of analysis, but the vulnerability is network-reachable without authentication and has been disclosed by Patchstack with a CVSS 3.1 base score of 8.1.
Unauthenticated local file inclusion in the Printo WordPress theme (versions ≤ 1.11 by ThemeRex) allows remote attackers to include arbitrary local files via a PHP file-inclusion sink (CWE-98), enabling disclosure of sensitive server-side files and potential remote code execution if attacker-controlled content can be reached on disk. No public exploit identified at time of analysis, though Patchstack has cataloged the issue and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Unauthenticated local file inclusion in the Medeus WordPress theme versions 1.14 and earlier allows remote attackers to coerce the PHP backend into including arbitrary files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be referenced. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require), affects a ThemeREX product tracked by Patchstack as a WordPress theme issue, and no public exploit identified at time of analysis. Despite the CVSS 8.1 high rating, AC:H signals non-trivial exploitation requirements beyond a simple parameter swap.
Unauthenticated local file inclusion in the ThemeRex Gunslinger WordPress theme through version 1.7 allows remote attackers to coerce PHP into including arbitrary files from the server filesystem, leading to disclosure of sensitive files and potential remote code execution where attacker-influenced content can be staged. No public exploit identified at time of analysis, but the flaw is reachable without authentication and affects all installations running version 1.7 or earlier of the theme.
Unauthenticated local file inclusion in ThemeRex Skyward WordPress theme versions 1.10 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server, enabling sensitive file disclosure and potential remote code execution. The flaw is reachable without authentication over the network and no public exploit has been identified at time of analysis, though Patchstack has catalogued the issue in their vulnerability database. CVSS rates the impact as 8.1 (High) reflecting full confidentiality, integrity, and availability compromise despite high attack complexity.
Unauthenticated Local File Inclusion in the ThemeREX Granola WordPress theme through version 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files via attacker-controlled path input. The flaw is reachable over the network without credentials or user interaction and can expose sensitive site files such as wp-config.php, potentially escalating to code execution if log-poisoning or session-file techniques are viable. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Local file inclusion in the ThemeRex Gamic WordPress theme versions 1.15 and earlier allows unauthenticated remote attackers to coerce the PHP application into including arbitrary files via crafted parameters. Successful exploitation can expose sensitive configuration data (including wp-config.php) and, depending on server configuration, may escalate to remote code execution through log poisoning or session-file inclusion. No public exploit identified at time of analysis, and the issue has not been listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Preservation WordPress theme versions 1.10 and earlier allows remote attackers to read arbitrary files from the underlying web server, with high complexity (AC:H) but no authentication required (PR:N). The flaw, reported by Patchstack and classified as CWE-98 (improper filename control for PHP include/require statements), can lead to disclosure of sensitive files such as wp-config.php and, depending on the inclusion path, potentially full code execution. No public exploit identified at time of analysis and no KEV listing.
PHP Object Injection in the Entrepreneur - Booking for Small Businesses WordPress theme through version 3.1.3 allows authenticated subscriber-level users to trigger unsafe deserialization, potentially leading to full site compromise. The flaw was disclosed via Patchstack and carries a CVSS 3.1 base score of 8.8 reflecting high impact on confidentiality, integrity, and availability. No public exploit identified at time of analysis.
Unauthenticated PHP Object Injection in the ThemeREX Plumbing WordPress theme versions 1.6 and earlier allows remote attackers to inject arbitrary PHP objects via untrusted deserialization, potentially leading to full site compromise when a suitable POP gadget chain is present. No public exploit identified at time of analysis, but the CVSS 9.8 rating and unauthenticated network attack vector make this a high-priority issue for any WordPress site running this theme.
Unauthenticated local file inclusion in the ThemeRex Fortius WordPress theme (versions 2.3.0 and earlier) allows remote attackers to include and disclose arbitrary local files on the server via a vulnerable PHP file/path parameter. The flaw maps to CWE-98 (improper control of filename for include/require) and can lead to source code disclosure, leakage of WordPress secrets in wp-config.php, and in some PHP setups remote code execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex Snow Club WordPress theme versions 1.1 and earlier allows remote attackers to include and execute arbitrary local files on the host, leading to sensitive file disclosure and potential remote code execution. The flaw is reported by Patchstack and maps to CWE-98 (PHP file inclusion); no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion affects the Dazzle WordPress theme (by ThemeRex) in versions up to and including 1.0.0, allowing remote attackers to read or potentially include arbitrary local files on the server. The flaw stems from improper control of filename parameters used in PHP include/require statements (CWE-98), and no public exploit has been identified at time of analysis. With a CVSS 8.1 reflecting high attack complexity but no authentication, the vulnerability is reachable by anonymous attackers but requires specific conditions to weaponize fully.
Unauthenticated local file inclusion in the ThemeREX LuxMed Medicine & Healthcare Doctor WordPress theme versions 1.2.2 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server. The flaw is CWE-98 (improper control of filename for include/require) and carries CVSS 8.1 (high), though attack complexity is high; no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Unauthenticated PHP object injection in the ThemeREX Reisen WordPress theme versions 1.4.1 and earlier allows remote attackers to trigger deserialization of attacker-controlled data without authentication. Successful exploitation can lead to full site compromise via gadget chains commonly available in WordPress core or active plugins, with CVSS rated 9.8 critical. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Local File Inclusion in the Imba WordPress theme versions 1.5.0 and earlier allows remote unauthenticated attackers to read arbitrary files from the underlying server. The flaw is rooted in PHP file-inclusion handling (CWE-98) and has no public exploit identified at time of analysis, but its unauthenticated network reachability makes it a notable risk for sites still running the affected ThemeREX product.
Unauthenticated PHP object injection in the WP Activity Log WordPress plugin versions 5.6.3.1 and earlier allows remote attackers to deliver crafted serialized payloads that are deserialized by the plugin, enabling abuse of any POP (property-oriented programming) gadget chain present in WordPress core, other active plugins, or themes. With a CVSS 3.1 base of 9.8 (AV:N/AC:L/PR:N/UI:N) and no authentication required, successful exploitation typically yields remote code execution, arbitrary file operations, or database compromise on the affected site. No public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV, but the unauthenticated network-reachable nature makes it a high-priority patch for any site running the plugin.
Unauthenticated PHP Object Injection in Crocoblock JetEngine WordPress plugin versions 3.8.10 and earlier allows remote attackers to inject arbitrary PHP objects, potentially leading to full site compromise via gadget-chain abuse. The CVSS 9.8 score reflects network-reachable, no-authentication, no-interaction exploitation against a widely deployed commercial WordPress plugin. No public exploit identified at time of analysis, but the unsafe-deserialization class (CWE-502) historically yields fast weaponization once a usable POP chain is published.
Unauthenticated PHP Object Injection in the Thrive Apprentice WordPress plugin (versions prior to 10.8.10.2) allows remote attackers to inject arbitrary PHP objects that get deserialized by the application, potentially leading to remote code execution when a suitable POP gadget chain is present. The flaw is reachable without authentication and carries a CVSS 9.8 critical rating with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
PHP Object Injection in the JetEngine WordPress plugin (versions through 3.8.9.1) allows authenticated users with the Contributor role to inject crafted serialized objects that are deserialized by the plugin, potentially leading to code execution or other gadget-chain abuse on the host site. The flaw, reported by Patchstack and tracked under CWE-502, requires only the low-privileged Contributor role rather than admin access, which significantly broadens the attacker pool on multi-author WordPress installations. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP Object Injection in the AI Lab WordPress theme versions prior to 5.4.2 enables remote attackers to deliver crafted serialized payloads to a vulnerable deserialization sink. With a CVSS 9.8 rating and no authentication required, successful exploitation can lead to arbitrary code execution, data theft, or full site takeover depending on which POP gadget chains are available in WordPress core or installed plugins. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Mikado-Themes EasyMeals WordPress theme through version 1.5.1, allowing remote attackers to inject crafted serialized objects that are deserialized by vulnerable PHP code paths. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability on the underlying WordPress site, though no public exploit identified at time of analysis. The CVSS 8.1 score reflects high attack complexity, consistent with the typical need for a usable gadget chain in the host WordPress environment.
Unauthenticated PHP object injection in the Reina WordPress theme (versions 2.1 and earlier) by Edge Themes allows remote attackers to trigger insecure deserialization, potentially leading to arbitrary code execution, data tampering, or denial of service when a suitable PHP gadget chain is present in the WordPress instance. The flaw carries a CVSS 3.1 score of 8.1 (High) with no public exploit identified at time of analysis. The reference from Patchstack confirms the issue but no KEV listing or EPSS data is provided.
Unauthenticated local file inclusion in the Mikado-Themes ChapterOne WordPress theme (versions 1.7 and earlier) allows remote attackers to coerce the PHP application into including arbitrary local files via crafted requests. Successful exploitation can disclose sensitive files such as wp-config.php and, depending on server configuration, lead to PHP code execution by including attacker-influenced content. No public exploit identified at time of analysis, but the vulnerability is publicly cataloged by Patchstack.
Unauthenticated PHP object injection in the WooCommerce Product Filters WordPress plugin (versions prior to 2.0.6) allows remote attackers to deserialize attacker-controlled data and trigger PHP magic methods on existing application gadgets. With a CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and CWE-502 root cause, successful exploitation can lead to remote code execution, arbitrary file operations, or full site takeover depending on available POP chains in WordPress core or co-installed plugins. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Local file inclusion in the Element Pack Pro WordPress plugin (versions 9.0.6 and earlier) allows authenticated contributors to read or include arbitrary server-side files via insufficient validation of a file path parameter, mapped to CWE-98 (improper control of filename for include/require). The flaw was reported through Patchstack and affects bdthemes' Element Pack Pro, a widely deployed Elementor add-on; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Xtemos Hitek WordPress theme versions prior to 1.8.3 allows remote attackers to include and execute arbitrary local files on the server via crafted requests, mapped to CWE-98 (Improper Control of Filename for Include/Require Statement in PHP). With a CVSS 3.1 score of 8.1 and high attack complexity but no authentication required, successful exploitation can lead to source code disclosure, sensitive configuration exposure, and potential remote code execution. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated PHP Object Injection affects the Select Themes Mildhill WordPress theme in versions 1.5 and earlier, allowing remote attackers to inject crafted serialized PHP objects that the application deserializes without validation. Successful exploitation can yield high confidentiality, integrity, and availability impact on the underlying WordPress site, typically by chaining the injected object with a POP gadget present in the theme, WordPress core, or another installed plugin. No public exploit identified at time of analysis, and the issue is reported via Patchstack rather than the CISA KEV catalog.
Unauthenticated local file inclusion in the Malmö WordPress theme versions 2.2 and earlier allows remote attackers to include arbitrary local files via crafted requests, enabling disclosure of sensitive server-side content and potentially remote code execution. The flaw is reported by Patchstack and classified as CWE-98 (improper control of filename for include/require), with no public exploit identified at time of analysis. Affected sites are WordPress installations using the elated-themes Malmö theme.
Unauthenticated PHP Object Injection in the Zermatt WordPress theme versions 1.6.1 and earlier allows remote attackers to deliver malicious serialized PHP objects to a vulnerable unserialize() sink without prior authentication. Successful exploitation can lead to high impact on confidentiality, integrity, and availability when a suitable POP gadget chain is reachable in the WordPress installation. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the Mikado Core WordPress plugin versions 1.6 and earlier allows remote attackers to include arbitrary local files via crafted HTTP requests, potentially exposing sensitive server contents and enabling code execution. CVSS 8.1 reflects high impact across confidentiality, integrity, and availability, though attack complexity is rated High. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in ThemeREX EcoBlue WordPress theme versions 1.15 and earlier enables remote attackers to include arbitrary local files on the server without credentials, potentially leading to source code disclosure and remote code execution via PHP file inclusion (CWE-98). No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with WordPress's broad deployment surface makes this notable. EPSS data was not provided, and the issue is not listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX AutoParts WordPress theme versions 1.5.8 and earlier allows remote attackers to include and execute arbitrary local files on the server. No public exploit identified at time of analysis, but the CWE-98 classification and PR:N CVSS vector make this a meaningful pre-authentication risk for any WordPress site running the theme. Successful exploitation typically leads to sensitive file disclosure (wp-config.php) and, when combined with log poisoning or uploaded content, full remote code execution.
Unauthenticated local file inclusion in the Themeum Right Way WordPress theme versions 4.0 and earlier allows remote attackers to include arbitrary local files and likely achieve code execution through PHP file inclusion (CWE-98). The flaw is network-reachable without credentials, though CVSS records high attack complexity (AC:H), and no public exploit has been identified at time of analysis. The advisory is sourced from Patchstack's WordPress vulnerability database.
Unauthenticated local file inclusion in the Reprizo WordPress theme by AxiomThemes (versions 1.0.8 and earlier) allows remote attackers to coerce the PHP include/require chain into loading arbitrary server-side files, leading to disclosure of sensitive configuration data and potential code execution if uploaded or log files can be referenced. No public exploit identified at time of analysis, but the issue is tracked by Patchstack as a high-severity flaw against a commercial WordPress theme.
Unauthenticated local file inclusion in the Promo WordPress theme through version 1.3.0 allows remote attackers to coerce the application into including arbitrary PHP files from the server, potentially leading to source code disclosure, sensitive file reads, or remote code execution where attacker-controlled files are reachable. The vulnerability is reported by Patchstack and affects axiomthemes' Promo theme; no public exploit identified at time of analysis and EPSS data was not provided. The CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability despite high attack complexity.
Unauthenticated local file inclusion in the ThemeREX Tipsy WordPress theme versions 1.1 and earlier allows remote attackers to coerce the PHP interpreter into including arbitrary files via attacker-controlled path parameters. Successful exploitation can disclose sensitive server-side files, leak configuration secrets such as wp-config.php database credentials, and - depending on environment - escalate to code execution by including log files, session files, or other writable artifacts. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.
Unauthenticated Local File Inclusion in the ThemeREX Resurs WordPress theme versions 1.3 and below allows remote attackers to include and execute arbitrary local files on the server. The flaw, tracked under CWE-98 (Improper Control of Filename for Include/Require), enables disclosure of sensitive files and potential code execution depending on server configuration. No public exploit identified at time of analysis, though Patchstack has confirmed the issue against the affected theme.
Unauthenticated Local File Inclusion in the ThemeREX Orpheus WordPress theme (versions <= 1.3) allows remote attackers to read arbitrary files on the server and potentially achieve code execution via PHP file inclusion. The flaw stems from improper control of filenames in an include/require statement (CWE-98), and while no public exploit has been identified at time of analysis, the CVSS 8.1 rating reflects high impact across confidentiality, integrity, and availability. Risk is somewhat tempered by the high attack complexity metric in the CVSS vector.
Unauthenticated local file inclusion in the Snowy WordPress theme (ThemeREX) versions up to and including 1.13 allows remote attackers to coerce the PHP runtime into including arbitrary files from the server filesystem. The flaw is tracked as CWE-98 (Improper Control of Filename for Include/Require), reported by Patchstack, and carries a CVSS 3.1 score of 8.1 (High) reflecting high-complexity but unauthenticated network exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Quirky WordPress theme versions 1.23 and earlier allows remote attackers to include and disclose arbitrary local files on the server. The flaw stems from improper control of filename for include/require statements (CWE-98), which can escalate to remote code execution if attackers can plant or reach an includable PHP payload. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated local file inclusion in the Gat WordPress theme (versions 1.16 and earlier) allows remote attackers to include arbitrary local files on the server, potentially leading to disclosure of sensitive configuration data, credentials, or remote code execution if combined with uploadable content. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high confidentiality, integrity, and availability impact. The vulnerability is reported by Patchstack and affects the ThemeRex Gat theme.
Unauthenticated local file inclusion in the ThemeREX Ingenioso WordPress theme through version 1.14.0 allows remote attackers to coerce the PHP application into including arbitrary server-side files, leading to disclosure of sensitive content and potential remote code execution where uploaded or log-poisoned files can be reached. The flaw is classified under CWE-98 (improper control of filename for include/require) and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 (High) with high attack complexity, reflecting that successful exploitation depends on identifying a reachable include path.
Unauthenticated local file inclusion in the AirSupply WordPress theme versions up to and including 2.0.0 allows remote attackers to coerce the PHP application into including arbitrary local files, exposing sensitive data and potentially leading to code execution. Reported by Patchstack and tracked under CWE-98 (improper PHP file inclusion), with no public exploit identified at time of analysis and no EPSS or KEV signal supplied in the input. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation that nevertheless requires meeting non-trivial conditions to succeed.
Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that are deserialized by the plugin, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeRex HomeRoofer WordPress theme through version 2.11.0 allows remote attackers to include and read arbitrary local files on the server, potentially leading to source code disclosure, credential theft from wp-config.php, and in some PHP configurations remote code execution. The flaw is reachable without authentication over HTTP, and no public exploit has been identified at time of analysis though Patchstack has catalogued the issue in their WordPress vulnerability database. No CISA KEV listing or EPSS data was supplied in the source intelligence.
Unauthenticated Local File Inclusion affects the Joly WordPress theme by ThemeREX in versions up to and including 1.22.0, allowing remote attackers without credentials to coerce the PHP application into including arbitrary local files. Successful exploitation can disclose sensitive configuration (such as wp-config.php containing database credentials and auth keys) and, depending on server configuration, escalate to remote code execution via log poisoning or session file inclusion. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Unauthenticated local file inclusion in the ThemeREX Neuronet WordPress theme before version 1.14.0 allows remote attackers to coerce the PHP runtime into including arbitrary files via untrusted input reaching an include/require statement. The flaw is reachable without authentication or user interaction, but CVSS marks attack complexity as High, suggesting non-trivial preconditions for full exploitation. No public exploit identified at time of analysis, and the issue is not on the CISA KEV list.
Unauthenticated arbitrary file download in the Premium Age Verification / Restriction for WordPress plugin (versions ≤ 3.0.2) allows remote attackers to retrieve arbitrary files from the underlying server without any credentials or user interaction. The CVSS 3.1 score of 7.5 reflects high confidentiality impact with no integrity or availability impact, consistent with file disclosure rather than code execution. There is no public exploit identified at time of analysis and the issue is not present in CISA KEV, but Patchstack has confirmed the flaw against a default plugin installation.
Privilege escalation in the Contest Gallery WordPress plugin (versions ≤ 30.0.2) allows authenticated Contributor/Author-level users to overwrite the stored RegistryUserRole option to 'administrator', causing newly registered Google sign-in accounts to be promoted to Administrator. The flaw was disclosed by Wordfence and stems from a missing capability check in the option-saving handler; no public exploit identified at time of analysis.
PHP Object Injection in the Counter Box WordPress plugin (all versions through 2.0.13) allows authenticated administrators to deserialize attacker-controlled input via the plugin's import functionality, with deserialization triggered automatically on the post-import redirect and again when any imported item is opened for editing. The vulnerability carries no standalone impact - exploitation is entirely contingent on a Property-Oriented Programming (POP) chain being present in a separately installed plugin or theme, at which point an attacker could achieve arbitrary file deletion, sensitive data retrieval, or remote code execution. No public exploit is identified at time of analysis, and the CVSS AC:H and PR:H ratings reflect both the administrative access requirement and the environmental dependency on co-installed POP chain software.
Stored cross-site scripting in Teldat's Regesta Smart HD-PLC (TLDPH16D2, firmware 11.02.05.10.02) allows a privileged, authenticated attacker to inject arbitrary JavaScript into the device's 'Hostname' configuration field, which executes in the browser of any user who subsequently loads the `/upgrade/query.php?cmd=p+3%3Bversion` endpoint. The CVSS 4.0 score of 4.8 reflects meaningful constraints: high-privilege access (PR:H) is required to write the malicious configuration, and victim user interaction (UI:P) is needed to trigger execution. No public exploit identified at time of analysis and not listed in CISA KEV; a vendor patch is available.
Unauthenticated information disclosure in the Teldat Regesta Smart HD-PLC (model TLDPH16D2, firmware 11.02.05.10.02) exposes version and privilege data via a PHP-based upgrade query endpoint accessible over the network without any login or registration. An attacker sends a crafted HTTP request to /upgrade/query.php?cmd=p+3&3Bversion and receives sensitive system metadata in the response, violating CWE-201 by returning information that should be restricted. No active exploitation has been confirmed (not in CISA KEV), and the direct impact is limited to confidentiality, but the exposed data can enable targeted follow-on attacks against this HD-PLC networking device.
Authentication header injection in Caddy versions prior to 2.11.4 allows remote attackers with low privileges to bypass forward_auth identity protections and inject or override trusted HTTP_REMOTE_* CGI variables in downstream PHP/FastCGI applications. The flaw arises because forward_auth's copy_headers directive performs exact-name deletion of client-supplied headers (e.g., Remote-Groups), while the php_fastcgi module later normalizes hyphens to underscores when exporting CGI variables, allowing an underscore alias like Remote_Groups to survive and collide with the trusted variable. Publicly available exploit code exists via the vendor GHSA advisory PoC, though no public exploit identified at time of analysis indicates active exploitation in the wild.
Unauthenticated PHP object injection in Edge-Themes Valeska WordPress theme versions 1.2.2 and earlier allows remote attackers to trigger insecure deserialization, potentially leading to code execution, file manipulation, or full site compromise when suitable PHP magic-method gadgets are present in the WordPress stack. No public exploit identified at time of analysis, but Patchstack has catalogued the flaw and the high CVSS (8.1) reflects the serious confidentiality, integrity, and availability impact possible against affected installations.
Unauthenticated PHP Object Injection in the Behold WordPress theme (versions ≤1.5) by edge-themes allows remote attackers to deliver crafted serialized payloads that are deserialized by the theme without validation. Successful exploitation can lead to full compromise of the affected WordPress site through gadget-chain abuse, with high confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado Themes 'Esmée' WordPress theme (versions through 1.4) allows remote attackers to inject crafted serialized objects that are processed by unsafe deserialization. Exploitation depends on the presence of usable PHP gadget chains (often from WordPress core or co-installed plugins/themes), and no public exploit identified at time of analysis, but successful attacks can lead to file write, SQL manipulation, or remote code execution on the underlying site. The CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the gadget-chain dependency rather than the network-reachable, unauthenticated entry point itself.
Unauthenticated PHP Object Injection in the Léonie WordPress theme (versions ≤ 1.2.1) by Elated Themes allows remote attackers to deserialize attacker-controlled data, potentially leading to arbitrary code execution, file manipulation, or full site compromise when a suitable POP gadget chain exists in the WordPress stack. Reported by Patchstack and tracked as EUVD-2026-37490, with no public exploit identified at time of analysis but a high CVSS score of 8.1 reflecting the severity of unauthenticated deserialization. No KEV listing is present.
Unauthenticated PHP Object Injection in the Mikado-Themes TechLink WordPress theme (versions up to and including 1.3) allows remote attackers to trigger insecure deserialization of attacker-controlled data. Successful exploitation can lead to full compromise of the underlying WordPress site, including arbitrary code execution, data theft, and site defacement, though the CVSS vector flags high attack complexity (AC:H). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Unauthenticated PHP object injection in the Roisin WordPress theme (versions up to and including 1.4) by elated-themes allows remote attackers to deliver crafted serialized payloads to vulnerable deserialization sinks, potentially leading to high-impact compromise of confidentiality, integrity, and availability. The CVSS 8.1 score reflects high attack complexity offset by the lack of any authentication or user interaction. No public exploit was identified at time of analysis, and the issue is tracked by Patchstack and ENISA (EUVD-2026-37488).
Unauthenticated PHP Object Injection in the Mikado-Themes Ashtanga WordPress theme (versions ≤ 1.2) allows remote attackers to deliver malicious serialized PHP objects to the application. When combined with a suitable POP (property-oriented programming) gadget chain present in WordPress core, other plugins, or themes, exploitation can lead to remote code execution, arbitrary file operations, or full site compromise. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Unauthenticated PHP object injection in the Mikado-Themes LuxeDrive WordPress theme through version 1.4 allows remote attackers to deliver crafted serialized payloads that, when combined with a suitable POP gadget chain, can lead to remote code execution, data tampering, or service disruption on the underlying WordPress site. No public exploit identified at time of analysis, and the CVSS attack complexity is High because successful exploitation typically depends on the presence of a usable gadget chain in WordPress core, other plugins, or themes installed alongside LuxeDrive. The flaw is tracked by Patchstack and EUVD as EUVD-2026-37486.
Unauthenticated PHP object injection in the Laurits WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data, potentially leading to code execution, data tampering, or denial of service when a suitable gadget chain is present in the WordPress stack. The flaw was disclosed via Patchstack and tracked as EUVD-2026-37485; no public exploit identified at time of analysis, though the high CVSS of 8.1 and CWE-502 classification mark it as a serious supply-chain risk for sites running this commercial Edge-Themes product.
PHP Object Injection in the Micdrop WordPress theme versions 1.3.1 and earlier allows remote unauthenticated attackers to trigger insecure deserialization, potentially leading to high impact on confidentiality, integrity, and availability of the underlying site. No public exploit identified at time of analysis, and the CVSS vector reflects high attack complexity, meaning successful exploitation likely depends on the presence of a usable PHP gadget chain in the site's installed plugins or core. The flaw is tracked as CWE-502 (Deserialization of Untrusted Data) and was reported by Patchstack.
PHP Object Injection in the Valiance WordPress theme (versions up to and including 1.2) by elated-themes allows attackers to pass attacker-controlled serialized data into a PHP unserialize() sink, enabling object injection that - when paired with a suitable gadget chain from WordPress core or another installed plugin - can lead to remote code execution, file manipulation, or data tampering. The Patchstack advisory labels the issue as unauthenticated, although the published CVSS vector lists PR:H, so the precise authentication boundary should be verified against the vendor advisory. There is no public exploit identified at time of analysis and the flaw is not listed in CISA KEV.
PHP Object Injection in the Playroom WordPress theme (versions ≤ 1.4.1) by elated-themes allows remote attackers to inject crafted serialized objects that are deserialized by the application, potentially triggering POP-chain gadgets. The vulnerability is described as unauthenticated by Patchstack despite the CVSS vector listing PR:H, and no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Mr. SEO WordPress theme versions 2.0 and earlier allows remote attackers to include and execute arbitrary local PHP files on the server without authentication. The flaw, reported by Patchstack and tracked as CWE-98 (PHP Remote File Inclusion), enables information disclosure and potential remote code execution depending on what files are reachable on the host. No public exploit identified at time of analysis, though the theme's WordPress deployment context broadens the attack surface across affected sites.
Unauthenticated PHP object injection in the Santé WordPress theme through version 1.5.1 allows remote attackers to deserialize attacker-controlled data and potentially achieve remote code execution, data tampering, or denial of service when a suitable POP gadget chain is present. The flaw is reported by Patchstack and tracked as EUVD-2026-37480; no public exploit identified at time of analysis, and the CVSS 8.1 score reflects high attack complexity offset by network reach and no authentication. The Santé theme is a commercial Select Themes product, so exposure is limited to sites that have installed and activated this specific theme.
Unauthenticated PHP Object Injection in the NeoBeat WordPress theme (versions ≤1.7) allows remote attackers to inject crafted serialized objects that, when deserialized by the application, can be chained with available gadgets to compromise the site. No public exploit identified at time of analysis, but the CVSS 8.1 rating reflects high impact across confidentiality, integrity and availability if a usable gadget chain is present in the WordPress core or installed plugins.
Unauthenticated PHP Object Injection in the Fidalgo WordPress theme (versions ≤1.2.2) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the theme, potentially leading to arbitrary code execution, data tampering, or service disruption depending on available gadget chains. No public exploit identified at time of analysis, but the unauthenticated network vector and CWE-502 classification make this a meaningful risk for WordPress sites running this commercial theme.
Unauthenticated local file inclusion in the Aperitif WordPress theme (versions up to and including 1.5) by elated-themes allows remote attackers to coerce the PHP include/require chain into loading attacker-controlled paths without credentials or user interaction. No public exploit identified at time of analysis, but the high CIA impact and unauthenticated network reach make it a meaningful supply-chain risk for sites using this commercial theme. The CVSS:3.1 score of 8.1 reflects high attack complexity, indicating the trigger likely requires a specific request pattern rather than a single trivial payload.
Local File Inclusion in the Getaway WordPress theme (versions before 1.8) by Select-Themes allows unauthenticated remote attackers to include arbitrary local PHP files via an unsanitized include/require parameter, leading to disclosure of sensitive files and potential code execution. The CWE-98 classification indicates improper control of filename used in PHP include/require, a pattern that frequently chains into RCE when log files, session files, or uploaded media can be referenced. No public exploit identified at time of analysis, and the issue is not in CISA KEV.
Unauthenticated PHP Object Injection in the Alloggio - Hotel Booking WordPress theme through version 2.1.2 allows remote attackers to inject crafted serialized objects that, when combined with a suitable gadget chain, can lead to high-impact compromise of the hosting WordPress site. The flaw was reported by Patchstack and is tracked as EUVD-2026-37474; no public exploit identified at time of analysis, and there is no evidence of active exploitation. CVSS 3.1 base score is 8.1 with high attack complexity, reflecting the need for a usable gadget chain in the WordPress environment.
Unauthenticated PHP object injection in the WordPress Elementra theme (versions ≤ 1.0.9) allows remote attackers to deliver crafted serialized payloads that trigger deserialization of untrusted data. With no public exploit identified at time of analysis, the CVSS 9.8 vector still indicates network-reachable, no-auth exploitation against any WordPress site running an affected Elementra build. Successful chaining with a POP gadget in WordPress core or other installed plugins typically yields remote code execution or full site compromise.
Unauthenticated Local File Inclusion in the Solene WordPress theme versions 3.4 and earlier allows remote attackers to read arbitrary server-side files and potentially execute PHP code via improperly controlled filename inclusion (CWE-98). The flaw is reachable over the network without credentials, and while CVSS:3.1 rates it 8.1 (High) with high attack complexity, no public exploit identified at time of analysis. Wide impact is plausible because Solene is a commercial WordPress theme distributed by Elated Themes and exposed on internet-facing sites.
Unauthenticated PHP object injection in the Kapee WordPress theme versions prior to 1.7.0 allows remote attackers to inject crafted serialized objects that, when combined with suitable gadget chains, can lead to high-impact compromise of confidentiality, integrity, and availability. The flaw was reported by Patchstack and a vendor patch is available; no public exploit identified at time of analysis, but the unauthenticated network vector makes this a meaningful priority for sites running this commercial WooCommerce theme.
Unauthenticated PHP Object Injection in the EmallShop WordPress theme (versions <= 2.4.21) allows remote attackers to inject crafted serialized PHP objects that are deserialized by the application, potentially leading to remote code execution, data tampering, or denial of service when a suitable gadget chain is present. The flaw was disclosed by Patchstack (EUVD-2026-37470) and carries CVSS 8.1 (AV:N/AC:H/PR:N/UI:N) - no public exploit identified at time of analysis and not listed in CISA KEV.
Unauthenticated local file inclusion in Softlab Core WordPress plugin versions before 1.2.11 allows remote attackers to read or include arbitrary local files on the server, potentially leading to sensitive information disclosure or remote code execution if attacker-controlled content can be reached. The flaw is reported by Patchstack and tagged as PHP/LFI affecting the WebGeniusLab Softlab Core plugin used in WordPress deployments. No public exploit identified at time of analysis, though the unauthenticated nature and high CVSS impact warrant prompt patching.
Unauthenticated Local File Inclusion in the Integrio Core WordPress plugin (versions prior to 1.2.8) by webgeniuslab allows remote attackers to coerce the PHP application into including arbitrary local files, leading to source code disclosure, sensitive file exposure, and potentially remote code execution when log poisoning or upload primitives are available. The CVSS vector (AV:N/AC:H/PR:N/UI:N) reflects network-reachable, unauthenticated exploitation with high attack complexity, and no public exploit identified at time of analysis. The flaw is tracked by Patchstack and ENISA EUVD (EUVD-2026-37466) with a vendor-released patch in version 1.2.8.
Unauthenticated Local File Inclusion in the Thegov Core WordPress plugin (versions prior to 2.0.23) allows remote attackers to coerce the application into including arbitrary files via a flaw classified as CWE-98 (PHP File Inclusion). Because the plugin powers the Thegov WordPress theme commonly used by government and political sites, successful exploitation can disclose sensitive configuration files such as wp-config.php and, depending on server state, escalate to PHP code execution. No public exploit identified at time of analysis, though Patchstack - the reporting party - has published a vendor advisory and a fixed release.
Unauthenticated PHP Object Injection in BoldThemes Nifty WordPress theme versions 1.4.1 and earlier allows remote attackers to inject arbitrary PHP objects through unsafe deserialization, potentially leading to remote code execution when a suitable gadget chain exists in the WordPress installation. No public exploit identified at time of analysis, but the unauthenticated network-reachable nature combined with CVSS 9.8 makes this a high-priority issue for any site running the affected theme. Reported by Patchstack and tracked as EUVD-2026-37464.
PHP Object Injection in the ThemeFusion Avada WordPress theme versions 3.15.3 and earlier allows authenticated users with Contributor-level privileges to trigger unsafe deserialization, potentially leading to remote code execution, data tampering, or service disruption on the underlying WordPress installation. No public exploit identified at time of analysis, but the low attack complexity and widespread deployment of Avada as a commercial WordPress theme make this a meaningful risk for multi-author sites.
Unauthenticated Local File Inclusion in the Truemag WordPress theme by Cactus Themes (versions up to and including 4.3.14.2) allows remote attackers to coerce the server into including arbitrary local PHP files without credentials. With CVSS 8.1 and full CIA impact (CWE-98), successful exploitation can lead to disclosure of sensitive files, configuration data, and potential code execution by including attacker-controlled or log-poisoned content, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the Roneous WordPress theme (versions up to and including 2.1.5) allows remote attackers to coerce the application into including arbitrary files on the server, potentially exposing sensitive data such as wp-config.php credentials or, when combined with file upload primitives, achieving remote code execution. The flaw is reachable without authentication over the network, and no public exploit identified at time of analysis. The vulnerability is tracked by Patchstack and ENISA EUVD (EUVD-2025-210183).
Local File Inclusion in the ThemeREX ITactics WordPress theme versions 1.0 and earlier allows remote unauthenticated attackers to include arbitrary files from the underlying server, leading to disclosure of sensitive configuration data and potentially PHP code execution if attacker-controlled content can be staged on the host. Tracked by Patchstack and indexed in ENISA EUVD as EUVD-2025-210182, the issue carries a CVSS 8.1 (High) score with no public exploit identified at time of analysis.
Local File Inclusion in the Spike WordPress theme (versions ≤1.2) by ThemeREX allows remote unauthenticated attackers to coerce the PHP backend into including arbitrary local files via crafted filename parameters. Successful exploitation can disclose sensitive server-side files, configuration data, and credentials, and on misconfigured PHP installations may lead to code execution. No public exploit identified at time of analysis, but the issue is reported and tracked by Patchstack (WordPress vulnerability intelligence).
Unauthenticated Local File Inclusion in the ThemeREX Eros WordPress theme versions 1.3 and earlier allows remote attackers to read arbitrary files and potentially achieve PHP code execution via include/require paths reachable without authentication. No public exploit identified at time of analysis, but the flaw is reported by Patchstack and tracked as EUVD-2025-210180. WordPress themes with LFI sinks are a recurring target because they expose include() statements through AJAX or template loader endpoints.
Local File Inclusion in the Choreo WordPress theme (versions through 1.6) allows unauthenticated remote attackers to include and read arbitrary local files from the server, with potential for further escalation to code execution depending on writable file content. The flaw was disclosed by Patchstack and is tracked as EUVD-2025-210179; no public exploit identified at time of analysis, and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Unauthenticated Local File Inclusion in the WineShop WordPress theme versions 3.17 and earlier allows remote attackers to include and execute arbitrary local files on the server via crafted requests. The flaw stems from improper control of filename for include/require (CWE-98) and carries a CVSS 8.1 (High) with full confidentiality, integrity, and availability impact, though no public exploit identified at time of analysis.
Unauthenticated local file inclusion in the ThemeRex Grecko WordPress theme versions 5.17 and earlier allows remote attackers to coerce the application into including arbitrary files from the server filesystem, potentially leading to sensitive file disclosure and PHP code execution where attacker-controlled content can be reached. The flaw is reachable without authentication over HTTP and was disclosed via Patchstack with no public exploit identified at time of analysis. CVSS is rated 8.1 with high attack complexity, indicating exploitation is feasible but not trivially automatable.
Unauthenticated local file inclusion in the ThemeRex Gita WordPress theme versions 1.11 and earlier allows remote attackers to include arbitrary local files via a PHP file-inclusion weakness (CWE-98), potentially exposing wp-config.php credentials and enabling further compromise. No public exploit identified at time of analysis, but the vulnerability is network-reachable without authentication and has been disclosed by Patchstack with a CVSS 3.1 base score of 8.1.
Unauthenticated local file inclusion in the Printo WordPress theme (versions ≤ 1.11 by ThemeRex) allows remote attackers to include arbitrary local files via a PHP file-inclusion sink (CWE-98), enabling disclosure of sensitive server-side files and potential remote code execution if attacker-controlled content can be reached on disk. No public exploit identified at time of analysis, though Patchstack has cataloged the issue and the CVSS 3.1 base score of 8.1 reflects high impact across confidentiality, integrity, and availability.
Unauthenticated local file inclusion in the Medeus WordPress theme versions 1.14 and earlier allows remote attackers to coerce the PHP backend into including arbitrary files, exposing sensitive configuration data such as wp-config.php and potentially enabling code execution if log poisoning or uploaded content can be referenced. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require), affects a ThemeREX product tracked by Patchstack as a WordPress theme issue, and no public exploit identified at time of analysis. Despite the CVSS 8.1 high rating, AC:H signals non-trivial exploitation requirements beyond a simple parameter swap.