CVEs

31,844 total · page 192 of 637

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-67966	WordPress Lawyer Directory	Hig	0.57	8.8	0.00	Jan 22, 2026	Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation.This issue affects Lawyer Directory: from n/a through <= 1.3.3.
CVE-2025-67964	WordPress Homey Core	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3.
CVE-2025-67963	WordPress Movie Booking	Hig	0.56	8.6	0.01	Jan 22, 2026	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal.This issue affects Movie Booking: from n/a through <= 1.1.5.
CVE-2025-67960	Purethemes WorkScout	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS.This issue affects WorkScout-Core: from n/a through <= 1.7.06.
CVE-2025-67959	Purethemes WorkScout	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS.This issue affects WorkScout: from n/a through <= 4.1.07.
CVE-2025-67957	TangibleWP Listivo Core	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77.
CVE-2025-67956	Wpeverest User Registration	Hig	0.53	8.2	0.00	Jan 22, 2026	Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6.
CVE-2025-67955	TangibleWP MyHome Core	Hig	0.49	7.5	0.00	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0.
CVE-2025-67953	WordPress Booking Activities	Hig	0.53	8.1	0.00	Jan 22, 2026	Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation.This issue affects Booking Activities: from n/a through <= 1.16.44.
CVE-2025-67952	Themegoods Grand Tour	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.This issue affects Grand Tour: from n/a through < 5.6.2.
CVE-2025-67949	WordPress Hostiko	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS.This issue affects Hostiko: from n/a through < 94.3.6.
CVE-2025-67947	WordPress Adforest Elementor	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS.This issue affects AdForest Elementor: from n/a through <= 3.0.11.
CVE-2025-67946	AdForest AdForest	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion.This issue affects AdForest: from n/a through <= 6.0.11.
CVE-2025-67943	wphocus My auctions allegro	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.
CVE-2025-67941	Elated-Themes The Aisle Core	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion.This issue affects The Aisle: from n/a through < 2.9.1.
CVE-2025-67940	Qodeinteractive Powerlift	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion.This issue affects Powerlift: from n/a through < 3.2.1.
CVE-2025-67938	Mikado Themes Biagiotti	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2.
CVE-2025-67923	WordPress Jetengine	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7.
CVE-2025-67620	Cleversoft Anon	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10.
CVE-2025-67619	designthemes Kids Heaven	Hig	0.57	8.8	0.01	Jan 22, 2026	Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2.
CVE-2025-67616	BZOTheme Mella	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29.
CVE-2025-67615	bslthemes Myour	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion.This issue affects Myour: from n/a through <= 1.5.1.
CVE-2025-67614	foreverpinetree TheNa	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5.
CVE-2025-63017	fuelthemes Werkstatt	Hig	0.49	7.5	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6.
CVE-2025-54003	Mikado Themes Depot	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion.This issue affects Depot: from n/a through <= 1.16.
CVE-2025-53240	adamlabs WordPress Photo Gallery	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS.This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0.
CVE-2025-52762	WordPress Flexo Posts Manager	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS.This issue affects flexo-posts-manager: from n/a through <= 1.0001.
CVE-2025-52746	Detodas Com Restaurante	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7.
CVE-2025-50007	Jthemes xSmart	Hig	0.57	8.8	0.00	Jan 22, 2026	Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation.This issue affects xSmart: from n/a through <= 1.2.9.4.
CVE-2025-50006	Jthemes xSmart	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS.This issue affects xSmart: from n/a through <= 1.2.9.4.
CVE-2025-50004	WordPress Jupiterx Core	Hig	0.57	8.8	0.01	Jan 22, 2026	Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection.This issue affects JupiterX Core: from n/a through <= 4.10.1.
CVE-2025-50003	Axiomthemes Amuli	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion.This issue affects Amuli: from n/a through <= 2.3.0.
CVE-2025-49994	ovatheme Athens	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion.This issue affects Athens: from n/a through <= 1.1.6.
CVE-2025-49249	ApusTheme Drone	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40.
CVE-2025-49066	WordPress Accordion Slider Pro	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS.This issue affects Accordion Slider PRO: from n/a through <= 1.2.
CVE-2025-49050	kamleshyadav WP Lead Capturing Pages	Hig	0.55	8.5	0.00	Jan 22, 2026	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5.
CVE-2025-49049	Digitalzoomstudio Video Gallery	Hig	0.55	8.5	0.00	Jan 22, 2026	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39.
CVE-2025-49046	LambertGroup xPromoter	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS.This issue affects xPromoter: from n/a through <= 1.3.4.
CVE-2025-49045	WordPress Super Interactive Maps	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS.This issue affects Super Interactive Maps: from n/a through <= 2.3.
CVE-2025-49043	LambertGroup Magic Responsive Slider and Carousel WordPress	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS.This issue affects Magic Responsive Slider and Carousel WordPress: from n/a…
CVE-2025-48094	WordPress Magic Slider	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2.
CVE-2025-47666	LambertGroup Image&Video FullScreen Background	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS.This issue affects Image&Video FullScreen Background: from n/a through <=…
CVE-2025-47474	Ninetheme Anarkali	Hig	0.53	8.1	0.01	Jan 22, 2026	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion.This issue affects Anarkali: from n/a through <= 1.0.9.
CVE-2025-32123	LambertGroup HTML5 Video Player with Playlist & Multiple Skins	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins:…
CVE-2025-27005	Socusoft Html5 Video Player	Hig	0.46	7.1	0.00	Jan 22, 2026	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS.This issue affects HTML5 Video Player: from n/a through <= 5.3.5.
CVE-2023-7335	Edusoho Edusoho	Hig	0.50	—	0.01	Jan 22, 2026	EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the…
CVE-2026-24009	Docling Project Docling Core	Hig	0.46	8.1	0.01	Jan 22, 2026	Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0…
CVE-2025-14295	Automated Logic WebCTRL	Hig	0.46	—	0.00	Jan 22, 2026	Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a…
CVE-2025-10856	Solvera Software Services Trade Inc. Teknoera	Hig	0.53	8.1	0.00	Jan 22, 2026	Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025.
CVE-2025-10855	Solvera Software Services Trade Inc. Teknoera	Hig	0.49	7.5	0.00	Jan 22, 2026	Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025.

CVE-2025-67966HigJan 22, 2026
WordPress
Lawyer Directory
risk 0.57cvss 8.8epss 0.00
Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation.This issue affects Lawyer Directory: from n/a through <= 1.3.3.
CVE-2025-67964HigJan 22, 2026
WordPress
Homey Core
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey Core homey-core allows Reflected XSS.This issue affects Homey Core: from n/a through <= 2.4.3.
CVE-2025-67963HigJan 22, 2026
WordPress
Movie Booking
risk 0.56cvss 8.6epss 0.01
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal.This issue affects Movie Booking: from n/a through <= 1.1.5.
CVE-2025-67960HigJan 22, 2026
Purethemes
WorkScout
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS.This issue affects WorkScout-Core: from n/a through <= 1.7.06.
CVE-2025-67959HigJan 22, 2026
Purethemes
WorkScout
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in purethemes WorkScout workscout allows Reflected XSS.This issue affects WorkScout: from n/a through <= 4.1.07.
CVE-2025-67957HigJan 22, 2026
TangibleWP
Listivo Core
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion.This issue affects Listivo Core: from n/a through <= 2.3.77.
CVE-2025-67956HigJan 22, 2026
Wpeverest
User Registration
risk 0.53cvss 8.2epss 0.00
Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Registration: from n/a through <= 4.4.6.
CVE-2025-67955HigJan 22, 2026
TangibleWP
MyHome Core
risk 0.49cvss 7.5epss 0.00
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion.This issue affects MyHome Core: from n/a through <= 4.1.0.
CVE-2025-67953HigJan 22, 2026
WordPress
Booking Activities
risk 0.53cvss 8.1epss 0.00
Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation.This issue affects Booking Activities: from n/a through <= 1.16.44.
CVE-2025-67952HigJan 22, 2026
Themegoods
Grand Tour
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS.This issue affects Grand Tour: from n/a through < 5.6.2.
CVE-2025-67949HigJan 22, 2026
WordPress
Hostiko
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designingmedia Hostiko hostiko allows Reflected XSS.This issue affects Hostiko: from n/a through < 94.3.6.
CVE-2025-67947HigJan 22, 2026
WordPress
Adforest Elementor
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS.This issue affects AdForest Elementor: from n/a through <= 3.0.11.
CVE-2025-67946HigJan 22, 2026
AdForest
AdForest
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion.This issue affects AdForest: from n/a through <= 6.0.11.
CVE-2025-67943HigJan 22, 2026
wphocus
My auctions allegro
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS.This issue affects My auctions allegro: from n/a through <= 3.6.32.
CVE-2025-67941HigJan 22, 2026
Elated-Themes
The Aisle Core
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion.This issue affects The Aisle: from n/a through < 2.9.1.
CVE-2025-67940HigJan 22, 2026
Qodeinteractive
Powerlift
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion.This issue affects Powerlift: from n/a through < 3.2.1.
CVE-2025-67938HigJan 22, 2026
Mikado Themes
Biagiotti
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion.This issue affects Biagiotti: from n/a through < 3.5.2.
CVE-2025-67923HigJan 22, 2026
WordPress
Jetengine
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.7.7.
CVE-2025-67620HigJan 22, 2026
Cleversoft
Anon
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CleverSoft Anon anon2x allows Reflected XSS.This issue affects Anon: from n/a through <= 2.2.10.
CVE-2025-67619HigJan 22, 2026
designthemes
Kids Heaven
risk 0.57cvss 8.8epss 0.01
Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection.This issue affects Kids Heaven: from n/a through <= 3.2.
CVE-2025-67616HigJan 22, 2026
BZOTheme
Mella
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion.This issue affects Mella: from n/a through <= 1.2.29.
CVE-2025-67615HigJan 22, 2026
bslthemes
Myour
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in bslthemes Myour myour allows PHP Local File Inclusion.This issue affects Myour: from n/a through <= 1.5.1.
CVE-2025-67614HigJan 22, 2026
foreverpinetree
TheNa
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in foreverpinetree TheNa thena allows Reflected XSS.This issue affects TheNa: from n/a through <= 1.5.5.
CVE-2025-63017HigJan 22, 2026
fuelthemes
Werkstatt
risk 0.49cvss 7.5epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion.This issue affects WerkStatt Plugin: from n/a through <= 1.6.6.
CVE-2025-54003HigJan 22, 2026
Mikado Themes
Depot
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion.This issue affects Depot: from n/a through <= 1.16.
CVE-2025-53240HigJan 22, 2026
adamlabs
WordPress Photo Gallery
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS.This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0.
CVE-2025-52762HigJan 22, 2026
WordPress
Flexo Posts Manager
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS.This issue affects flexo-posts-manager: from n/a through <= 1.0001.
CVE-2025-52746HigJan 22, 2026
Detodas
Com Restaurante
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ayecode Restaurante restaurante allows Reflected XSS.This issue affects Restaurante: from n/a through <= 3.0.7.
CVE-2025-50007HigJan 22, 2026
Jthemes
xSmart
risk 0.57cvss 8.8epss 0.00
Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation.This issue affects xSmart: from n/a through <= 1.2.9.4.
CVE-2025-50006HigJan 22, 2026
Jthemes
xSmart
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes xSmart xsmart allows Reflected XSS.This issue affects xSmart: from n/a through <= 1.2.9.4.
CVE-2025-50004HigJan 22, 2026
WordPress
Jupiterx Core
risk 0.57cvss 8.8epss 0.01
Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection.This issue affects JupiterX Core: from n/a through <= 4.10.1.
CVE-2025-50003HigJan 22, 2026
Axiomthemes
Amuli
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion.This issue affects Amuli: from n/a through <= 2.3.0.
CVE-2025-49994HigJan 22, 2026
ovatheme
Athens
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ovatheme Athens athens allows PHP Local File Inclusion.This issue affects Athens: from n/a through <= 1.1.6.
CVE-2025-49249HigJan 22, 2026
ApusTheme
Drone
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ApusTheme Drone drone allows Reflected XSS.This issue affects Drone: from n/a through <= 1.40.
CVE-2025-49066HigJan 22, 2026
WordPress
Accordion Slider Pro
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS.This issue affects Accordion Slider PRO: from n/a through <= 1.2.
CVE-2025-49050HigJan 22, 2026
kamleshyadav
WP Lead Capturing Pages
risk 0.55cvss 8.5epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection.This issue affects WP Lead Capturing Pages: from n/a through <= 2.5.
CVE-2025-49049HigJan 22, 2026
Digitalzoomstudio
Video Gallery
risk 0.55cvss 8.5epss 0.00
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection.This issue affects DZS Video Gallery: from n/a through <= 12.39.
CVE-2025-49046HigJan 22, 2026
LambertGroup
xPromoter
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS.This issue affects xPromoter: from n/a through <= 1.3.4.
CVE-2025-49045HigJan 22, 2026
WordPress
Super Interactive Maps
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS.This issue affects Super Interactive Maps: from n/a through <= 2.3.
CVE-2025-49043HigJan 22, 2026
LambertGroup
Magic Responsive Slider and Carousel WordPress
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS.This issue affects Magic Responsive Slider and Carousel WordPress: from n/a…
CVE-2025-48094HigJan 22, 2026
WordPress
Magic Slider
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS.This issue affects Magic Slider: from n/a through <= 2.2.
CVE-2025-47666HigJan 22, 2026
LambertGroup
Image&Video FullScreen Background
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS.This issue affects Image&Video FullScreen Background: from n/a through <=…
CVE-2025-47474HigJan 22, 2026
Ninetheme
Anarkali
risk 0.53cvss 8.1epss 0.01
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion.This issue affects Anarkali: from n/a through <= 1.0.9.
CVE-2025-32123HigJan 22, 2026
LambertGroup
HTML5 Video Player with Playlist & Multiple Skins
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS.This issue affects HTML5 Video Player with Playlist & Multiple Skins:…
CVE-2025-27005HigJan 22, 2026
Socusoft
Html5 Video Player
risk 0.46cvss 7.1epss 0.00
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS.This issue affects HTML5 Video Player: from n/a through <= 5.3.5.
CVE-2023-7335HigJan 22, 2026
Edusoho
Edusoho
risk 0.50cvss —epss 0.01
EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the…
CVE-2026-24009HigJan 22, 2026
Docling Project
Docling Core
risk 0.46cvss 8.1epss 0.01
Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0…
CVE-2025-14295HigJan 22, 2026
Automated Logic
WebCTRL
risk 0.46cvss —epss 0.00
Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a…
CVE-2025-10856HigJan 22, 2026
Solvera Software Services Trade Inc.
Teknoera
risk 0.53cvss 8.1epss 0.00
Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025.
CVE-2025-10855HigJan 22, 2026
Solvera Software Services Trade Inc.
Teknoera
risk 0.49cvss 7.5epss 0.00
Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025.