8.1
CVE-2025-49363 - WordPress Kings & Queens theme <= 1.1.16 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Kings & Queens kings-queens allows PHP Local File Inclusion.This issue affects Kings & Queens: from n/a through <= 1.1.16.
8.1
CVE-2025-49362 - WordPress Gracioza theme <= 1.0.15 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gracioza gracioza allows PHP Local File Inclusion.This issue affects Gracioza: from n/a through <= 1.0.15.
8.1
CVE-2025-49361 - WordPress Mamita theme <= 1.0.9 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Mamita mamita allows PHP Local File Inclusion.This issue affects Mamita: from n/a through <= 1.0.9.
8.1
CVE-2025-49360 - WordPress Militarology theme <= 1.0.15 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Militarology militarology allows PHP Local File Inclusion.This issue affects Militarology: from n/a through <= 1.0.15.
8.1
CVE-2025-49359 - WordPress ShieldGroup theme <= 2.13 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes ShieldGroup shieldgroup allows PHP Local File Inclusion.This issue affects ShieldGroup: from n/a through <= 2.13.
6.5
CVE-2025-49041 - WordPress Get Cash plugin <= 3.2.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in The African Boss Get Cash get-cash allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Get Cash: from n/a through <= 3.2.3.
8.5
CVE-2025-14314 - WordPress PopupKit plugin <= 2.1.5 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Roxnor PopupKit popup-builder-block allows Blind SQL Injection.This issue affects PopupKit: from n/a through <= 2.1.5.
6.5
CVE-2025-10019 - WordPress Contact Form Email plugin <= 1.3.60 - Insecure Direct Object References (IDOR) vulnerabilβ¦
Authorization Bypass Through User-Controlled Key vulnerability in codepeople Contact Form Email contact-form-to-email allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Contact Form Email: from n/a through <= 1.3.60.
4.3
CVE-2025-13498 - Download Manager <= 3.3.32 - Missing Authorization to Authenticated (Subscriber+) Media Attachment β¦
The Download Manager plugin for WordPress is vulnerable to unauthorized access of sensitive information in all versions up to, and including, 3.3.32. This is due to missing authorization and capability checks on the `wpdm_media_access` AJAX action. This makes it possible for authenticated attackersβ¦
6.4
CVE-2025-12976 - Events Manager <= 7.2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'events_liβ¦
The Events Manager β Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'events_list_grouped' shortcode in all versions up to, and including, 7.2.2.1 due to insufficient input sanitization and output escaping on user supplied atβ¦