8.1
CVE-2026-25458 - WordPress Moments theme <= 2.2 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Moments moments allows PHP Local File Inclusion. This issue affects Moments: from n/a through <= 2.2.
8.1
CVE-2026-25457 - WordPress Mixtape theme <= 2.1 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion. This issue affects Mixtape: from n/a through <= 2.1.
7.3
CVE-2026-25456 - WordPress Automated FedEx live/manual rates with shipping labels plugin <= 5.1.9 - Broken Access Co…
Missing Authorization vulnerability in Aarsiv Groups Automated FedEx live/manual rates with shipping labels a2z-fedex-shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automated FedEx live/manual rates with shipping labels: from n/a through <= 5.1.9.
6.5
CVE-2026-25455 - WordPress Product Slider for WooCommerce plugin <= 1.13.61 - Broken Access Control vulnerability
Missing Authorization vulnerability in PickPlugins Product Slider for WooCommerce woocommerce-products-slider allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Slider for WooCommerce: from n/a through <= 1.13.61.
6.5
CVE-2026-25454 - WordPress The League theme <= 4.4.1 - Broken Access Control vulnerability
Missing Authorization vulnerability in MVPThemes The League the-league allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The League: from n/a through <= 4.4.1.
7.1
CVE-2026-25452 - WordPress Remoji plugin <= 2.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPDO Remoji remoji allows Stored XSS. This issue affects Remoji: from n/a through <= 2.2.
9.1
CVE-2026-25447 - WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code ('Code Injection') vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection. This issue affects Widget Wrangler: from n/a through <= 2.3.9.
6.5
CVE-2026-25437 - WordPress GZSEO plugin <= 2.0.14 - Broken Access Control vulnerability
Missing Authorization vulnerability in سید محمدامین هاشمی GZSEO gzseo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GZSEO: from n/a through <= 2.0.14.
7.1
CVE-2026-25435 - WordPress Booking calendar, Appointment Booking System plugin <= 3.2.36 - Cross Site Scripting (XSS…
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevart Booking calendar, Appointment Booking System booking-calendar allows Stored XSS. This issue affects Booking calendar, Appointment Booking System: from n/a through <= 3.2.36.
6.5
CVE-2026-25430 - WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1…
Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, N…