Filtered by vendor Wordpress Subscriptions
Total 13785 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2026-22477 2 Ancorathemes, Wordpress 2 Felizia, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Felizia felizia allows PHP Local File Inclusion.This issue affects Felizia: from n/a through <= 1.3.4.
CVE-2026-22497 2 Ancorathemes, Wordpress 2 Jardi, Wordpress 2026-04-22 9.8 Critical
Deserialization of Untrusted Data vulnerability in AncoraThemes Jardi jardi allows Object Injection.This issue affects Jardi: from n/a through <= 1.7.2.
CVE-2026-28018 2 Themerex, Wordpress 2 Global Logistics, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Global Logistics globallogistics allows PHP Local File Inclusion.This issue affects Global Logistics: from n/a through <= 3.20.
CVE-2026-27998 2 Themerex, Wordpress 2 Vixus, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Vixus vixus allows PHP Local File Inclusion.This issue affects Vixus: from n/a through <= 1.0.16.
CVE-2026-28007 2 Themerex, Wordpress 2 Coinpress, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Coinpress coinpress allows PHP Local File Inclusion.This issue affects Coinpress: from n/a through <= 1.0.14.
CVE-2026-28010 2 Themerex, Wordpress 2 Scientia, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Scientia scientia allows PHP Local File Inclusion.This issue affects Scientia: from n/a through <= 1.2.4.
CVE-2026-28013 2 Themerex, Wordpress 2 Kratz, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Kratz kratz allows PHP Local File Inclusion.This issue affects Kratz: from n/a through <= 1.0.12.
CVE-2026-28020 2 Themerex, Wordpress 2 Chroma, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Chroma chroma allows PHP Local File Inclusion.This issue affects Chroma: from n/a through <= 1.11.
CVE-2026-27336 2 Ancorathemes, Wordpress 2 Consultor | Consulting, Accounting & Legal Counsel Wordpress Theme, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Consultor | Consulting, Accounting & Legal Counsel WordPress Theme consultor allows PHP Local File Inclusion.This issue affects Consultor | Consulting, Accounting & Legal Counsel WordPress Theme: from n/a through <= 1.2.4.
CVE-2026-27995 2 Themerex, Wordpress 2 Justitia, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Justitia justitia allows PHP Local File Inclusion.This issue affects Justitia: from n/a through <= 1.1.0.
CVE-2026-2583 2 Creativethemes, Wordpress 2 Blocksy, Wordpress 2026-04-22 6.4 Medium
The Blocksy theme for WordPress is vulnerable to Stored Cross-Site Scripting via the `blocksy_meta` metadata fields in all versions up to, and including, 2.1.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-28016 2 Themerex, Wordpress 2 Luxury Wine, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Luxury Wine luxury-wine allows PHP Local File Inclusion.This issue affects Luxury Wine: from n/a through <= 1.1.14.
CVE-2026-3132 2 Jeweltheme, Wordpress 2 Master Addons For Elementor, Wordpress 2026-04-22 8.8 High
The Master Addons for Elementor Premium plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.1.3 via the 'JLTMA_Widget_Admin::render_preview'. This is due to missing capability check. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute code on the server.
CVE-2026-22424 2 Ancorathemes, Wordpress 2 Shaha, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Shaha shaha allows PHP Local File Inclusion.This issue affects Shaha: from n/a through <= 1.1.2.
CVE-2026-22416 2 Ancorathemes, Wordpress 2 Fixteam, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes FixTeam fixteam allows PHP Local File Inclusion.This issue affects FixTeam: from n/a through <= 1.5.0.
CVE-2026-22419 2 Ancorathemes, Wordpress 2 Honor, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Honor honor allows PHP Local File Inclusion.This issue affects Honor: from n/a through <= 2.3.
CVE-2026-1651 2 Icegram, Wordpress 2 Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin For Wordpress, Wordpress 2026-04-22 6.5 Medium
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVE-2026-22413 2 Mikado-themes, Wordpress 2 Malgré, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes Malgré malgre allows PHP Local File Inclusion.This issue affects Malgré: from n/a through <= 1.0.3.
CVE-2026-2355 2 Joedolson, Wordpress 2 My Calendar – Accessible Event Manager, Wordpress 2026-04-22 6.4 Medium
The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `template` attribute of the `[my_calendar_upcoming]` shortcode in all versions up to, and including, 3.7.3. This is due to the use of `stripcslashes()` on user-supplied shortcode attribute values in the `mc_draw_template()` function, which decodes C-style hex escape sequences (e.g., `\x3c` to `<`) at render time, bypassing WordPress's `wp_kses_post()` content sanitization that runs at save time. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVE-2026-27337 2 Ancorathemes, Wordpress 2 Chronicle - Lifestyle Magazine & Blog Wordpress Theme, Wordpress 2026-04-22 8.1 High
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Chronicle - Lifestyle Magazine & Blog WordPress Theme chronicle allows PHP Local File Inclusion.This issue affects Chronicle - Lifestyle Magazine & Blog WordPress Theme: from n/a through <= 1.0.