Search Results (1243 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-12923 2 Emarket-design, Wordpress 2 Video Gallery – Youtube Gallery, Playlist & Video Grid, Wordpress 2026-07-06 7.5 High
The Youtube Showcase plugin for WordPress is vulnerable to Arbitrary Function Call in versions up to and including 4.0.3. This is due to insufficient validation of the 'path' parameter in the emd_delete_file() AJAX handler in includes/common-functions.php. The user-supplied value is passed through sanitize_text_field(), has its trailing '_PLUGIN_DIR' substring stripped, and is then invoked as a PHP function name with no arguments via `$sess_name()`. The handler is gated only by a nonce — no current_user_can() check is present — and the nonce is emitted on any front-end page that renders a form shortcode containing file fields. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke arbitrary zero-argument PHP functions (such as phpinfo, phpversion, get_defined_vars, error_get_last), resulting in sensitive information disclosure and potential further compromise depending on the functions available in the environment.
CVE-2026-27412 2 Stylemixthemes, Wordpress 2 Pearl - Corporate Business, Wordpress 2026-07-06 8.1 High
Unauthenticated Local File Inclusion in Pearl - Corporate Business <= 3.4.10 versions.
CVE-2026-57748 2 Shopify Help Center, Wordpress 2 Shopify, Wordpress 2026-07-06 7.5 High
Contributor Local File Inclusion in Shopify <= 1.0.0 versions.
CVE-2026-12194 1 Phpipam 1 Phpipam 2026-07-06 N/A
PHPIPAM is affected by an authenticated local file inclusion vulnerability that allows users with access to the API to execute/include arbitrary PHP files on the web server's file system. The API is not enabled by default on installations.
CVE-2026-5137 2 Rometheme, Wordpress 2 Rtmkit, Wordpress 2026-07-06 4.3 Medium
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
CVE-2025-58902 2026-07-03 8.1 High
Unauthenticated Local File Inclusion in Lighthouse <= 1.2.12 versions.
CVE-2025-69133 2 Goodlayers, Wordpress 2 Tour Master, Wordpress 2026-07-02 7.5 High
Subscriber Local File Inclusion in Tourmaster <= 5.4.5 versions.
CVE-2026-42382 2026-07-02 8.1 High
Unauthenticated Local File Inclusion in Audrey <= 1.5 versions.
CVE-2026-57749 2026-07-02 7.5 High
Contributor Local File Inclusion in SportsPress Pro <= 2.7.29 versions.
CVE-2025-68063 2 Stylemixthemes, Wordpress 2 Splash - Sport Club Wordpress Theme For Basketball, Football, Hockey, Wordpress 2026-06-29 7.5 High
Contributor Local File Inclusion in Splash - Sport Club WordPress Theme for Basketball, Football, Hockey <= 4.4.3 versions.
CVE-2025-68064 2 Everthemess, Wordpress 2 Goya Core, Wordpress 2026-06-29 7.5 High
Contributor Local File Inclusion in Goya Core < 1.0.9.4 versions.
CVE-2026-57647 2 Bplugins, Wordpress 2 Panorama Viewer – 360 Degree Image + Video Viewer, Wordpress 2026-06-29 7.5 High
Contributor Local File Inclusion in Panorama Viewer – 360 Degree Image + Video Viewer <= 1.6.1 versions.
CVE-2025-69105 2 Themerex, Wordpress 2 Modernee, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in Modernee <= 1.6.0 versions.
CVE-2025-69112 2 Themerex, Wordpress 2 Planty, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in Planty <= 1.14.0 versions.
CVE-2025-69113 2 Themerex, Wordpress 2 Nexio, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in Nexio <= 1.10.0 versions.
CVE-2025-69114 2 Themerex, Wordpress 2 Maxinet, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in MaxiNet <= 1.2.10 versions.
CVE-2025-69116 2 Themerex, Wordpress 2 Iona, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in Iona <= 1.0.8 versions.
CVE-2025-69118 2 Themerex, Wordpress 2 Copypress, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in CopyPress <= 1.4.5 versions.
CVE-2025-69124 2 Themerex, Wordpress 2 Especio, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in Especio <= 1.0 versions.
CVE-2025-69142 2 Themerex, Wordpress 2 Abelle, Wordpress 2026-06-26 8.1 High
Unauthenticated Local File Inclusion in Abelle <= 1.22 versions.