Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
51 vulnerabilities by RadiusTheme
CVE-2026-25344 (GCVE-0-2026-25344)
Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-03-26 17:08
VLAI?
Title
WordPress Review Schema plugin <= 2.2.6 - Sensitive Data Exposure vulnerability
Summary
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Schema: from n/a through <= 2.2.6.
Severity ?
6.5 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Review Schema |
Affected:
n/a , ≤ <= 2.2.6
(custom)
|
Date Public ?
2026-03-25 17:12
Credits
Doan Dinh Van | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T17:08:55.299373Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T17:08:59.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "review-schema",
"product": "Review Schema",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "2.2.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 2.2.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Doan Dinh Van | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-03-25T17:12:21.792Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects Review Schema: from n/a through \u003c= 2.2.6.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme Review Schema review-schema allows Retrieve Embedded Sensitive Data.This issue affects Review Schema: from n/a through \u003c= 2.2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T16:14:42.559Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/review-schema/vulnerability/wordpress-review-schema-plugin-2-2-6-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress Review Schema plugin \u003c= 2.2.6 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25344",
"datePublished": "2026-03-25T16:14:42.559Z",
"dateReserved": "2026-02-02T12:52:42.957Z",
"dateUpdated": "2026-03-26T17:08:59.868Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25026 (GCVE-0-2026-25026)
Vulnerability from cvelistv5 – Published: 2026-03-25 16:14 – Updated: 2026-03-27 14:50
VLAI?
Title
WordPress Team plugin <= 5.0.11 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through <= 5.0.11.
Severity ?
7.5 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Team |
Affected:
n/a , ≤ <= 5.0.11
(custom)
|
Date Public ?
2026-03-25 17:12
Credits
Doan Dinh Van | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-25026",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T14:50:14.326843Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T14:50:36.561Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tlp-team",
"product": "Team",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "5.0.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 5.0.11",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Doan Dinh Van | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-03-25T17:12:18.401Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Team: from n/a through \u003c= 5.0.11.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through \u003c= 5.0.11."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T16:14:37.824Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tlp-team/vulnerability/wordpress-team-plugin-5-0-11-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Team plugin \u003c= 5.0.11 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-25026",
"datePublished": "2026-03-25T16:14:37.824Z",
"dateReserved": "2026-01-28T09:51:55.183Z",
"dateUpdated": "2026-03-27T14:50:36.561Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32396 (GCVE-0-2026-32396)
Vulnerability from cvelistv5 – Published: 2026-03-13 11:42 – Updated: 2026-04-01 14:16
VLAI?
Title
WordPress Team plugin <= 5.0.13 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through <= 5.0.13.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Team |
Affected:
0 , ≤ 5.0.13
(custom)
|
Date Public ?
2026-04-01 16:05
Credits
Nguyen Ba Khanh | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32396",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T20:27:39.635263Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:27:54.314Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tlp-team",
"product": "Team",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "5.0.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:20.138Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Team: from n/a through \u003c= 5.0.13.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through \u003c= 5.0.13."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:16:08.629Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tlp-team/vulnerability/wordpress-team-plugin-5-0-13-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Team plugin \u003c= 5.0.13 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-32396",
"datePublished": "2026-03-13T11:42:11.496Z",
"dateReserved": "2026-03-12T11:11:09.668Z",
"dateUpdated": "2026-04-01T14:16:08.629Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32372 (GCVE-0-2026-32372)
Vulnerability from cvelistv5 – Published: 2026-03-13 11:42 – Updated: 2026-04-01 14:16
VLAI?
Title
WordPress ShopBuilder – Elementor WooCommerce Builder Addons plugin <= 3.2.4 - Sensitive Data Exposure vulnerability
Summary
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder – Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.This issue affects ShopBuilder – Elementor WooCommerce Builder Addons: from n/a through <= 3.2.4.
Severity ?
5.3 (Medium)
CWE
- CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | ShopBuilder – Elementor WooCommerce Builder Addons |
Affected:
0 , ≤ 3.2.4
(custom)
|
Date Public ?
2026-04-01 16:04
Credits
Bao - BlueRock | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T13:36:27.849027Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T13:36:40.124Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "shopbuilder",
"product": "ShopBuilder \u2013 Elementor WooCommerce Builder Addons",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "3.2.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.2.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Bao - BlueRock | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:04:50.246Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through \u003c= 3.2.4.\u003c/p\u003e"
}
],
"value": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in RadiusTheme ShopBuilder \u2013 Elementor WooCommerce Builder Addons shopbuilder allows Retrieve Embedded Sensitive Data.This issue affects ShopBuilder \u2013 Elementor WooCommerce Builder Addons: from n/a through \u003c= 3.2.4."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-497",
"description": "Exposure of Sensitive System Information to an Unauthorized Control Sphere",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:16:02.107Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/shopbuilder/vulnerability/wordpress-shopbuilder-elementor-woocommerce-builder-addons-plugin-3-2-4-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress ShopBuilder \u2013 Elementor WooCommerce Builder Addons plugin \u003c= 3.2.4 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-32372",
"datePublished": "2026-03-13T11:42:06.960Z",
"dateReserved": "2026-03-12T11:10:59.411Z",
"dateUpdated": "2026-04-01T14:16:02.107Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32369 (GCVE-0-2026-32369)
Vulnerability from cvelistv5 – Published: 2026-03-13 11:42 – Updated: 2026-04-01 14:16
VLAI?
Title
WordPress Medilink-Core plugin < 2.0.7 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion.This issue affects Medilink-Core: from n/a through < 2.0.7.
Severity ?
7.5 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Medilink-Core |
Affected:
0 , ≤ 2.0.7
(custom)
|
Date Public ?
2026-04-01 16:04
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-32369",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T14:37:42.581696Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T14:38:07.480Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://themeforest.net",
"defaultStatus": "unaffected",
"packageName": "medilink-core",
"product": "Medilink-Core",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "2.0.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:04:49.683Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Medilink-Core: from n/a through \u003c 2.0.7.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Medilink-Core medilink-core allows PHP Local File Inclusion.This issue affects Medilink-Core: from n/a through \u003c 2.0.7."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:16:00.656Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/medilink-core/vulnerability/wordpress-medilink-core-plugin-2-0-7-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Medilink-Core plugin \u003c 2.0.7 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-32369",
"datePublished": "2026-03-13T11:42:06.431Z",
"dateReserved": "2026-03-12T11:10:59.411Z",
"dateUpdated": "2026-04-01T14:16:00.656Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27383 (GCVE-0-2026-27383)
Vulnerability from cvelistv5 – Published: 2026-03-05 05:53 – Updated: 2026-04-01 14:15
VLAI?
Title
WordPress Metro theme <= 2.13 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion.This issue affects Metro: from n/a through <= 2.13.
Severity ?
8.1 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Metro |
Affected:
0 , ≤ 2.13
(custom)
|
Date Public ?
2026-04-01 16:05
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27383",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T12:45:49.851272Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T12:48:16.825Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "metro",
"product": "Metro",
"vendor": "RadiusTheme",
"versions": [
{
"lessThanOrEqual": "2.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:31.275Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Metro: from n/a through \u003c= 2.13.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Metro metro allows PHP Local File Inclusion.This issue affects Metro: from n/a through \u003c= 2.13."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:15:14.164Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/metro/vulnerability/wordpress-metro-theme-2-13-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Metro theme \u003c= 2.13 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27383",
"datePublished": "2026-03-05T05:53:58.330Z",
"dateReserved": "2026-02-19T09:51:58.587Z",
"dateUpdated": "2026-04-01T14:15:14.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27382 (GCVE-0-2026-27382)
Vulnerability from cvelistv5 – Published: 2026-03-05 05:53 – Updated: 2026-04-01 14:15
VLAI?
Title
WordPress Metro theme <= 2.13 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through <= 2.13.
Severity ?
7.1 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Metro |
Affected:
0 , ≤ 2.13
(custom)
|
Date Public ?
2026-04-01 16:05
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-27382",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T15:53:56.394812Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T15:54:46.869Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "metro",
"product": "Metro",
"vendor": "RadiusTheme",
"versions": [
{
"lessThanOrEqual": "2.13",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:05:31.044Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.\u003cp\u003eThis issue affects Metro: from n/a through \u003c= 2.13.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RadiusTheme Metro metro allows DOM-Based XSS.This issue affects Metro: from n/a through \u003c= 2.13."
}
],
"impacts": [
{
"capecId": "CAPEC-588",
"descriptions": [
{
"lang": "en",
"value": "DOM-Based XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:15:13.972Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Theme/metro/vulnerability/wordpress-metro-theme-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Metro theme \u003c= 2.13 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-27382",
"datePublished": "2026-03-05T05:53:58.133Z",
"dateReserved": "2026-02-19T09:51:58.586Z",
"dateUpdated": "2026-04-01T14:15:13.972Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-23546 (GCVE-0-2026-23546)
Vulnerability from cvelistv5 – Published: 2026-03-05 05:53 – Updated: 2026-04-01 14:14
VLAI?
Title
WordPress Classified Listing plugin <= 5.3.4 - Sensitive Data Exposure vulnerability
Summary
Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through <= 5.3.4.
Severity ?
6.5 (Medium)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Classified Listing |
Affected:
0 , ≤ 5.3.4
(custom)
|
Date Public ?
2026-04-01 16:04
Credits
daroo | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-23546",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T19:45:39.140773Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T19:46:42.609Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "classified-listing",
"product": "Classified Listing",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "5.3.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.3.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "daroo | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:04:54.275Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.\u003cp\u003eThis issue affects Classified Listing: from n/a through \u003c= 5.3.4.\u003c/p\u003e"
}
],
"value": "Insertion of Sensitive Information Into Sent Data vulnerability in RadiusTheme Classified Listing classified-listing allows Retrieve Embedded Sensitive Data.This issue affects Classified Listing: from n/a through \u003c= 5.3.4."
}
],
"impacts": [
{
"capecId": "CAPEC-37",
"descriptions": [
{
"lang": "en",
"value": "Retrieve Embedded Sensitive Data"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:14:03.190Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-3-4-sensitive-data-exposure-vulnerability?_s_id=cve"
}
],
"title": "WordPress Classified Listing plugin \u003c= 5.3.4 - Sensitive Data Exposure vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2026-23546",
"datePublished": "2026-03-05T05:53:48.361Z",
"dateReserved": "2026-01-14T08:36:07.869Z",
"dateUpdated": "2026-04-01T14:14:03.190Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64282 (GCVE-0-2025-64282)
Vulnerability from cvelistv5 – Published: 2025-12-18 16:18 – Updated: 2026-04-01 16:00
VLAI?
Title
WordPress Radius Blocks plugin <= 2.2.1 - Insecure Direct Object References (IDOR) vulnerability
Summary
Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks radius-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through <= 2.2.1.
Severity ?
No CVSS data available.
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Radius Blocks |
Affected:
0 , ≤ 2.2.1
(custom)
|
Date Public ?
2026-04-01 16:43
Credits
Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64282",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T17:11:48.493212Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T17:15:13.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "radius-blocks",
"product": "Radius Blocks",
"vendor": "RadiusTheme",
"versions": [
{
"lessThanOrEqual": "2.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:43:33.267Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks radius-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Radius Blocks: from n/a through \u003c= 2.2.1.\u003c/p\u003e"
}
],
"value": "Authorization Bypass Through User-Controlled Key vulnerability in RadiusTheme Radius Blocks radius-blocks allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Radius Blocks: from n/a through \u003c= 2.2.1."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:00:22.128Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/radius-blocks/vulnerability/wordpress-radius-blocks-plugin-2-2-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"title": "WordPress Radius Blocks plugin \u003c= 2.2.1 - Insecure Direct Object References (IDOR) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-64282",
"datePublished": "2025-12-18T16:18:54.393Z",
"dateReserved": "2025-10-29T03:29:08.849Z",
"dateUpdated": "2026-04-01T16:00:22.128Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32657 (GCVE-0-2025-32657)
Vulnerability from cvelistv5 – Published: 2025-10-22 14:32 – Updated: 2026-04-01 14:07
VLAI?
Title
WordPress Testimonial Slider and Showcase Pro plugin <= 2.1.7 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.1.7.
Severity ?
7.5 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Testimonial Slider And Showcase Pro |
Affected:
0 , ≤ 2.1.7
(custom)
|
Date Public ?
2026-04-01 15:58
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-32657",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T15:50:10.282403Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T15:50:12.427Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "testimonial-slider-showcase-pro",
"product": "Testimonial Slider And Showcase Pro",
"vendor": "RadiusTheme",
"versions": [
{
"lessThanOrEqual": "2.1.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:58:49.329Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Testimonial Slider And Showcase Pro: from n/a through \u003c= 2.1.7.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through \u003c= 2.1.7."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:07:13.312Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/testimonial-slider-showcase-pro/vulnerability/wordpress-testimonial-slider-and-showcase-pro-plugin-2-1-7-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Testimonial Slider and Showcase Pro plugin \u003c= 2.1.7 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32657",
"datePublished": "2025-10-22T14:32:05.506Z",
"dateReserved": "2025-04-09T11:21:11.059Z",
"dateUpdated": "2026-04-01T14:07:13.312Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-57975 (GCVE-0-2025-57975)
Vulnerability from cvelistv5 – Published: 2025-09-22 18:24 – Updated: 2026-04-01 15:57
VLAI?
Title
WordPress Team Plugin <= 5.0.6 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through <= 5.0.6.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Team |
Affected:
0 , ≤ 5.0.6
(custom)
|
Date Public ?
2026-04-01 16:43
Credits
Que Thanh Tuan | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-57975",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-25T13:52:41.156826Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-25T13:52:46.829Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "tlp-team",
"product": "Team",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "5.0.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Que Thanh Tuan | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:43:10.469Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Team: from n/a through \u003c= 5.0.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme Team tlp-team allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Team: from n/a through \u003c= 5.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:57:58.514Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/tlp-team/vulnerability/wordpress-team-plugin-5-0-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Team Plugin \u003c= 5.0.6 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-57975",
"datePublished": "2025-09-22T18:24:33.974Z",
"dateReserved": "2025-08-22T11:37:13.319Z",
"dateUpdated": "2026-04-01T15:57:58.514Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-58601 (GCVE-0-2025-58601)
Vulnerability from cvelistv5 – Published: 2025-09-03 14:36 – Updated: 2026-04-01 15:58
VLAI?
Title
WordPress Classified Listing Plugin <= 5.0.6 - Broken Access Control Vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme Classified Listing classified-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Classified Listing: from n/a through <= 5.0.6.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Classified Listing |
Affected:
0 , ≤ 5.0.6
(custom)
|
Date Public ?
2026-04-01 16:43
Credits
Denver Jackson | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58601",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T17:38:41.271769Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T17:51:11.933Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "classified-listing",
"product": "Classified Listing",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "5.0.7",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.6",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denver Jackson | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:43:10.724Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme Classified Listing classified-listing allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Classified Listing: from n/a through \u003c= 5.0.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme Classified Listing classified-listing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Classified Listing: from n/a through \u003c= 5.0.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:58:31.360Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-5-0-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Classified Listing Plugin \u003c= 5.0.6 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58601",
"datePublished": "2025-09-03T14:36:39.999Z",
"dateReserved": "2025-09-03T09:02:27.116Z",
"dateUpdated": "2026-04-01T15:58:31.360Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53565 (GCVE-0-2025-53565)
Vulnerability from cvelistv5 – Published: 2025-08-20 08:03 – Updated: 2026-04-01 15:56
VLAI?
Title
WordPress Widget for Google Reviews <= 1.0.15 - Local File Inclusion Vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Widget for Google Reviews business-reviews-wp allows PHP Local File Inclusion.This issue affects Widget for Google Reviews: from n/a through <= 1.0.15.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Widget for Google Reviews |
Affected:
0 , ≤ 1.0.15
(custom)
|
Date Public ?
2026-04-01 16:41
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-20T14:14:21.915320Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-20T14:15:15.947Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "business-reviews-wp",
"product": "Widget for Google Reviews",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "1.0.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.0.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:56.727Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Widget for Google Reviews business-reviews-wp allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Widget for Google Reviews: from n/a through \u003c= 1.0.15.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Widget for Google Reviews business-reviews-wp allows PHP Local File Inclusion.This issue affects Widget for Google Reviews: from n/a through \u003c= 1.0.15."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:56:58.700Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/business-reviews-wp/vulnerability/wordpress-widget-for-google-reviews-1-0-15-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Widget for Google Reviews \u003c= 1.0.15 - Local File Inclusion Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-53565",
"datePublished": "2025-08-20T08:03:11.564Z",
"dateReserved": "2025-07-03T14:50:56.330Z",
"dateUpdated": "2026-04-01T15:56:58.700Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54698 (GCVE-0-2025-54698)
Vulnerability from cvelistv5 – Published: 2025-08-14 10:34 – Updated: 2026-04-01 15:57
VLAI?
Title
WordPress Classified Listing Plugin plugin <= 5.0.0 - Content Injection Vulnerability
Summary
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RadiusTheme Classified Listing classified-listing allows Code Injection.This issue affects Classified Listing: from n/a through <= 5.0.0.
Severity ?
No CVSS data available.
CWE
- CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Classified Listing |
Affected:
0 , ≤ 5.0.0
(custom)
|
Date Public ?
2026-04-01 16:43
Credits
Denver Jackson | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54698",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-14T13:26:05.324387Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-14T13:26:09.654Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "classified-listing",
"product": "Classified Listing",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "5.0.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.0.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Denver Jackson | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:43:02.871Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RadiusTheme Classified Listing classified-listing allows Code Injection.\u003cp\u003eThis issue affects Classified Listing: from n/a through \u003c= 5.0.0.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in RadiusTheme Classified Listing classified-listing allows Code Injection.This issue affects Classified Listing: from n/a through \u003c= 5.0.0."
}
],
"impacts": [
{
"capecId": "CAPEC-242",
"descriptions": [
{
"lang": "en",
"value": "Code Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-80",
"description": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:57:25.795Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-plugin-5-0-0-content-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Classified Listing Plugin plugin \u003c= 5.0.0 - Content Injection Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54698",
"datePublished": "2025-08-14T10:34:54.692Z",
"dateReserved": "2025-07-28T10:56:09.192Z",
"dateUpdated": "2026-04-01T15:57:25.795Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-7327 (GCVE-0-2025-7327)
Vulnerability from cvelistv5 – Published: 2025-07-08 05:23 – Updated: 2026-04-08 16:49
VLAI?
Title
Widget for Google Reviews <= 1.0.15 - Authenticated (Subscriber+) Directory Traversal to Local File Inclusion
Summary
The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. This is limited to just PHP files.
Severity ?
8.8 (High)
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techlabpro1 | Widget for Google Reviews |
Affected:
0 , ≤ 1.0.15
(semver)
|
Credits
Michael Mazzolini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-7327",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-08T16:07:48.081689Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-08T16:08:01.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Widget for Google Reviews",
"vendor": "techlabpro1",
"versions": [
{
"lessThanOrEqual": "1.0.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Widget for Google Reviews plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.0.15 via the layout parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other \u201csafe\u201d file types can be uploaded and included. This is limited to just PHP files."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:49:50.382Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4681e56f-1dad-46a7-8ac7-1f543a383433?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3316262%40business-reviews-wp%2Ftrunk\u0026old=3201057%40business-reviews-wp%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-07-07T16:50:01.000Z",
"value": "Disclosed"
}
],
"title": "Widget for Google Reviews \u003c= 1.0.15 - Authenticated (Subscriber+) Directory Traversal to Local File Inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-7327",
"datePublished": "2025-07-08T05:23:35.381Z",
"dateReserved": "2025-07-07T16:48:43.437Z",
"dateUpdated": "2026-04-08T16:49:50.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-52715 (GCVE-0-2025-52715)
Vulnerability from cvelistv5 – Published: 2025-06-20 15:03 – Updated: 2026-04-01 15:56
VLAI?
Title
WordPress Classified Listing plugin <= 4.2.0 - Local File Inclusion Vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.This issue affects Classified Listing: from n/a through <= 4.2.0.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Classified Listing |
Affected:
0 , ≤ 4.2.0
(custom)
|
Date Public ?
2026-04-01 16:41
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-52715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-23T16:14:27.826642Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-23T16:23:02.731Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "classified-listing",
"product": "Classified Listing",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "4.2.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.2.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:41:32.078Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Classified Listing: from n/a through \u003c= 4.2.0.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.This issue affects Classified Listing: from n/a through \u003c= 4.2.0."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:56:09.316Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-4-2-0-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Classified Listing plugin \u003c= 4.2.0 - Local File Inclusion Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-52715",
"datePublished": "2025-06-20T15:03:36.841Z",
"dateReserved": "2025-06-19T10:02:14.560Z",
"dateUpdated": "2026-04-01T15:56:09.316Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-9236 (GCVE-0-2024-9236)
Vulnerability from cvelistv5 – Published: 2025-05-15 20:07 – Updated: 2025-05-17 02:57
VLAI?
Title
Team Members Showcase < 4.4.2 - Editor+ Stored XSS
Summary
The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Credits
Krugov Artyom
WPScan
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-9236",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-17T02:57:02.678489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-17T02:57:37.151Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Team",
"vendor": "Unknown",
"versions": [
{
"lessThan": "4.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krugov Artyom"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Team WordPress plugin before 4.4.2 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-15T20:07:20.348Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/fd06ba56-37dd-4c23-ae7c-ab8de40d1645/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Team Members Showcase \u003c 4.4.2 - Editor+ Stored XSS",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-9236",
"datePublished": "2025-05-15T20:07:20.348Z",
"dateReserved": "2024-09-26T18:52:43.164Z",
"dateUpdated": "2025-05-17T02:57:37.151Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24745 (GCVE-0-2025-24745)
Vulnerability from cvelistv5 – Published: 2025-04-17 15:48 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress Classified Listing plugin <= 4.0.1 - Reflected Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Classified Listing classified-listing allows Reflected XSS.This issue affects Classified Listing: from n/a through <= 4.0.1.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Classified Listing |
Affected:
0 , ≤ 4.0.1
(custom)
|
Date Public ?
2026-04-01 16:34
Credits
Le Ngoc Anh | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24745",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-17T17:43:45.907088Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-17T18:18:30.712Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "classified-listing",
"product": "Classified Listing",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "4.0.2",
"status": "unaffected"
}
],
"lessThanOrEqual": "4.0.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Le Ngoc Anh | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:42.772Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RadiusTheme Classified Listing classified-listing allows Reflected XSS.\u003cp\u003eThis issue affects Classified Listing: from n/a through \u003c= 4.0.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RadiusTheme Classified Listing classified-listing allows Reflected XSS.This issue affects Classified Listing: from n/a through \u003c= 4.0.1."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "Reflected XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:44:41.002Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-4-0-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Classified Listing plugin \u003c= 4.0.1 - Reflected Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24745",
"datePublished": "2025-04-17T15:48:11.976Z",
"dateReserved": "2025-01-23T14:53:00.531Z",
"dateUpdated": "2026-04-01T15:44:41.002Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32656 (GCVE-0-2025-32656)
Vulnerability from cvelistv5 – Published: 2025-04-11 08:43 – Updated: 2026-04-01 15:51
VLAI?
Title
WordPress Testimonial Slider and Showcase Pro plugin <= 2.3.15 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through <= 2.3.15.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Testimonial Slider And Showcase Pro |
Affected:
0 , ≤ 2.3.15
(custom)
|
Date Public ?
2026-04-01 16:38
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-11T13:31:11.608622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-11T13:31:22.540Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "testimonial-slider-showcase-pro",
"product": "Testimonial Slider And Showcase Pro",
"vendor": "RadiusTheme",
"versions": [
{
"lessThanOrEqual": "2.3.15",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:55.410Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Testimonial Slider And Showcase Pro: from n/a through \u003c= 2.3.15.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Testimonial Slider And Showcase Pro testimonial-slider-showcase-pro allows PHP Local File Inclusion.This issue affects Testimonial Slider And Showcase Pro: from n/a through \u003c= 2.3.15."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:51:28.846Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/testimonial-slider-showcase-pro/vulnerability/wordpress-testimonial-slider-and-showcase-pro-plugin-2-3-15-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Testimonial Slider and Showcase Pro plugin \u003c= 2.3.15 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32656",
"datePublished": "2025-04-11T08:43:02.173Z",
"dateReserved": "2025-04-09T11:21:11.058Z",
"dateUpdated": "2026-04-01T15:51:28.846Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-32159 (GCVE-0-2025-32159)
Vulnerability from cvelistv5 – Published: 2025-04-04 15:58 – Updated: 2026-04-01 15:50
VLAI?
Title
WordPress Radius Blocks plugin <= 2.2.1 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Radius Blocks radius-blocks allows PHP Local File Inclusion.This issue affects Radius Blocks: from n/a through <= 2.2.1.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Radius Blocks |
Affected:
0 , ≤ 2.2.1
(custom)
|
Date Public ?
2026-04-01 16:38
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T19:53:09.717465Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T20:16:23.521Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "radius-blocks",
"product": "Radius Blocks",
"vendor": "RadiusTheme",
"versions": [
{
"lessThanOrEqual": "2.2.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:38:20.096Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Radius Blocks radius-blocks allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Radius Blocks: from n/a through \u003c= 2.2.1.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Radius Blocks radius-blocks allows PHP Local File Inclusion.This issue affects Radius Blocks: from n/a through \u003c= 2.2.1."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:50:17.213Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/radius-blocks/vulnerability/wordpress-radius-blocks-plugin-2-2-1-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Radius Blocks plugin \u003c= 2.2.1 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32159",
"datePublished": "2025-04-04T15:58:42.442Z",
"dateReserved": "2025-04-04T10:00:58.028Z",
"dateUpdated": "2026-04-01T15:50:17.213Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-30814 (GCVE-0-2025-30814)
Vulnerability from cvelistv5 – Published: 2025-03-27 10:55 – Updated: 2026-04-01 15:47
VLAI?
Title
WordPress The Post Grid plugin <= 7.7.17 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme The Post Grid the-post-grid allows PHP Local File Inclusion.This issue affects The Post Grid: from n/a through <= 7.7.17.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | The Post Grid |
Affected:
0 , ≤ 7.7.17
(custom)
|
Date Public ?
2026-04-01 16:37
Credits
LVT-tholv2k | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30814",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-27T13:59:01.438408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-27T14:03:16.053Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "the-post-grid",
"product": "The Post Grid",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "7.7.18",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.7.17",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LVT-tholv2k | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:37:14.648Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme The Post Grid the-post-grid allows PHP Local File Inclusion.\u003cp\u003eThis issue affects The Post Grid: from n/a through \u003c= 7.7.17.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme The Post Grid the-post-grid allows PHP Local File Inclusion.This issue affects The Post Grid: from n/a through \u003c= 7.7.17."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:47:37.412Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-7-17-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress The Post Grid plugin \u003c= 7.7.17 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-30814",
"datePublished": "2025-03-27T10:55:03.204Z",
"dateReserved": "2025-03-26T09:20:32.696Z",
"dateUpdated": "2026-04-01T15:47:37.412Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1063 (GCVE-0-2025-1063)
Vulnerability from cvelistv5 – Published: 2025-02-25 06:58 – Updated: 2026-04-08 17:30
VLAI?
Title
Classified Listing – Classified ads & Business Directory Plugin <= 4.0.4 - Unauthenticated Settings Exposure
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens.
Severity ?
5.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techlabpro1 | Classified Listing – AI-Powered Classified ads & Business Directory Plugin |
Affected:
0 , ≤ 4.0.4
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1063",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-25T14:32:32.605702Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-25T14:37:36.278Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
"vendor": "techlabpro1",
"versions": [
{
"lessThanOrEqual": "4.0.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.4 via the rtcl_taxonomy_settings_export function. This makes it possible for unauthenticated attackers to extract sensitive data including API keys and tokens."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:30:16.994Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e701b771-59f2-4783-b0a1-bea4d6c3d245?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3241883/classified-listing"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-02-24T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 4.0.4 - Unauthenticated Settings Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-1063",
"datePublished": "2025-02-25T06:58:31.877Z",
"dateReserved": "2025-02-05T17:42:57.217Z",
"dateUpdated": "2026-04-08T17:30:16.994Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24712 (GCVE-0-2025-24712)
Vulnerability from cvelistv5 – Published: 2025-01-24 17:25 – Updated: 2026-04-01 15:44
VLAI?
Title
WordPress Radius Blocks – WordPress Gutenberg Blocks Plugin <= 2.1.2 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Radius Blocks radius-blocks allows Cross Site Request Forgery.This issue affects Radius Blocks: from n/a through <= 2.1.2.
Severity ?
No CVSS data available.
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Radius Blocks |
Affected:
0 , ≤ 2.1.2
(custom)
|
Date Public ?
2026-04-01 16:34
Credits
Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T18:40:01.978512Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T18:40:10.225Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "radius-blocks",
"product": "Radius Blocks",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "2.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:34:38.791Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Radius Blocks radius-blocks allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Radius Blocks: from n/a through \u003c= 2.1.2.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in RadiusTheme Radius Blocks radius-blocks allows Cross Site Request Forgery.This issue affects Radius Blocks: from n/a through \u003c= 2.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "Cross Site Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:44:34.884Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/radius-blocks/vulnerability/wordpress-radius-blocks-wordpress-gutenberg-blocks-plugin-2-1-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Radius Blocks \u2013 WordPress Gutenberg Blocks Plugin \u003c= 2.1.2 - Cross Site Request Forgery (CSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24712",
"datePublished": "2025-01-24T17:25:01.513Z",
"dateReserved": "2025-01-23T14:52:31.177Z",
"dateUpdated": "2026-04-01T15:44:34.884Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-54272 (GCVE-0-2024-54272)
Vulnerability from cvelistv5 – Published: 2024-12-13 14:24 – Updated: 2026-04-01 15:39
VLAI?
Title
WordPress Radius Blocks plugin <= 2.1.2 - Cross Site Scripting (XSS) vulnerability
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RadiusTheme Radius Blocks radius-blocks allows Stored XSS.This issue affects Radius Blocks: from n/a through <= 2.1.2.
Severity ?
No CVSS data available.
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Radius Blocks |
Affected:
0 , ≤ 2.1.2
(custom)
|
Date Public ?
2026-04-01 16:30
Credits
Gab | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-13T20:58:33.255301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-13T20:59:00.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "radius-blocks",
"product": "Radius Blocks",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "2.2.0",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.1.2",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gab | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:30:39.456Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RadiusTheme Radius Blocks radius-blocks allows Stored XSS.\u003cp\u003eThis issue affects Radius Blocks: from n/a through \u003c= 2.1.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in RadiusTheme Radius Blocks radius-blocks allows Stored XSS.This issue affects Radius Blocks: from n/a through \u003c= 2.1.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:39:38.302Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/radius-blocks/vulnerability/wordpress-radius-blocks-plugin-2-1-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Radius Blocks plugin \u003c= 2.1.2 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54272",
"datePublished": "2024-12-13T14:24:47.741Z",
"dateReserved": "2024-12-02T12:04:05.094Z",
"dateUpdated": "2026-04-01T15:39:38.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-52386 (GCVE-0-2024-52386)
Vulnerability from cvelistv5 – Published: 2024-11-16 21:18 – Updated: 2026-04-01 15:38
VLAI?
Title
WordPress Classified Listing plugin <= 3.1.16 - Local File Inclusion vulnerability
Summary
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.This issue affects Classified Listing: from n/a through <= 3.1.16.
Severity ?
No CVSS data available.
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | Classified Listing |
Affected:
0 , ≤ 3.1.16
(custom)
|
Date Public ?
2026-04-01 16:29
Credits
João Pedro S Alcântara (Kinorth) | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-52386",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-18T15:40:46.046722Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-19T15:10:27.835Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "classified-listing",
"product": "Classified Listing",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "3.1.17",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:29:46.107Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.\u003cp\u003eThis issue affects Classified Listing: from n/a through \u003c= 3.1.16.\u003c/p\u003e"
}
],
"value": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027) vulnerability in RadiusTheme Classified Listing classified-listing allows PHP Local File Inclusion.This issue affects Classified Listing: from n/a through \u003c= 3.1.16."
}
],
"impacts": [
{
"capecId": "CAPEC-252",
"descriptions": [
{
"lang": "en",
"value": "PHP Local File Inclusion"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:38:39.712Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/classified-listing/vulnerability/wordpress-classified-listing-plugin-3-1-15-1-local-file-inclusion-vulnerability?_s_id=cve"
}
],
"title": "WordPress Classified Listing plugin \u003c= 3.1.16 - Local File Inclusion vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-52386",
"datePublished": "2024-11-16T21:18:40.902Z",
"dateReserved": "2024-11-11T06:38:47.503Z",
"dateUpdated": "2026-04-01T15:38:39.712Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37481 (GCVE-0-2024-37481)
Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress The Post Grid plugin <= 7.7.4 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.This issue affects The Post Grid: from n/a through <= 7.7.4.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | The Post Grid |
Affected:
0 , ≤ 7.7.4
(custom)
|
Date Public ?
2026-04-01 16:27
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:radiustheme:the_post_grid:*:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "the_post_grid",
"vendor": "radiustheme",
"versions": [
{
"lessThanOrEqual": "7.7.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37481",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T18:05:11.904983Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T18:05:16.214Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "the-post-grid",
"product": "The Post Grid",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "7.7.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:27:19.592Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.\u003cp\u003eThis issue affects The Post Grid: from n/a through \u003c= 7.7.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.This issue affects The Post Grid: from n/a through \u003c= 7.7.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:30.086Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-7-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress The Post Grid plugin \u003c= 7.7.4 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37481",
"datePublished": "2024-11-01T14:18:16.222Z",
"dateReserved": "2024-06-09T11:43:29.008Z",
"dateUpdated": "2026-04-01T15:34:30.086Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37482 (GCVE-0-2024-37482)
Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress The Post Grid plugin <= 7.7.4 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.This issue affects The Post Grid: from n/a through <= 7.7.4.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | The Post Grid |
Affected:
0 , ≤ 7.7.4
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-04T14:04:11.390985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-04T14:08:25.907Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "the-post-grid",
"product": "The Post Grid",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "7.7.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:55.646Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.\u003cp\u003eThis issue affects The Post Grid: from n/a through \u003c= 7.7.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.This issue affects The Post Grid: from n/a through \u003c= 7.7.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:30.259Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-7-4-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"title": "WordPress The Post Grid plugin \u003c= 7.7.4 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37482",
"datePublished": "2024-11-01T14:18:15.613Z",
"dateReserved": "2024-06-09T11:43:29.008Z",
"dateUpdated": "2026-04-01T15:34:30.259Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37483 (GCVE-0-2024-37483)
Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2026-04-01 15:34
VLAI?
Title
WordPress The Post Grid plugin <= 7.7.4 - Broken Access Control vulnerability
Summary
Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.This issue affects The Post Grid: from n/a through <= 7.7.4.
Severity ?
No CVSS data available.
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| RadiusTheme | The Post Grid |
Affected:
0 , ≤ 7.7.4
(custom)
|
Date Public ?
2026-04-01 16:26
Credits
Rafie Muhammad | Patchstack Bug Bounty Program
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T18:19:37.905285Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T18:19:45.603Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "the-post-grid",
"product": "The Post Grid",
"vendor": "RadiusTheme",
"versions": [
{
"changes": [
{
"at": "7.7.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "7.7.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rafie Muhammad | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:26:55.706Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.\u003cp\u003eThis issue affects The Post Grid: from n/a through \u003c= 7.7.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in RadiusTheme The Post Grid the-post-grid.This issue affects The Post Grid: from n/a through \u003c= 7.7.4."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:34:30.425Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/the-post-grid/vulnerability/wordpress-the-post-grid-plugin-7-7-4-broken-access-control-vulnerability-3?_s_id=cve"
}
],
"title": "WordPress The Post Grid plugin \u003c= 7.7.4 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37483",
"datePublished": "2024-11-01T14:18:14.962Z",
"dateReserved": "2024-06-09T11:43:29.008Z",
"dateUpdated": "2026-04-01T15:34:30.425Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3635 (GCVE-0-2024-3635)
Vulnerability from cvelistv5 – Published: 2024-09-30 06:00 – Updated: 2024-09-30 20:22
VLAI?
Title
The Post Grid < 7.5.0 - Editor+ Stored XSS via Grid Creation
Summary
The Post Grid WordPress plugin before 7.5.0 does not sanitise and escape some of its Grid settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).
Severity ?
4.8 (Medium)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Unknown | The Post Grid |
Affected:
0 , < 7.5.0
(semver)
|
Credits
Dmitrii Ignatyev
WPScan
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:post_grid_team_by_radiustheme:the_post_grid:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "the_post_grid",
"vendor": "post_grid_team_by_radiustheme",
"versions": [
{
"lessThan": "7.5.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-3635",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T20:19:25.454706Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T20:22:55.127Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "The Post Grid",
"vendor": "Unknown",
"versions": [
{
"lessThan": "7.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dmitrii Ignatyev"
},
{
"lang": "en",
"type": "coordinator",
"value": "WPScan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Post Grid WordPress plugin before 7.5.0 does not sanitise and escape some of its Grid settings, which could allow high privilege users such as Editor and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Cross-Site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T06:00:05.591Z",
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan"
},
"references": [
{
"tags": [
"exploit",
"vdb-entry",
"technical-description"
],
"url": "https://wpscan.com/vulnerability/63cbe5f4-fe0f-499f-a964-cf4fbedcfa25/"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "The Post Grid \u003c 7.5.0 - Editor+ Stored XSS via Grid Creation",
"x_generator": {
"engine": "WPScan CVE Generator"
}
}
},
"cveMetadata": {
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"cveId": "CVE-2024-3635",
"datePublished": "2024-09-30T06:00:05.591Z",
"dateReserved": "2024-04-10T20:01:28.109Z",
"dateUpdated": "2024-09-30T20:22:55.127Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-7888 (GCVE-0-2024-7888)
Vulnerability from cvelistv5 – Published: 2024-09-13 06:47 – Updated: 2026-04-08 16:50
VLAI?
Title
Classified Listing – Classified ads & Business Directory Plugin <= 3.1.7 - Missing Authorization
Summary
The Classified Listing – Classified ads & Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings.
Severity ?
6.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| techlabpro1 | Classified Listing – AI-Powered Classified ads & Business Directory Plugin |
Affected:
0 , ≤ 3.1.7
(semver)
|
Credits
Lucio Sá
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-7888",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-13T13:39:35.703881Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-13T13:39:49.847Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Classified Listing \u2013 AI-Powered Classified ads \u0026 Business Directory Plugin",
"vendor": "techlabpro1",
"versions": [
{
"lessThanOrEqual": "3.1.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions like export_forms(), import_forms(), update_fb_options(), and many more in all versions up to, and including, 3.1.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify forms and various other settings."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:50:27.216Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/494d2e69-0759-419a-a603-e8870c157e49?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/classified-listing/tags/3.1.6/app/Controllers/Ajax/FormBuilderAdminAjax.php"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3150743/classified-listing/trunk/app/Controllers/Ajax/FormBuilderAdminAjax.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-12T18:35:01.000Z",
"value": "Disclosed"
}
],
"title": "Classified Listing \u2013 Classified ads \u0026 Business Directory Plugin \u003c= 3.1.7 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-7888",
"datePublished": "2024-09-13T06:47:26.961Z",
"dateReserved": "2024-08-16T16:01:37.031Z",
"dateUpdated": "2026-04-08T16:50:27.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}