Pencidesign Soledad vulnerabilities
17 known vulnerabilities affecting pencidesign/soledad.
Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 7, MEDIUM 8
Vulnerabilities
CVE-2025-64188 | P2 | CRITICAL | CVSS 9.8 | CWE-266 | ≤ 8.6.9 | 2025-12-18
Incorrect Privilege Assignment vulnerability in PenciDesign Soledad soledad allows Privilege Escalation. This issue affects Soledad: from n/a through <= 8.6.9.
nvd
CVE-2025-8142 | P3 | HIGH | CVSS 8.8 | CWE-98 | ≤ 8.6.7 | 2025-08-16
The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.6.7 via the 'header_layout' parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files.
nvd
CVE-2023-49826 | P3 | CRITICAL | CVSS 9.8 | CWE-502 | fixed in 8.4.2 | 2023-12-21
Deserialization of Untrusted Data vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme. This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.
nvd
CVE-2025-8105 | P3 | HIGH | CVSS 7.3 | CWE-94 | ≤ 8.6.7 | 2025-08-16
The Soledad theme for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.6.7. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
nvd
CVE-2024-11289 | P3 | HIGH | CVSS 8.1 | CWE-98 | ≤ 8.5.9 | 2024-12-06
The Soledad theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 8.5.9 via several functions like penci_archive_more_post_ajax_func, penci_more_post_ajax_func, and penci_more_featured_post_ajax_func. This makes it possible for unauthenticated attackers to include and execute PHP files on the server, allowing t
nvd
CVE-2023-49825 | P3 | HIGH | CVSS 8.1 | CWE-89 | fixed in 8.4.2 | 2023-12-20
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme. This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.
nvd
CVE-2025-68066 | P3 | HIGH | CVSS 7.5 | CWE-98 | ≤ 8.7.0 | 2025-12-16
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through <= 8.7.0.
nvd
CVE-2025-59588 | P3 | HIGH | CVSS 7.5 | CWE-98 | ≤ 8.6.8 | 2025-09-22
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in PenciDesign Soledad soledad allows PHP Local File Inclusion. This issue affects Soledad: from n/a through <= 8.6.8.
nvd
CVE-2024-31367 | P3 | HIGH | CVSS 7.1 | CWE-862 | fixed in 8.4.6 | ≥ n/a, ≤ 8.4.2 | 2024-04-09
Missing Authorization vulnerability in PenciDesign Soledad. This issue affects Soledad: from n/a through 8.4.2.
nvd
CVE-2024-31368 | P4 | MEDIUM | CVSS 6.5 | CWE-862 | fixed in 8.4.6 | ≥ n/a, ≤ 8.4.2 | 2024-04-09
Missing Authorization vulnerability in PenciDesign Soledad. This issue affects Soledad: from n/a through 8.4.2.
nvd
CVE-2025-8143 | P4 | MEDIUM | CVSS 6.4 | CWE-79 | ≤ 8.6.7 | 2025-08-16
The Soledad theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘pcsml_smartlists_h’ parameter in all versions up to, and including, 8.6.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages
nvd
CVE-2026-27069 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 8.7.2 | 2026-02-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through <= 8.7.2.
nvd
CVE-2025-59589 | P4 | MEDIUM | CVSS 6.5 | CWE-79 | ≤ 8.6.8 | 2025-09-22
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS. This issue affects Soledad: from n/a through <= 8.6.8.
nvd
CVE-2022-3209 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 8.2.5 | 2022-10-10
The soledad WordPress theme before 8.2.5 does not sanitise the {id,datafilter[type],...} parameters in its penci_more_slist_post_ajax AJAX action, leading to a Reflected Cross-Site Scripting (XSS) vulnerability.
nvd
CVE-2023-49827 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 8.4.2 | 2023-12-14
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme allows Reflected XSS. This issue affects Soledad – Multipurpose, Newspaper, Blog & WooCommerce WordPress Theme: from n/a through 8.4.1.
nvd
CVE-2022-41788 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | fixed in 8.2.6 | ≤ 8.2.5 | 2022-11-18
Auth. (subscriber+) Cross-Site Scripting (XSS) vulnerability in Soledad premium theme <= 8.2.5 on WordPress.
nvd
CVE-2024-31369 | P4 | MEDIUM | CVSS 5.4 | CWE-352 | fixed in 8.4.6 | ≥ n/a, ≤ 8.4.2 | 2024-04-09
Cross-Site Request Forgery (CSRF) vulnerability in PenciDesign Soledad. This issue affects Soledad: from n/a through 8.4.2.
nvd