diff --git a/lib/common/models/wp_theme/vulnerable.rb b/lib/common/models/wp_theme/vulnerable.rb index 9156b98b..47e45741 100644 --- a/lib/common/models/wp_theme/vulnerable.rb +++ b/lib/common/models/wp_theme/vulnerable.rb @@ -2,6 +2,8 @@ class WpTheme < WpItem module Vulnerable + + # @return [ String ] The path to the file containing vulnerabilities def vulns_file unless @vulns_file @vulns_file = THEMES_VULNS_FILE @@ -9,8 +11,10 @@ class WpTheme < WpItem @vulns_file end + # @return [ String ] def vulns_xpath "//theme[@name='#{@name}']/vulnerability" end + end end diff --git a/spec/lib/common/models/wp_theme_spec.rb b/spec/lib/common/models/wp_theme_spec.rb index 9d2a3fde..54b3c03c 100644 --- a/spec/lib/common/models/wp_theme_spec.rb +++ b/spec/lib/common/models/wp_theme_spec.rb @@ -4,6 +4,12 @@ require 'spec_helper' describe WpTheme do it_behaves_like 'WpTheme::Versionable' + it_behaves_like 'WpTheme::Vulnerable' + it_behaves_like 'WpItem::Vulnerable' do + let(:options) { { name: 'the-oracle' } } + let(:vulns_file) { MODELS_FIXTURES + '/wp_theme/vulnerable/themes_vulns.xml' } + let(:expected_vulns) { Vulnerabilities.new << Vulnerability.new('I see you', 'FPD', ['http://ref.com']) } + end subject(:wp_theme) { WpTheme.new(uri, options) } let(:uri) { URI.parse('http://example.com/') } diff --git a/spec/samples/common/models/wp_theme/vulnerable/themes_vulns.xml b/spec/samples/common/models/wp_theme/vulnerable/themes_vulns.xml new file mode 100644 index 00000000..4401e5f4 --- /dev/null +++ b/spec/samples/common/models/wp_theme/vulnerable/themes_vulns.xml @@ -0,0 +1,19 @@ + + + + + + I should not appear in the results + http://some-ref.com + SQLI + + + + + + I see you + http://ref.com + FPD + + + diff --git a/spec/shared_examples/wp_theme_vulnerable.rb b/spec/shared_examples/wp_theme_vulnerable.rb new file mode 100644 index 00000000..59e1343f --- /dev/null +++ b/spec/shared_examples/wp_theme_vulnerable.rb 
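Review bot: In `lib/common/models/wp_theme/vulnerable.rb`, second hunk, the new `# @return [ String ]` on `vulns_xpath` carries no description, and the method it documents interpolates `@name` into a single-quoted XPath literal with no escaping. If a theme name can originate from a scanned site (not visible in this hunk), a name containing `'` would produce a malformed expression or one that matches other `theme` nodes, so the lookup could raise or report another theme's vulnerabilities. I would state the constraint in the comment, e.g. `# @return [ String ] XPath selecting this theme's vulnerability nodes; @name is interpolated unescaped and must not contain a single quote`, and validate the name where it is assigned. The spec hunks pin only `the-oracle` and `theme-name`, so behaviour for a quoted name is untested.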
@@ -0,0 +1,26 @@
+# encoding: UTF-8
+
+shared_examples 'WpTheme::Vulnerable' do
+
+ describe '#vulns_file' do
+ after { subject.vulns_file.should == @expected }
+
+ context 'when :vulns_file is no set' do
+ it 'returns the default one' do
+ @expected = THEMES_VULNS_FILE
+ end
+ end
+
+ context 'when the :vulns_file is already set' do
+ it 'returns it' do
+ @expected = 'test.xml'
+ subject.vulns_file = @expected
+ end
+ end
+ end
+
+ describe '#vulns_xpath' do
+ its(:vulns_xpath) { should == "//theme[@name='theme-name']/vulnerability" }
+ end
+
+end
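Review bot: The expectation for `#vulns_file` sits in `after { subject.vulns_file.should == @expected }`, so each `it` body only assigns state and a failure is reported from the hook rather than from the example that caused it. Moving the assertion into the example, e.g. `subject.vulns_file.should == THEMES_VULNS_FILE`, keeps each case self-contained and readable. The first context description reads 'when :vulns_file is no set', where `is not set` is meant. The `#vulns_xpath` example hard-codes `theme-name`, so it relies on the including spec's `options`, which are defined outside this file; a comment above the shared example saying so would help.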