Themify Security Vulnerabilities

CVE-2023-46148

Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...

CVE-2023-46146

Missing Authorization vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...

CVE-2024-6027

The Themify – WooCommerce Product Filter plugin for WordPress is vulnerable to time-based SQL Injection via the ‘conditions’ parameter in all versions up to, and including, 1.4.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...

CVE-2024-31366

Missing Authorization vulnerability in Themify Post Type Builder (PTB).This issue affects Post Type Builder (PTB): from n/a through...

CVE-2024-31365

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Post Type Builder (PTB) allows Reflected XSS.This issue affects Post Type Builder (PTB): from n/a through...

CVE-2024-30440

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Themify Event Post allows Stored XSS.This issue affects Themify Event Post: from n/a through...

CVE-2023-46145

Improper Privilege Management vulnerability in Themify Themify Ultra allows Privilege Escalation.This issue affects Themify Ultra: from n/a through...

CVE-2024-24872

Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder.This issue affects Themify Builder: from n/a through...

CVE-2023-51693

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Icons allows Stored XSS.This issue affects Themify Icons: from n/a through...

CVE-2023-46149

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...

CVE-2023-46147

Deserialization of Untrusted Data vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through...

CVE-2022-4464

Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high.....

CVE-2023-2654

The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as...

CVE-2023-0362

Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting...

CVE-2022-4787

Themify Shortcodes WordPress plugin before 2.0.8 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting...

CVE-2022-32970

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Themify Themify Portfolio Post plugin <= 1.2.4...

CVE-2022-1532

Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site...

CVE-2022-1047

The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting...

CVE-2022-0200

Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site...

CVE-2013-20002

Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php...

CVE-2021-24129

Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom.....