15 matches found
CVE-2024-1323
CVE-2024-1323 affects Orbit Fox by ThemeIsle (WordPress). Stored XSS via the Post Type Grid Widget Title in versions up to 2.10.30 occurs due to insufficient input sanitization and output escaping of user attributes. Exploitation requires authentication at Contributor+ level; attacker could injec...
CVE-2024-1047
CVE-2024-1047 concerns Orbit Fox by ThemeIsle (WordPress) with a vulnerability in register_reference() causing unauthorized modification of data. The issue exists in all versions up to and including 2.10.28 due to a missing capability check, enabling unauthenticated attackers to update the connec...
CVE-2024-1162
CVE-2024-1162 overview (Orbit Fox, ThemeIsle, WordPress) : The Orbit Fox plugin (ThemeIsle) for WordPress is vulnerable to Cross-Site Forgery via a missing/incorrect nonce validation in the register_reference() function, affecting versions up to and including 2.10.29. This CSRF flaw can allow una...
CVE-2025-0311
The CVE concerns the WordPress Orbit Fox by ThemeIsle plugin. Affected component: the Pricing Table widget in versions up to and including 2.10.43. Root cause: insufficient input sanitization and output escaping on user-supplied widget attributes. Impact: Stored Cross-Site Scripting that authenti...
CVE-2024-7778
CVE-2024-7778 affects Orbit Fox by ThemeIsle for WordPress. It is a Stored XSS via SVG file uploads in all versions up to and including 2.10.36 due to insufficient input sanitization and output escaping. Exploitation requires authenticated access at Author level or higher, and injected scripts ex...
CVE-2021-24157
The CVE-2021-24157 issue affects Orbit Fox by ThemeIsle WordPress plugin. Affected component: the header/footer script injection feature in Orbit Fox; root cause: no validation of user capabilities (unfiltered_html) before saving script tags, enablingAuthenticated users with lower privileges to i...
CVE-2024-2126
The CVE-2024-2126 entry concerns Orbit Fox by ThemeIsle (WordPress plugin). A Stored Cross-Site Scripting (XSS) flaw exists in the Registration Form Widget across all versions up to and including 2.10.32, caused by insufficient input sanitization and output escaping. Exploitation requires authent...
CVE-2024-1497
The CVE-2024-1497 entry concerns the Orbit Fox by ThemeIsle WordPress plugin. A Stored Cross-Site Scripting (XSS) vulnerability exists in the addr2_width attribute of the form widget, across all versions up to and including 2.10.30, caused by insufficient input sanitization and output escaping. E...
CVE-2024-13183
The CVE-2024-13183 entry refers to the Orbit Fox by ThemeIsle WordPress plugin. A Stored Cross-Site Scripting (Stored XSS) flaw exists in the title_tag parameter across all versions up to and including 2.10.43, caused by insufficient input sanitization and output escaping. Exploitation requires a...
CVE-2024-2484
CVE-2024-2484 affects Orbit Fox by ThemeIsle for WordPress; stored XSS via Services and Post Type Grid widgets in all versions
CVE-2021-24158
CVE-2021-24158 affects Orbit Fox by ThemeIsle (WordPress plugin). Vulnerability: a registration form feature integrated with Elementor and Beaver Builder allows a lower-privileged user to supply the user_role parameter and set the default role for new registrations, despite the field being hidden...
CVE-2024-0508
The CVE-2024-0508 entry concerns Orbit Fox by ThemeIsle for WordPress, with a Stored Cross-Site Scripting vulnerability in the Pricing Table Elementor Widget present in all versions up to and including 2.10.27. The issue stems from insufficient input sanitization and output escaping on user-suppl...
CVE-2025-22659
CVE-2025-22659 concerns the WordPress Orbit Fox plugin by ThemeIsle (
CVE-2024-1499
CVE-2024-1499 affects Orbit Fox by ThemeIsle (WordPress plugin) up to version 2.10.30, with Stored XSS in the Pricing Table widget via the $settings['title_tags'] field caused by insufficient input sanitization and output escaping. Exploitation is possible by authenticated users with contributor ...
CVE-2023-6781
The CVE-2023-6781 entry affects Orbit Fox by ThemeIsle (WordPress plugin) up to version 2.10.26, due to insufficient input sanitization and output escaping in custom fields, enabling stored XSS for authenticated users with contributor+ permissions. The issue is fixed in 2.10.27; upgrade to that v...