CVE-2024-24872

CVE-2024-24872 affects the WordPress plugin Themify Builder up to version 7.0.5, with a Cross-Site Request Forgery (CSRF) vulnerability in the builder workflow. The issue can enable unauthorized actions on an authenticated user’s session. The CVE is mitigated by upgrading to Themify Builder 7.0.6...

CVE-2024-3032

The CVE-2024-3032 entry concerns the WordPress Themify Builder plugin prior to version 7.5.8, which contains an open redirect vulnerability. The issue stems from not validating the tb_redirect_fail parameter before redirecting the user to its value, enabling redirection to an attacker-controlled ...

CVE-2024-56216

The CVE-2024-56216 entry concerns a PHP Remote File Inclusion vulnerability in the WordPress Themify Builder plugin (affected: versions up to 7.6.3) that enables PHP Local File Inclusion via improper control of include/require filename. Root cause: insecure handling of file paths in include/requi...

CVE-2024-9385

The CVE-2024-9385 entry concerns Themify Builder for WordPress (versions up to and including 7.6.2). It is a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper escaping of URLs when using add_query_arg, enabling unauthenticated attackers to inject scripts via crafted links. Pub...

CVE-2024-52423

CVE-2024-52423 is a Stored XSS vulnerability in the WordPress plugin Themify Builder. The issue arises from improper neutralization of input during web page generation, enabling an attacker to inject scripts. Affected product: Themify Builder; affected versions include 7.6.3 (and earlier per the ...

CVE-2024-7836

CVE-2024-7836 affects the WordPress plugin Themify Builder: all versions up to and including 7.6.1 are vulnerable to unauthorized post duplication due to missing checks in the duplicate_page_ajaxify function. This allows authenticated attackers with Contributor-level access and above to duplicate...