Filtered by vendor Themehunk
Subscriptions
Total
12 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2024-8434 | 1 Themehunk | 1 Mega Menu | 2024-12-17 | 4.3 Medium |
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings. | ||||
CVE-2024-9707 | 1 Themehunk | 1 Hunk Companion | 2024-11-25 | 9.8 Critical |
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. | ||||
CVE-2023-27431 | 1 Themehunk | 1 Big Store | 2024-11-21 | 4.3 Medium |
Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk Big Store theme <= 1.9.3 versions. | ||||
CVE-2022-2405 | 1 Themehunk | 1 Wp Popup Builder | 2024-11-21 | 4.3 Medium |
The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup | ||||
CVE-2022-2404 | 1 Themehunk | 1 Wp Popup Builder | 2024-11-21 | 6.1 Medium |
The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | ||||
CVE-2022-23180 | 1 Themehunk | 1 Contact Form \& Lead Form Elementor Builder | 2024-11-21 | 4.3 Medium |
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings | ||||
CVE-2022-23179 | 1 Themehunk | 1 Contact Form \& Lead Form Elementor Builder | 2024-11-21 | 4.8 Medium |
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | ||||
CVE-2021-24967 | 1 Themehunk | 1 Contact Form \& Lead Form Elementor Builder | 2024-11-21 | 6.1 Medium |
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads | ||||
CVE-2024-10673 | 1 Themehunk | 1 Top Store | 2024-11-12 | 8.8 High |
The Top Store theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the top_store_install_and_activate_callback() function in all versions up to, and including, 1.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution. | ||||
CVE-2024-10674 | 1 Themehunk | 1 Th Shop Mania | 2024-11-12 | 8.8 High |
The Th Shop Mania theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the th_shop_mania_install_and_activate_callback() function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation. | ||||
CVE-2024-9061 | 1 Themehunk | 1 Wp Popup Builder | 2024-10-30 | 7.3 High |
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access. | ||||
CVE-2024-44049 | 1 Themehunk | 1 Gutenberg Blocks | 2024-09-24 | 6.5 Medium |
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks – Unlimited blocks For Gutenberg allows Stored XSS.This issue affects Gutenberg Blocks – Unlimited blocks For Gutenberg: from n/a through 1.2.7. |
Page 1 of 1.