DesignThemes — Vulnerabilities & Security Advisories 38

Browse all 38 CVE security advisories affecting DesignThemes. AI-powered Chinese analysis, POCs, and references for each vulnerability.

DesignThemes operates primarily as a provider of web templates and themes for content management systems, targeting developers and businesses seeking pre-built digital infrastructure. Security audits have identified thirty-eight distinct Common Vulnerabilities and Exposures (CVEs) associated with its products, indicating a pattern of insufficient input validation and access control mechanisms. The most prevalent vulnerability classes include Remote Code Execution (RCE), Cross-Site Scripting (XSS), and Privilege Escalation, often stemming from outdated dependencies or hardcoded credentials within the theme files. These flaws typically allow attackers to execute arbitrary commands, steal session data, or bypass administrative restrictions. While no single catastrophic data breach has been publicly attributed solely to DesignThemes, the high volume of CVEs suggests systemic issues in their code review processes. Users are advised to apply patches immediately and restrict file permissions to mitigate the risk of exploitation.

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-27983 | WordPress LMS Elementor Pro plugin <= 1.0.4 - Privilege Escalation vulnerability — LMS Elementor Pro | CWE-266 | 9.8 | Critical | 2026-03-05 |
| CVE-2026-27390 | WordPress WeDesignTech Ultimate Booking Addon plugin <= 1.0.1 - Account Takeover vulnerability — WeDesignTech Ultimate Booking Addon | CWE-288 | 8.8 | High | 2026-03-05 |
| CVE-2026-27388 | WordPress DesignThemes Booking Manager plugin <= 2.0 - Broken Access Control vulnerability — DesignThemes Booking Manager | CWE-862 | 7.5 | High | 2026-03-05 |
| CVE-2026-27385 | WordPress DesignThemes Portfolio plugin <= 1.3 - Reflected Cross Site Scripting (XSS) vulnerability — DesignThemes Portfolio | CWE-79 | 7.1 | High | 2026-03-05 |
| CVE-2026-27386 | WordPress DesignThemes Directory Addon plugin <= 1.8 - Broken Access Control vulnerability — DesignThemes Directory Addon | CWE-862 | 7.5 | High | 2026-03-05 |
| CVE-2026-27389 | WordPress WeDesignTech Ultimate Booking Addon plugin <= 1.0.1 - Account Takeover vulnerability — WeDesignTech Ultimate Booking Addon | CWE-288 | 9.8 | Critical | 2026-03-05 |
| CVE-2026-22473 | WordPress Dental Clinic theme <= 3.7 - PHP Object Injection vulnerability — Dental Clinic | CWE-502 | 8.8 | High | 2026-03-05 |
| CVE-2025-69302 | WordPress DesignThemes Core Features plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability — DesignThemes Core Features | CWE-79 | 7.1 | High | 2026-02-20 |
| CVE-2025-69095 | WordPress Reservation Plugin plugin <= 1.7 - Settings Change vulnerability — Reservation Plugin | CWE-862 | 6.5 | Medium | 2026-01-22 |
| CVE-2025-69002 | WordPress OneLife theme <= 3.9 - PHP Object Injection vulnerability — OneLife | CWE-502 | 8.8 | High | 2026-01-22 |
| CVE-2025-68899 | WordPress Vivagh theme <= 2.4 - PHP Object Injection vulnerability — Vivagh | CWE-502 | 8.8 | High | 2026-01-22 |
| CVE-2025-67619 | WordPress Kids Heaven theme <= 3.2 - PHP Object Injection vulnerability — Kids Heaven | CWE-502 | 8.8 | High | 2026-01-22 |
| CVE-2025-68980 | WordPress WeDesignTech Portfolio plugin <= 1.0.2 - Broken Access Control vulnerability — WeDesignTech Portfolio | CWE-862 | 5.3 | Medium | 2025-12-30 |
| CVE-2025-68982 | WordPress DesignThemes LMS Addon plugin <= 2.6 - Broken Access Control vulnerability — DesignThemes LMS Addon | CWE-862 | 5.3 | Medium | 2025-12-30 |
| CVE-2025-68981 | WordPress HomeFix Elementor Portfolio plugin <= 1.0.1 - Broken Access Control vulnerability — HomeFix Elementor Portfolio | CWE-862 | 5.3 | Medium | 2025-12-30 |
| CVE-2025-68977 | WordPress DesignThemes Portfolio Addon plugin <= 1.5 - Cross Site Scripting (XSS) vulnerability — DesignThemes Portfolio Addon | CWE-79 | 6.5 | Medium | 2025-12-30 |
| CVE-2025-68978 | WordPress DesignThemes Core plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability — DesignThemes Core | CWE-79 | 6.5 | Medium | 2025-12-30 |
| CVE-2025-64221 | WordPress Reservation Plugin plugin <= 1.6 - Cross Site Scripting (XSS) vulnerability — Reservation Plugin | CWE-79 | 7.1 | High | 2025-12-18 |
| CVE-2025-13542 | DesignThemes LMS <= 1.0.4 - Unauthenticated Privilege Escalation — DesignThemes LMS | CWE-269 | 9.8 | Critical | 2025-12-02 |
| CVE-2025-60234 | WordPress Single Property theme <= 2.8 - PHP Object Injection vulnerability — Single Property | CWE-502 | 8.8 | High | 2025-10-22 |
| CVE-2025-60228 | WordPress Knowledge Base theme <= 2.9 - PHP Object Injection vulnerability — Knowledge Base | CWE-502 | 8.8 | High | 2025-10-22 |
| CVE-2025-60212 | WordPress VEDA Theme <= 4.2 - PHP Object Injection Vulnerability — VEDA | CWE-502 | 8.8 | High | 2025-10-22 |
| CVE-2025-60215 | WordPress Kriya theme <= 3.4 - PHP Object Injection Vulnerability — Kriya | CWE-502 | 8.8 | High | 2025-10-22 |
| CVE-2025-53423 | WordPress Triss theme <= 2.6 - Cross Site Scripting (XSS) vulnerability — Triss | CWE-79 | 7.1 | High | 2025-10-22 |
| CVE-2025-31634 | WordPress Insurance theme <= 3.5 - PHP Object Injection Vulnerability — Insurance | CWE-502 | 8.8 | High | 2025-10-22 |
| CVE-2025-32283 | WordPress Solar Energy theme <= 3.5 - PHP Object Injection Vulnerability — Solar Energy | CWE-502 | 8.8 | High | 2025-10-22 |
| CVE-2025-31072 | WordPress Ofiz - Business Consulting Theme plugin <= 2.0 - Cross Site Scripting (XSS) Vulnerability — Ofiz - WordPress Business Consulting Theme | CWE-79 | 7.1 | High | 2025-07-16 |
| CVE-2025-31422 | WordPress Visual Art \| Gallery WordPress Theme <= 2.4 - PHP Object Injection Vulnerability — Visual Art \| Gallery WordPress Theme | CWE-502 | 8.8 | High | 2025-07-16 |
| CVE-2025-31427 | WordPress Invico - WordPress Consulting Business Theme <= 1.9 - Cross Site Scripting (XSS) Vulnerability — Invico - WordPress Consulting Business Theme | CWE-79 | 7.1 | High | 2025-07-16 |
| CVE-2025-52828 | WordPress Red Art theme <= 3.8 - PHP Object Injection Vulnerability — Red Art | CWE-502 | 8.8 | High | 2025-07-04 |

This page lists every published CVE security advisory associated with DesignThemes. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.