ExtendThemes — Vulnerabilities & Security Advisories 28

Browse all 28 CVE security advisories affecting ExtendThemes. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ExtendThemes operates as a developer of WordPress themes and plugins, primarily targeting e-commerce and business websites. Security audits reveal a concerning pattern of vulnerabilities, with 28 Common Vulnerabilities and Exposures (CVEs) currently on record. These flaws predominantly involve cross-site scripting (XSS) and remote code execution (RCE), often stemming from insufficient input validation and improper sanitization of user-supplied data. Several incidents highlight critical privilege escalation risks, allowing unauthorized users to gain administrative access or execute arbitrary commands on affected servers. The high volume of disclosed CVEs suggests systemic weaknesses in the development lifecycle, particularly regarding secure coding practices and rigorous testing protocols. While specific major data breaches directly attributed to ExtendThemes are not widely publicized, the frequency of these technical vulnerabilities poses significant operational risks for site administrators relying on their software.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5427 | Kubio AI Page Builder <= 2.7.2 - Missing Authorization to Authenticated (Contributor+) Limited File Upload via Kubio Block Attributes | Kubio AI Page Builder | CWE-862 | 5.3 | Medium | 2026-04-17 |
| CVE-2025-62751 | WordPress Vireo theme <= 1.0.24 - Broken Access Control vulnerability | Vireo | CWE-862 | 4.3 | Medium | 2025-12-31 |
| CVE-2025-11747 | Colibri Page Builder <= 1.0.345 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2025-12-19 |
| CVE-2025-11376 | Colibri Page Builder <= 1.0.335 - Authenticated (Contributor+) Stored Cross-Site Scripting | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2025-12-13 |
| CVE-2025-9560 | Colibri Page Builder <= 1.0.334 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_newsletter Shortcode | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2025-10-11 |
| CVE-2025-8487 | Kubio AI Page Builder <= 2.6.3 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation | Kubio AI Page Builder | CWE-862 | 5.4 | Medium | 2025-09-19 |
| CVE-2025-2294 | Kubio AI Page Builder <= 2.5.1 - Unauthenticated Local File Inclusion | Kubio AI Page Builder | CWE-22 | 9.8 | Critical | 2025-03-28 |
| CVE-2024-13516 | Kubio AI Page Builder <= 2.3.5 - Reflected Cross-Site Scripting | Kubio AI Page Builder | CWE-79 | 6.1 | Medium | 2025-01-18 |
| CVE-2024-37458 | WordPress Highlight theme <= 1.0.29 - Cross Site Request Forgery (CSRF) vulnerability | Highlight | CWE-352 | 4.3 | Medium | 2025-01-02 |
| CVE-2024-37431 | WordPress Mesmerize theme <= 1.6.120 - Cross Site Request Forgery (CSRF) vulnerability | Mesmerize | CWE-352 | 4.3 | Medium | 2025-01-02 |
| CVE-2024-5020 | Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via FancyBox JavaScript Library | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2024-12-04 |
| CVE-2024-39661 | WordPress Kubio AI Page Builder plugin <= 2.2.4 - Authenticated Cross Site Scripting (XSS) vulnerability | Kubio AI Page Builder | CWE-79 | 6.5 | Medium | 2024-08-01 |
| CVE-2023-3204 | Materialis <= 1.1.24 - Missing Authorization to Limited Arbitrary Options Update | Materialis | CWE-862 | 6.5 | Medium | 2024-06-20 |
| CVE-2024-4451 | Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via colibri_video_player Shortcode | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2024-06-07 |
| CVE-2024-5038 | Colibri Page Builder <= 1.0.276 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2024-06-06 |
| CVE-2024-3340 | Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri-gallery-slideshow' Shortcode | Colibri Page Builder | CWE-79 | 5.4 | Medium | 2024-05-02 |
| CVE-2024-3337 | Colibri Page Builder <= 1.0.272 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'colibri_breadcrumb_element' Shortcode | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2024-05-02 |
| CVE-2024-3338 | Colibri Page Builder <= 1.0.262 - Authenticated (Author+) Stored Cross-Site Scripting | Colibri Page Builder | CWE-79 | 4.4 | Medium | 2024-05-02 |
| CVE-2024-2839 | Colibri Page Builder <= 1.0.263 - Authenticated (Contributor+) Stored Cross-Site Scripting | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2024-04-02 |
| CVE-2024-28004 | WordPress Colibri Page Builder plugin <= 1.0.248 - Broken Access Control vulnerability | Colibri Page Builder | CWE-862 | 5.4 | Medium | 2024-03-28 |
| CVE-2024-1870 | Colibri Page Builder <= 1.0.260 - Missing Authorization | Colibri Page Builder | CWE-862 | 4.3 | Medium | 2024-03-09 |
| CVE-2024-1360 | Colibri WP <= 1.0.94 - Cross-Site Request Forgery to Limited Plugin Installation | Colibri WP | CWE-352 | 4.3 | Medium | 2024-02-23 |
| CVE-2024-1362 | Colibri Page Builder <= 1.0.253 - Cross-Site Request Forgery via cp_shortcode_refresh | Colibri Page Builder | CWE-352 | 4.3 | Medium | 2024-02-23 |
| CVE-2024-1361 | Colibri Page Builder <= 1.0.253 - Cross-Site Request Forgery via extend_builder | Colibri Page Builder | CWE-352 | 4.3 | Medium | 2024-02-23 |
| CVE-2023-6988 | Colibri Page Builder <= 1.0.239 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode | Colibri Page Builder | CWE-79 | 6.4 | Medium | 2024-01-11 |
| CVE-2023-50833 | WordPress Colibri Page Builder Plugin <= 1.0.239 is vulnerable to Cross Site Scripting (XSS) | Colibri Page Builder | CWE-79 | 6.5 | Medium | 2023-12-21 |
| CVE-2023-2188 | Colibri Page Builder <= 1.0.227 - Authenticated (Administrator+) SQL Injection via post_id | Colibri Page Builder | CWE-89 | 7.2 | High | 2023-08-31 |
| CVE-2019-25142 | Mesmerize <= 1.6.89 & Materialis <= 1.0.172 - Authenticated Arbitrary Options Update | Materialis | CWE-862 | 8.8 | High | 2023-06-07 |

This page lists every published CVE security advisory associated with ExtendThemes. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.