Hashthemes — Vulnerabilities & Security Advisories (26)

Browse all 26 CVE security advisories affecting Hashthemes. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Hashthemes operates as a prominent developer and distributor of premium WordPress themes and plugins, catering primarily to web designers and agencies seeking pre-built, customizable website templates. Their extensive portfolio has attracted significant attention from security researchers due to the high volume of vulnerabilities discovered in their products. Historically, common flaw classes include Cross-Site Scripting (XSS), SQL Injection, and Remote Code Execution (RCE), often stemming from insufficient input validation and improper sanitization of user-supplied data. Privilege escalation vulnerabilities have also been frequently reported, allowing lower-privileged users to gain administrative access. While the company generally responds to reported issues, the sheer number of recorded CVEs highlights systemic challenges in their development lifecycle. These incidents underscore the risks associated with using third-party, commercially distributed WordPress assets that may not undergo rigorous security auditing prior to release.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-5077 | Total <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in Blog Section Image alt Attribute | Total | CWE-79 | 5.4 | Medium | 2026-05-02 |
| CVE-2026-6370 | WordPress Mini Ajax Cart for WooCommerce plugin <= 1.3.4 - Cross Site Scripting (XSS) vulnerability | Mini Ajax Cart for WooCommerce | CWE-79 | 5.9 | Medium | 2026-04-15 |
| CVE-2025-9045 | Easy Elementor Addons <= 2.2.9 - Authenticated (Contributor+) Stored Cross-Site Scripting | Easy Elementor Addons – Addons Pack for Elementor Page Builder | CWE-79 | 6.4 | Medium | 2025-10-03 |
| CVE-2025-58973 | WordPress Easy Elementor Addons Plugin <= 2.2.8 - Local File Inclusion Vulnerability | Easy Elementor Addons | CWE-98 | 7.5 | High | 2025-09-22 |
| CVE-2025-59561 | WordPress Smart Blocks Plugin <= 2.4 - Broken Access Control Vulnerability | Smart Blocks | CWE-862 | 4.3 | Medium | 2025-09-22 |
| CVE-2025-54712 | WordPress Easy Elementor Addons Plugin <= 2.2.7 - Broken Access Control Vulnerability | Easy Elementor Addons | CWE-862 | 4.3 | Medium | 2025-08-14 |
| CVE-2025-54704 | WordPress Easy Elementor Addons plugin <= 2.2.6 - Cross Site Scripting (XSS) Vulnerability | Easy Elementor Addons | CWE-79 | 6.5 | Medium | 2025-08-14 |
| CVE-2025-48295 | WordPress Easy Elementor Addons plugin <= 2.2.5 - Cross Site Scripting (XSS) Vulnerability | Easy Elementor Addons | CWE-79 | 6.5 | Medium | 2025-07-16 |
| CVE-2025-47468 | WordPress Hash Form plugin <= 1.2.8 - Cross Site Request Forgery (CSRF) Vulnerability | Hash Form | CWE-352 | 4.3 | Medium | 2025-05-07 |
| CVE-2025-26912 | WordPress Easy Elementor Addons plugin <= 2.1.6 - Cross Site Scripting (XSS) vulnerability | Easy Elementor Addons | CWE-79 | 6.5 | Medium | 2025-02-25 |
| CVE-2025-26761 | WordPress Easy Elementor Addons plugin <= 2.1.5 - Cross Site Scripting (XSS) vulnerability | Easy Elementor Addons | CWE-79 | 6.5 | Medium | 2025-02-16 |
| CVE-2025-22296 | WordPress Hash Elements plugin <= 1.5.0 - Cross Site Scripting (XSS) vulnerability | Hash Elements | CWE-79 | 6.5 | Medium | 2025-01-07 |
| CVE-2023-27456 | WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation | Total | CWE-862 | 4.3 | Medium | 2024-12-13 |
| CVE-2023-28990 | WordPress Viral Mag theme <= 1.0.9 - Authenticated Arbitrary Plugin Activation Vulnerability | Viral Mag | CWE-862 | 4.3 | Medium | 2024-12-13 |
| CVE-2024-12201 | Hash Form <= 1.2.1 - Missing Authorization to Authenticated (Contributor+) Form Style Creation | Hash Form – Drag & Drop Form Builder | CWE-862 | 4.3 | Medium | 2024-12-12 |
| CVE-2023-30486 | WordPress Square theme <= 2.0.0 - Broken Access Control | Square | CWE-862 | 4.3 | Medium | 2024-12-09 |
| CVE-2024-10802 | Hash Elements <= 1.4.7 - Missing Authorization to Unauthenticated Draft Post Title Exposure | Hash Elements | CWE-862 | 5.3 | Medium | 2024-11-13 |
| CVE-2024-49270 | WordPress Smart Blocks plugin <= 2.0 - Cross Site Scripting (XSS) vulnerability | Smart Blocks | CWE-79 | 6.5 | Medium | 2024-10-16 |
| CVE-2024-9417 | Hash Form - Drag & Drop Form Builder <= 1.1.9 - Unauthenticated Limited File Upload | Hash Form – Drag & Drop Form Builder | CWE-434 | 6.1 | Medium | 2024-10-05 |
| CVE-2024-5084 | Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated Arbitrary File Upload to Remote Code Execution | Hash Form – Drag & Drop Form Builder | CWE-434 | 9.8 | Critical | 2024-05-23 |
| CVE-2024-5085 | Hash Form – Drag & Drop Form Builder <= 1.1.0 - Unauthenticated PHP Object Injection | Hash Form – Drag & Drop Form Builder | CWE-502 | 8.1 | High | 2024-05-23 |
| CVE-2024-5177 | Hash Elements <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via url Parameter in Multiple Widgets | Hash Elements | CWE-79 | 6.4 | Medium | 2024-05-23 |
| CVE-2024-30426 | WordPress Hash Elements plugin <= 1.3.3 - Cross Site Scripting (XSS) vulnerability | Hash Elements | CWE-79 | 6.5 | Medium | 2024-03-29 |
| CVE-2023-33923 | Broken Access Control leading to Arbitrary Plugin Activation in multiple HashThemes themes | Viral News | CWE-862 | 4.3 | Medium | 2024-03-25 |
| CVE-2024-1771 | Total <= 2.1.59 - Missing Authorization to Authenticated (Subscriber+) Sections Update | Total | CWE-862 | 4.3 | Medium | 2024-03-06 |
| CVE-2021-39333 | Hashthemes Demo Importer <= 1.1.1 Improper Access Control Allowing Content Deletion | Hashthemes Demo Importer | CWE-284 | 8.1 | High | 2021-11-01 |

This page lists every published CVE security advisory associated with Hashthemes. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.