
NooTheme — Vulnerabilities & Security Advisories (31)

Browse all 31 CVE security advisories affecting NooTheme. AI-powered Chinese analysis, POCs, and references for each vulnerability.

NooTheme develops commercial WordPress themes and the companion "core" plugins that ship with them, aimed at niche business sites: job boards (Jobmonster, Jobica, Job Listings), real-estate portals (Realty Portal, CitiLights) and storefront or brand sites (Organici, WeMusic, Yogi, Noo Timetable). The advisories recorded against this ecosystem fall into a few recurring classes. Cross-Site Scripting (CWE-79, several of them reflected) and PHP Object Injection through deserialization of untrusted data (CWE-502) together make up more than half of the entries and recur across products, including the companion plugins (Jobica Core, Visionary Core, Organici Library). The highest-rated entries, however, are not injection bugs but authentication and authorization failures: account takeover and broken authentication (CWE-288), unauthenticated privilege escalation (CWE-266, CWE-285, in one case through a registration action), and missing authorization checks that let any authenticated subscriber update arbitrary options or another user's profile (CWE-862). SQL Injection (CWE-89), Local File Inclusion (CWE-98) and unauthenticated arbitrary file deletion (CWE-22) round out the list. Fixed releases are named for a few entries (Jobmonster 4.8.4, CitiLights 3.7.2, Yogi 2.9.3), but most advisories state only a vulnerable ceiling ("<= X"), so the safe assumption is that only the current release of each product carries the fix. Jobmonster alone has critical advisories at <= 4.7.5, <= 4.7.9 and < 4.8.4, which shows the same product accumulating critical issues across successive versions. A site running any of these products should treat theme updates as security updates and verify the installed version of both the theme and its core plugin, since the two are versioned and patched separately.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-27049 | WordPress Jobica Core plugin <= 1.4.2 - Account Takeover vulnerability | Jobica Core | CWE-288 | 9.8 | Critical | 2026-03-25 |
| CVE-2026-25340 | WordPress Jobmonster theme < 4.8.4 - SQL Injection vulnerability | Jobmonster | CWE-89 | 9.3 | Critical | 2026-03-25 |
| CVE-2026-24981 | WordPress Visionary Core plugin <= 1.4.9 - PHP Object Injection vulnerability | Visionary Core | CWE-502 | 8.8 | High | 2026-03-25 |
| CVE-2026-24980 | WordPress Visionary Core plugin <= 1.4.9 - Reflected Cross Site Scripting (XSS) vulnerability | Visionary Core | CWE-79 | 7.1 | High | 2026-03-25 |
| CVE-2026-24977 | WordPress Organici Library plugin <= 2.1.2 - SQL Injection vulnerability | Organici Library | CWE-89 | 8.5 | High | 2026-03-25 |
| CVE-2026-24975 | WordPress Organici Library plugin <= 2.1.2 - Reflected Cross Site Scripting (XSS) vulnerability | Organici Library | CWE-79 | 7.1 | High | 2026-03-25 |
| CVE-2026-24978 | WordPress Jobica Core plugin <= 1.4.1 - PHP Object Injection vulnerability | Jobica Core | CWE-502 | 8.8 | High | 2026-03-25 |
| CVE-2026-24979 | WordPress Jobica Core plugin <= 1.4.1 - Reflected Cross Site Scripting (XSS) vulnerability | Jobica Core | CWE-79 | 7.1 | High | 2026-03-25 |
| CVE-2026-24976 | WordPress Organici Library plugin <= 2.1.2 - PHP Object Injection vulnerability | Organici Library | CWE-502 | 8.8 | High | 2026-03-25 |
| CVE-2026-24973 | WordPress CitiLights theme <= 3.7.1 - Reflected Cross Site Scripting (XSS) vulnerability | CitiLights | CWE-79 | 7.1 | High | 2026-03-25 |
| CVE-2026-24974 | WordPress CitiLights theme <= 3.7.1 - PHP Object Injection vulnerability | CitiLights | CWE-502 | 8.8 | High | 2026-03-25 |
| CVE-2026-25367 | WordPress CitiLights theme < 3.7.2 - Broken Access Control vulnerability | CitiLights | CWE-862 | 5.3 | Medium | 2026-02-19 |
| CVE-2025-67524 | WordPress Jobmonster Elementor Addon plugin <= 1.1.4 - Local File Inclusion vulnerability | Jobmonster Elementor Addon | CWE-98 | 7.5 | High | 2025-12-09 |
| CVE-2025-67522 | WordPress Jobmonster theme <= 4.8.2 - Local File Inclusion vulnerability | Jobmonster | CWE-98 | 7.5 | High | 2025-12-09 |
| CVE-2025-11985 | Realty Portal <= 0.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Options Update | Realty Portal | CWE-862 | 8.8 | High | 2025-11-21 |
| CVE-2025-54737 | WordPress Jobmonster theme <= 4.7.8 - Cross Site Scripting (XSS) vulnerability | Jobmonster | CWE-79 | 7.1 | High | 2025-11-06 |
| CVE-2025-54719 | WordPress Yogi - Health Beauty & Yoga Theme <= 2.9.2 - Deserialization of untrusted data Vulnerability | Yogi - Health Beauty & Yoga | CWE-502 | 8.8 | High | 2025-11-06 |
| CVE-2025-54718 | WordPress Yogi - Health Beauty & Yoga theme <= 2.9.2 - Cross Site Scripting (XSS) vulnerability | Yogi - Health Beauty & Yoga | CWE-79 | 7.1 | High | 2025-11-06 |
| CVE-2025-53586 | WordPress WeMusic Theme <= 1.9.1 - PHP Object Injection Vulnerability | WeMusic | CWE-502 | 8.8 | High | 2025-11-06 |
| CVE-2025-53585 | WordPress WeMusic theme <= 1.9.1 - Cross Site Scripting (XSS) vulnerability | WeMusic | CWE-79 | 7.1 | High | 2025-11-06 |
| CVE-2025-54738 | WordPress Jobmonster Theme <= 4.7.9 - Broken Authentication Vulnerability | Jobmonster | CWE-288 | 9.8 | Critical | 2025-08-28 |
| CVE-2025-57888 | WordPress Jobmonster Theme <= 4.8.0 - Sensitive Data Exposure Vulnerability | Jobmonster | CWE-497 | 5.3 | Medium | 2025-08-22 |
| CVE-2025-57887 | WordPress Jobmonster Theme <= 4.8.0 - Cross Site Scripting (XSS) Vulnerability | Jobmonster | CWE-79 | 6.5 | Medium | 2025-08-22 |
| CVE-2025-53201 | WordPress Jobmonster theme <= 4.7.8 - Cross Site Scripting (XSS) vulnerability | Jobmonster | CWE-79 | 7.1 | High | 2025-08-20 |
| CVE-2025-6190 | Realty Portal – Agent <= 0.3.9 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via rp_user_profile() Function | Realty Portal – Agent | CWE-862 | 8.8 | High | 2025-07-23 |
| CVE-2025-24779 | WordPress Yogi theme < 2.9.3 - PHP Object Injection Vulnerability | Yogi | CWE-502 | 8.8 | High | 2025-07-16 |
| CVE-2025-3918 | Job Listings 0.1 - 0.1.1 - Unauthenticated Privilege Escalation via register_action Function | Job Listings | CWE-285 | 9.8 | Critical | 2025-05-03 |
| CVE-2024-37928 | WordPress Jobmonster theme <= 4.7.0 - Unauthenticated Arbitrary File Deletion vulnerability | Jobmonster | CWE-22 | 8.6 | High | 2024-07-12 |
| CVE-2024-37927 | WordPress Jobmonster theme <= 4.7.5 - Unauthenticated Privilege Escalation vulnerability | Jobmonster | CWE-266 | 9.8 | Critical | 2024-07-12 |
| CVE-2022-45821 | WordPress NOO Timetable Plugin <= 2.1.3 is vulnerable to Cross Site Scripting (XSS) | Noo Timetable | CWE-79 | 6.5 | Medium | 2023-08-08 |
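The version operators in the titles decide whether a given install is exposed: "<= X" marks X itself as vulnerable and leaves the fixed release unstated, "< X" names X as the first fixed release, and "A - B" is an inclusive range. The matcher below is an added example for this page, not code from the advisory site or from NooTheme. It carries a subset of the rows above, checks them against a constructed inventory of installed product versions, and compares versions numerically so that 4.8.10 is treated as newer than 4.8.4 (a plain string comparison would wrongly flag it as vulnerable to the < 4.8.4 SQL Injection entry).

```python
"""Match NooTheme advisories against an installed-product inventory.

Added example for this listing page; not code from the advisory site or
from NooTheme. The advisory rows are a subset copied from the table above;
the installed-version inventory is constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    constraint: str  # "<= X", "< X" or "A - B", as written in the advisory title
    cwe: str
    cvss: float


# Subset of rows copied from the table on this page.
ADVISORIES = [
    Advisory("CVE-2026-27049", "Jobica Core", "<= 1.4.2", "CWE-288", 9.8),
    Advisory("CVE-2026-25340", "Jobmonster", "< 4.8.4", "CWE-89", 9.3),
    Advisory("CVE-2026-24978", "Jobica Core", "<= 1.4.1", "CWE-502", 8.8),
    Advisory("CVE-2026-25367", "CitiLights", "< 3.7.2", "CWE-862", 5.3),
    Advisory("CVE-2026-24974", "CitiLights", "<= 3.7.1", "CWE-502", 8.8),
    Advisory("CVE-2025-67522", "Jobmonster", "<= 4.8.2", "CWE-98", 7.5),
    Advisory("CVE-2025-54738", "Jobmonster", "<= 4.7.9", "CWE-288", 9.8),
    Advisory("CVE-2025-3918", "Job Listings", "0.1 - 0.1.1", "CWE-285", 9.8),
    Advisory("CVE-2024-37927", "Jobmonster", "<= 4.7.5", "CWE-266", 9.8),
    Advisory("CVE-2022-45821", "Noo Timetable", "<= 2.1.3", "CWE-79", 6.5),
]

_BOUND = re.compile(r"^(<=|<)\s*([\d.]+)$")
_RANGE = re.compile(r"^([\d.]+)\s*-\s*([\d.]+)$")


def version_tuple(v: str) -> tuple[int, ...]:
    """Turn '4.8.10' into (4, 8, 10) so numeric comparison works.

    Trailing zeros are dropped so that '4.8' and '4.8.0' compare equal.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError(f"no numeric components in version {v!r}")
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def is_affected(installed: str, constraint: str) -> bool:
    """True if `installed` falls inside the advisory's affected range."""
    v = version_tuple(installed)
    m = _BOUND.match(constraint.strip())
    if m:
        op, bound = m.group(1), version_tuple(m.group(2))
        return v <= bound if op == "<=" else v < bound
    m = _RANGE.match(constraint.strip())
    if m:
        return version_tuple(m.group(1)) <= v <= version_tuple(m.group(2))
    raise ValueError(f"unsupported constraint: {constraint!r}")


def triage(inventory: dict[str, str]) -> list[dict]:
    """Return the applicable advisories, highest CVSS first, with a fix hint.

    Only a '< X' constraint tells us the fixed release; for '<= X' and
    ranges the advisory leaves it unstated, so the hint says so.
    """
    hits = []
    for adv in ADVISORIES:
        installed = inventory.get(adv.product)
        if installed is None or not is_affected(installed, adv.constraint):
            continue
        m = _BOUND.match(adv.constraint)
        if m and m.group(1) == "<":
            fix = f"update to {m.group(2)} or later"
        else:
            fix = "fixed version not stated in the advisory; update to the latest release"
        hits.append({"cve": adv.cve, "product": adv.product, "installed": installed,
                     "cwe": adv.cwe, "cvss": adv.cvss, "fix": fix})
    hits.sort(key=lambda h: h["cvss"], reverse=True)
    return hits


# Constructed inventory for illustration; these are not versions the page reports.
SAMPLE_INVENTORY = {
    "Jobmonster": "4.8.10",  # newer than 4.8.4 numerically, older as a string
    "Jobica Core": "1.4.2",  # equals the '<= 1.4.2' ceiling, so still affected
    "CitiLights": "3.7.2",   # the named fixed release, so not affected
    "Job Listings": "0.1.1",  # upper end of the inclusive '0.1 - 0.1.1' range
}

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        print(f"{h['cvss']:>4}  {h['cve']:<15} {h['product']} {h['installed']} "
              f"[{h['cwe']}] -> {h['fix']}")
```

Running the block with the sample inventory reports only Jobica Core 1.4.2 (CVE-2026-27049) and Job Listings 0.1.1 (CVE-2025-3918); Jobmonster 4.8.10 and CitiLights 3.7.2 are clear. To use it on a real site, replace the inventory with the versions read from each theme's style.css and each plugin's main file header, and extend ADVISORIES with the remaining rows from the table.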

This page lists every published CVE security advisory associated with NooTheme. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.