
ThemeIsle — Vulnerabilities & Security Advisories (86)

Browse all 86 CVE security advisories affecting ThemeIsle. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ThemeIsle develops WordPress plugins and themes, free and premium, for site optimization, SEO, and design. Its large portfolio has accumulated a significant number of published vulnerabilities, currently 86 recorded CVEs. The flaws in the listing below are predominantly cross-site scripting (CWE-79), SQL injection (CWE-89), server-side request forgery (CWE-918), missing authorization (CWE-862) and cross-site request forgery (CWE-352), and most of them trace back to insufficient input validation or weak access controls (missing capability and nonce checks) in plugin code. The most severe entries are reachable without authentication: a remote code execution flaw in Woody ad snippets (CVE-2026-25366, CVSS 9.9), an arbitrary file upload in PPOM for WooCommerce (CVE-2025-11391, CVSS 9.8), and a cluster of PHP object injection, arbitrary file deletion and arbitrary file copy issues in Redirection for Contact Form 7. Several products (Orbit Fox, PPOM, Redirection for Contact Form 7, Visualizer, Feedzy) appear repeatedly, so an operator running any of them should treat plugin updates as routine and check the affected-version bound of each advisory against the installed version rather than assuming the newest entry covers the older ones.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-2892 | Otter Blocks <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie | Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | CWE-285 | 7.5 | High | 2026-04-30 |
| CVE-2026-25366 | WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability | Woody ad snippets | CWE-94 | 9.9 | Critical | 2026-03-25 |
| CVE-2026-2410 | Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update | Disable Admin Notices – Hide Dashboard Notifications | CWE-352 | 4.3 | Medium | 2026-02-25 |
| CVE-2026-1319 | Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field | Robin Image Optimizer – Unlimited Image Optimization & WebP Converter | CWE-79 | 6.4 | Medium | 2026-02-05 |
| CVE-2026-1755 | Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting | Menu Icons by ThemeIsle | CWE-79 | 6.4 | Medium | 2026-02-03 |
| CVE-2025-14800 | Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload | Redirection for Contact Form 7 | CWE-434 | 8.1 | High | 2025-12-21 |
| CVE-2025-13794 | Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification | Auto Featured Image (Auto Post Thumbnail) | CWE-862 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-11467 | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.1 - Unauthenticated Blind Server-Side Request Forgery | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | CWE-918 | 5.8 | Medium | 2025-12-11 |
| CVE-2025-12483 | Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL Injection | Visualizer: Tables and Charts Manager for WordPress | CWE-89 | 6.5 | Medium | 2025-12-02 |
| CVE-2025-66069 | WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability | PPOM for WooCommerce | CWE-862 | 4.3 | Medium | 2025-11-21 |
| CVE-2025-12045 | Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | CWE-79 | 6.4 | Medium | 2025-11-04 |
| CVE-2025-9322 | Stripe Payment Forms <= 8.3.1 - Unauthenticated SQL Injection | Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions | CWE-89 | 7.5 | High | 2025-10-25 |
| CVE-2025-11128 | Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | CWE-918 | 5.0 | Medium | 2025-10-23 |
| CVE-2025-11691 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection | PPOM – Product Addons & Custom Fields for WooCommerce | CWE-89 | 7.5 | High | 2025-10-18 |
| CVE-2025-11391 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload | PPOM – Product Addons & Custom Fields for WooCommerce | CWE-434 | 9.8 | Critical | 2025-10-18 |
| CVE-2025-9562 | Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode | Redirection for Contact Form 7 | CWE-79 | 6.4 | Medium | 2025-10-18 |
| CVE-2025-58789 | WordPress WP Full Stripe Free Plugin <= 8.2.5 - SQL Injection Vulnerability | WP Full Stripe Free | CWE-89 | 7.6 | High | 2025-09-05 |
| CVE-2025-58593 | WordPress Orbit Fox by ThemeIsle Plugin <= 3.0.0 - Cross Site Scripting (XSS) Vulnerability | Orbit Fox by ThemeIsle | CWE-79 | 6.5 | Medium | 2025-09-03 |
| CVE-2025-55715 | WordPress Otter - Gutenberg Block Plugin <= 3.1.0 - Sensitive Data Exposure Vulnerability | Otter - Gutenberg Block | CWE-201 | 7.5 | High | 2025-08-20 |
| CVE-2025-8141 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated Arbitrary File Deletion | Redirection for Contact Form 7 | CWE-22 | 8.8 | High | 2025-08-20 |
| CVE-2025-8289 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection via PHAR Deserialization | Redirection for Contact Form 7 | CWE-502 | 7.5 | High | 2025-08-20 |
| CVE-2025-8145 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection | Redirection for Contact Form 7 | CWE-502 | 8.8 | High | 2025-08-20 |
| CVE-2025-53986 | WordPress Hestia theme <= 3.2.10 - Broken Access Control Vulnerability | Hestia | CWE-862 | 5.3 | Medium | 2025-07-16 |
| CVE-2025-53254 | WordPress Cyrlitera plugin <= 1.3.0 - Cross Site Request Forgery (CSRF) vulnerability | Cyrlitera | CWE-352 | 4.3 | Medium | 2025-06-27 |
| CVE-2025-22659 | WordPress Orbit Fox by ThemeIsle plugin <= 2.10.44 - Cross Site Scripting (XSS) vulnerability | Orbit Fox by ThemeIsle | CWE-79 | 6.5 | Medium | 2025-03-27 |
| CVE-2025-1065 | Visualizer: Tables and Charts Manager for WordPress <= 3.11.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Import Data From File | Visualizer: Tables and Charts Manager for WordPress | CWE-79 | 6.4 | Medium | 2025-02-19 |
| CVE-2024-10705 | Multiple Page Generator Plugin – MPG <= 4.0.5 - Authenticated (Editor+) Server-Side Request Forgery via fileUrl | Multiple Page Generator Plugin – MPG | CWE-918 | 5.4 | Medium | 2025-01-26 |
| CVE-2025-24666 | WordPress Hyve Lite plugin <= 1.2.2 - Cross Site Scripting (XSS) vulnerability | AI Chatbot for WordPress – Hyve Lite | CWE-79 | 5.9 | Medium | 2025-01-24 |
| CVE-2025-24668 | WordPress PPOM for WooCommerce plugin <= 33.0.8 - Cross Site Scripting (XSS) vulnerability | PPOM for WooCommerce | CWE-79 | 5.9 | Medium | 2025-01-24 |
| CVE-2024-13183 | Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | CWE-79 | 6.4 | Medium | 2025-01-10 |
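The practical use of a listing like this is to check which advisories actually apply to the plugin versions a site runs, ordering the hits by exposure (unauthenticated first, then CVSS) rather than by publication date. The script below is an added example for that triage step; it is not code from ThemeIsle or from this advisory site. The advisory rows are transcribed from the table above; the INSTALLED map is a constructed example of what an operator would take from the site's plugin inventory, and the assumption that each key is a lowercase substring of the advisory title is a convention of this example, not of the advisory format.

```python
"""Match advisory rows against installed plugin versions (added example)."""
import re
from dataclasses import dataclass

# Rows transcribed from the advisory table on this page, in a simple
# pipe-separated form: CVE | Title | CWE | CVSS | Severity.
ADVISORIES = [
    "CVE-2026-25366 | WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability | CWE-94 | 9.9 | Critical",
    "CVE-2025-11391 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload | CWE-434 | 9.8 | Critical",
    "CVE-2025-11691 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection | CWE-89 | 7.5 | High",
    "CVE-2025-66069 | WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability | CWE-862 | 4.3 | Medium",
    "CVE-2025-8145 | Redirection for Contact Form 7 <= 3.2.4 - Unauthenticated PHP Object Injection | CWE-502 | 8.8 | High",
    "CVE-2025-14800 | Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload | CWE-434 | 8.1 | High",
    "CVE-2025-9562 | Redirection for Contact Form 7 <= 3.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via qs_date Shortcode | CWE-79 | 6.4 | Medium",
    "CVE-2024-13183 | Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter | CWE-79 | 6.4 | Medium",
]

# Constructed inventory (assumption: keys are lowercase substrings of the
# advisory title; values are the versions installed on the site).
INSTALLED = {
    "ppom": "33.0.15",
    "redirection for contact form 7": "3.2.5",
    "orbit fox": "2.9.5",
}

ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d+)\s*\|\s*(.+?)\s*\|\s*(CWE-\d+)\s*\|\s*([\d.]+)\s*\|\s*(\w+)$"
)
# Advisory titles carry the affected range as "<= X.Y.Z" (highest vulnerable version).
VER_RE = re.compile(r"<=\s*(\d+(?:\.\d+)*)")


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    cwe: str
    cvss: float
    severity: str
    max_affected: tuple   # highest vulnerable version, as an int tuple
    unauthenticated: bool  # reachable without a WordPress login


def parse_version(text):
    """'2.10.43' -> (2, 10, 43); numeric so 2.9 < 2.10 compares correctly."""
    return tuple(int(part) for part in text.split("."))


def version_le(installed, maximum):
    """installed <= maximum, padding with zeros so 3.2 equals 3.2.0."""
    width = max(len(installed), len(maximum))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) <= pad(maximum)


def parse_row(line):
    match = ROW_RE.match(line)
    if not match:
        raise ValueError(f"unparseable advisory row: {line!r}")
    cve, title, cwe, cvss, severity = match.groups()
    bound = VER_RE.search(title)
    if not bound:
        raise ValueError(f"no '<= version' bound in title: {title!r}")
    return Advisory(
        cve, title, cwe, float(cvss), severity,
        parse_version(bound.group(1)),
        "unauthenticated" in title.lower(),
    )


def applicable(advisories, installed):
    """Advisories whose affected range covers an installed version,
    ordered unauthenticated-first, then by CVSS descending."""
    hits = []
    for adv in advisories:
        title = adv.title.lower()
        for key, version in installed.items():
            if key in title and version_le(parse_version(version), adv.max_affected):
                hits.append(adv)
                break
    return sorted(hits, key=lambda a: (a.unauthenticated, a.cvss), reverse=True)


if __name__ == "__main__":
    for adv in applicable([parse_row(r) for r in ADVISORIES], INSTALLED):
        auth = "UNAUTH" if adv.unauthenticated else "auth  "
        print(f"{adv.cve:<15} {auth} {adv.cvss:>4} {adv.severity:<8} {adv.title}")
```

With the constructed inventory, Redirection for Contact Form 7 at 3.2.5 is already past the 3.2.4 bound of CVE-2025-8145 but still inside the 3.2.6 and 3.2.7 bounds of the later advisories, and Orbit Fox 2.9.5 is caught by the 2.10.43 bound only because versions are compared numerically; a plain string comparison would wrongly call it patched.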

This page lists the published CVE security advisories associated with ThemeIsle; the table above shows the 30 most recent of the 86 recorded entries. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.