hasthemes — Vulnerabilities & Security Advisories 25

Browse all 25 CVE security advisories affecting hasthemes. AI-powered Chinese analysis, POCs, and references for each vulnerability.

HasThemes operates as a digital marketplace specializing in WordPress themes and plugins, catering primarily to web developers and small business owners seeking pre-built website solutions. Security audits reveal a concerning pattern of vulnerabilities, with twenty-five Common Vulnerabilities and Exposures (CVEs) currently documented. These flaws predominantly involve Cross-Site Scripting (XSS), SQL injection, and Remote Code Execution (RCE), often stemming from inadequate input validation and insufficient sanitization of user-supplied data. Additionally, several instances of broken access control and privilege escalation have been identified, allowing unauthorized users to manipulate administrative functions. While specific major public incidents remain largely confined to individual site compromises rather than widespread infrastructure breaches, the high volume of disclosed CVEs indicates systemic weaknesses in the development lifecycle. This trend highlights the critical need for rigorous security testing and code review processes within the theme development ecosystem to mitigate risks for end-users relying on these platforms.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-68533 | WordPress WC Builder plugin <= 1.2.0 - Cross Site Scripting (XSS) vulnerability | WC Builder | CWE-79 | 6.5 | Medium | 2025-12-24 |
| CVE-2025-14054 | WC Builder <= 1.2.0 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via 'heading_color' Shortcode Attribute | WC Builder – WooCommerce Page Builder for WPBakery | CWE-79 | 4.4 | Medium | 2025-12-21 |
| CVE-2025-64271 | WordPress WP Plugin Manager plugin <= 1.4.7 - Cross Site Request Forgery (CSRF) vulnerability | WP Plugin Manager | CWE-352 | 4.3 | Medium | 2025-11-13 |
| CVE-2025-2719 | Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) 1.2.8 - 1.4.0 - Missing Authorization to Authenticated (Subscriber+) Limited Options Update | Swatchly – WooCommerce Variation Swatches for Products (product attributes: Image swatch, Color swatches, Label swatches) | CWE-862 | 6.5 | Medium | 2025-04-10 |
| CVE-2025-26917 | WordPress WP Templata plugin <= 1.0.7 - Reflected Cross Site Scripting (XSS) vulnerability | WP Templata | CWE-79 | 7.1 | High | 2025-03-03 |
| CVE-2025-22801 | WordPress Free WooCommerce Theme 99fy Extension plugin <= 1.2.8 - Cross Site Scripting (XSS) vulnerability | Free WooCommerce Theme 99fy Extension | CWE-79 | 6.5 | Medium | 2025-01-09 |
| CVE-2024-51682 | WordPress HT Builder – WordPress Theme Builder for Elementor plugin <= 1.3.0 - Stored Cross Site Scripting (XSS) vulnerability | HT Builder – WordPress Theme Builder for Elementor | CWE-79 | 6.5 | Medium | 2024-11-04 |
| CVE-2024-35699 | WordPress HT Feed plugin <= 1.2.8 - Cross Site Scripting (XSS) vulnerability | HT Feed | CWE-79 | 6.5 | Medium | 2024-06-08 |
| CVE-2024-34767 | WordPress ShopLentor plugin <= 2.8.7 - Cross Site Scripting (XSS) vulnerability | ShopLentor | CWE-79 | 6.5 | Medium | 2024-06-03 |
| CVE-2023-37999 | WordPress HT Mega Absolute Addons for Elementor plugin <= 2.2.0 - Unauthenticated Privilege Escalation vulnerability | HT Mega | CWE-269 | 9.8 | Critical | 2024-05-17 |
| CVE-2024-29926 | WordPress WC Builder plugin <= 1.0.18 - Cross Site Scripting (XSS) vulnerability | WC Builder | CWE-79 | 6.5 | Medium | 2024-03-27 |
| CVE-2024-29094 | WordPress HT Easy GA4 plugin <= 1.1.7 - Cross Site Scripting (XSS) vulnerability | HT Easy GA4 ( Google Analytics 4 ) | CWE-79 | 7.1 | High | 2024-03-19 |
| CVE-2024-29102 | WordPress Extensions For CF7 plugin <= 3.0.6 - Unauthenticated Cross Site Scripting (XSS) vulnerability | Extensions For CF7 | CWE-79 | 7.1 | High | 2024-03-19 |
| CVE-2023-51529 | WordPress HT Mega Plugin <= 2.3.3 is vulnerable to Cross Site Request Forgery (CSRF) | HT Mega – Absolute Addons For Elementor | CWE-352 | 4.3 | Medium | 2024-02-29 |
| CVE-2023-50901 | WordPress HT Mega Plugin <= 2.3.8 is vulnerable to Cross Site Scripting (XSS) | HT Mega – Absolute Addons For Elementor | CWE-79 | 7.1 | High | 2023-12-29 |
| CVE-2023-51372 | WordPress HashBar – WordPress Notification Bar Plugin <= 1.4.1 is vulnerable to Cross Site Scripting (XSS) | HashBar – WordPress Notification Bar | CWE-79 | 5.9 | Medium | 2023-12-29 |
| CVE-2022-47172 | WordPress WooLentor Plugin <= 2.6.2 is vulnerable to Cross Site Request Forgery (CSRF) | ShopLentor | CWE-352 | 4.3 | Medium | 2023-07-17 |
| CVE-2023-23791 | WordPress HT Menu Plugin <= 1.2.1 is vulnerable to Cross Site Request Forgery (CSRF) | HT Menu | CWE-352 | 4.3 | Medium | 2023-07-11 |
| CVE-2023-23803 | WordPress JustTables – WooCommerce Product Table Plugin <= 1.4.9 is vulnerable to Cross Site Request Forgery (CSRF) | JustTables | CWE-352 | 4.3 | Medium | 2023-07-11 |
| CVE-2023-23792 | WordPress Swatchly – WooCommerce Variation Swatches for Products Plugin <= 1.2.0 is vulnerable to Cross Site Request Forgery (CSRF) | Swatchly | CWE-352 | 4.3 | Medium | 2023-07-11 |
| CVE-2023-23804 | WordPress HT Feed Plugin <= 1.2.7 is vulnerable to Cross Site Request Forgery (CSRF) | HT Feed | CWE-352 | 4.3 | Medium | 2023-07-10 |
| CVE-2023-23802 | WordPress HT Easy GA4 ( Google Analytics 4 ) Plugin <= 1.0.6 is vulnerable to Cross Site Request Forgery (CSRF) | HT Easy GA4 ( Google Analytics 4 ) | CWE-352 | 4.3 | Medium | 2023-06-15 |
| CVE-2023-23801 | WordPress Really Simple Google Tag Manager Plugin <= 1.0.6 is vulnerable to Cross Site Request Forgery (CSRF) | Really Simple Google Tag Manager | CWE-352 | 4.3 | Medium | 2023-04-06 |
| CVE-2022-46798 | WordPress WooLentor Plugin <= 2.5.1 is vulnerable to Cross Site Request Forgery (CSRF) | ShopLentor | CWE-352 | 5.4 | Medium | 2023-03-01 |
| CVE-2023-23899 | WordPress Extensions For CF7 Plugin <= 2.0.8 is vulnerable to Cross Site Request Forgery (CSRF) | Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) | CWE-352 | 4.3 | Medium | 2023-02-17 |

This page lists every published CVE security advisory associated with hasthemes. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.