spicethemes — Vulnerabilities & Security Advisories (11)

Browse all 11 CVE security advisories affecting spicethemes. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Spicethemes develops WordPress themes and plugins for website building, with 11 CVEs recorded. Historically, vulnerabilities have included cross-site scripting (XSS), remote code execution (RCE), and privilege escalation, often stemming from insufficient input validation and improper access controls. Security assessments reveal inconsistent sanitization of user-supplied data and inadequate permission checks in administrative functions. While no major public incidents have been documented, the pattern of vulnerabilities suggests ongoing challenges in secure coding practices. Users should implement strict input validation and keep installations updated to mitigate risks associated with these common flaw types.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-39621 | WordPress SpicePress theme <= 2.3.2.5 - CSRF to Arbitrary Plugin Installation vulnerability — SpicePress (CWE-352) | 8.8 | High | 2026-04-08 |
| CVE-2025-12821 | NewsBlogger <= 0.2.5.6 - 0.2.6.1 - Cross-Site Request Forgery to Arbitrary Plugin Installation — NewsBlogger (CWE-352) | 8.8 | High | 2026-02-19 |
| CVE-2025-48130 | WordPress Spice Blocks plugin <= 2.0.7.4 - Arbitrary File Download vulnerability — Spice Blocks (CWE-22) | 7.5 | High | 2025-06-09 |
| CVE-2025-1304 | NewsBlogger <= 0.2.5.1 - Authenticated (Subscriber+) Arbitrary File Upload — NewsBlogger (CWE-862) | 8.8 | High | 2025-05-01 |
| CVE-2025-1305 | NewsBlogger <= 0.2.5.4 - Cross-Site Request Forgery to Arbitrary Plugin Installation — NewsBlogger (CWE-352) | 8.8 | High | 2025-05-01 |
| CVE-2025-39532 | WordPress Spice Blocks plugin <= 2.0.7.7 - Broken Access Control vulnerability — Spice Blocks (CWE-862) | 7.5 | High | 2025-04-17 |
| CVE-2025-1307 | Newscrunch <= 1.8.4 - Authenticated (Subscriber+) Arbitrary File Upload — Newscrunch (CWE-862) | 9.8 | Critical | 2025-03-04 |
| CVE-2025-1306 | Newscrunch <= 1.8.4 - Cross-Site Request Forgery to Arbitrary File Upload — Newscrunch (CWE-352) | 8.8 | High | 2025-03-04 |
| CVE-2024-8430 | Spice Starter Sites <= 1.2.5 - Missing Authorization to Unauthenticated Demo Content Import — Spice Starter Sites (CWE-862) | 5.3 | Medium | 2024-10-01 |
| CVE-2024-44003 | WordPress Spice Starter Sites plugin <= 1.2.5 - Cross Site Scripting (XSS) vulnerability — Spice Starter Sites (CWE-79) | 7.1 | High | 2024-09-17 |
| CVE-2023-5362 | Carousel, Recent Post Slider and Banner Slider <= 2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — Carousel, Recent Post Slider and Banner Slider (CWE-79) | 6.4 | Medium | 2023-10-30 |

This page lists every published CVE security advisory associated with spicethemes. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.