
themefic — Vulnerabilities & Security Advisories (36)

Browse all 36 CVE security advisories affecting themefic. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Themefic operates as a provider of WordPress themes and plugins, primarily targeting small to medium-sized businesses seeking pre-designed web templates. Security audits reveal a concerning pattern of thirty-six recorded Common Vulnerabilities and Exposures (CVEs), indicating systemic weaknesses in code quality and input validation. Historically, the platform has been susceptible to critical vulnerability classes, including Remote Code Execution (RCE), Cross-Site Scripting (XSS), and SQL Injection. These flaws often stem from insufficient sanitization of user inputs and improper handling of file uploads, allowing attackers to execute arbitrary commands or steal session data. Additionally, instances of privilege escalation have been documented, enabling unauthorized users to gain administrative access. While specific major incidents involving widespread data breaches are not prominently detailed in public records, the high volume of CVEs suggests a persistent need for rigorous security patching and code review processes to mitigate ongoing risks for dependent websites.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39571 | WordPress Instantio plugin <= 3.3.30 - Sensitive Data Exposure vulnerability | Instantio | CWE-497 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39543 | WordPress Tourfic plugin <= 2.21.4 - Broken Access Control vulnerability | Tourfic | CWE-862 | 5.3 | Medium | 2026-04-08 |
| CVE-2026-39541 | WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) vulnerability | Hydra Booking | CWE-79 | 5.9 | Medium | 2026-04-08 |
| CVE-2026-32460 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.36 - Cross Site Scripting (XSS) vulnerability | Ultimate Addons for Contact Form 7 | CWE-79 | 6.5 | Medium | 2026-03-13 |
| CVE-2026-24940 | WordPress Travelfic Toolkit plugin <= 1.3.3 - Broken Access Control vulnerability | Travelfic Toolkit | CWE-862 | 4.3 | Medium | 2026-02-03 |
| CVE-2026-24945 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability | Ultimate Addons for Contact Form 7 | CWE-862 | 5.3 | Medium | 2026-02-03 |
| CVE-2025-68027 | WordPress Hydra Booking plugin <= 1.1.32 - Privilege Escalation vulnerability | Hydra Booking | CWE-266 | 7.3 | High | 2026-01-22 |
| CVE-2025-68055 | WordPress Hydra Booking plugin <= 1.1.32 - SQL Injection vulnerability | Hydra Booking | CWE-89 | 8.5 | High | 2025-12-16 |
| CVE-2025-14356 | Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF | Ultra Addons for Contact Form 7 | CWE-639 | 4.3 | Medium | 2025-12-12 |
| CVE-2025-12788 | Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass | Hydra Booking — Appointment Scheduling & Booking Calendar | CWE-602 | 5.3 | Medium | 2025-11-11 |
| CVE-2025-12787 | Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation | Hydra Booking — Appointment Scheduling & Booking Calendar | CWE-330 | 5.3 | Medium | 2025-11-11 |
| CVE-2025-49377 | WordPress Hydra Booking plugin <= 1.1.9 - Broken Access Control vulnerability | Hydra Booking | CWE-862 | 6.3 | Medium | 2025-10-22 |
| CVE-2025-49378 | WordPress Hydra Booking plugin <= 1.1.10 - SQL Injection vulnerability | Hydra Booking | CWE-89 | 8.5 | High | 2025-10-22 |
| CVE-2024-8860 | Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions | Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin | CWE-862 | 4.3 | Medium | 2025-08-26 |
| CVE-2025-7689 | Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function | Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings | CWE-862 | 8.8 | High | 2025-07-29 |
| CVE-2025-6756 | Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode | Ultra Addons for Contact Form 7 | CWE-79 | 6.4 | Medium | 2025-07-01 |
| CVE-2025-6212 | Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module | Ultra Addons for Contact Form 7 | CWE-79 | 7.2 | High | 2025-06-26 |
| CVE-2025-6220 | Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options' | Ultra Addons for Contact Form 7 | CWE-434 | 7.2 | High | 2025-06-18 |
| CVE-2025-49323 | WordPress Hydra Booking plugin <= 1.1.10 - SQL Injection Vulnerability | Hydra Booking | CWE-89 | 8.5 | High | 2025-06-06 |
| CVE-2025-47550 | WordPress Instantio plugin <= 3.3.16 - Arbitrary File Upload Vulnerability | Instantio | CWE-434 | 6.6 | Medium | 2025-05-07 |
| CVE-2025-47549 | WordPress BEAF plugin <= 4.6.10 - Arbitrary File Upload Vulnerability | BEAF | CWE-434 | 9.1 | Critical | 2025-05-07 |
| CVE-2025-24581 | WordPress Instantio plugin <= 3.3.7 - Settings Change vulnerability | Instantio | CWE-862 | 6.5 | Medium | 2025-04-17 |
| CVE-2025-39585 | WordPress Travelfic Toolkit plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability | Travelfic Toolkit | CWE-79 | 6.5 | Medium | 2025-04-16 |
| CVE-2025-24650 | WordPress Tourfic plugin <= 2.15.3 - Arbitrary File Upload vulnerability | Tourfic | CWE-434 | 9.1 | Critical | 2025-01-24 |
| CVE-2023-47693 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.2.6 - Broken Access Control vulnerability | Ultimate Addons for Contact Form 7 | CWE-862 | 7.5 | High | 2025-01-02 |
| CVE-2024-12032 | Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin \| WooCommerce Booking <= 2.15.3 - Authenticated (Subscriber+) SQL Injection | Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin | CWE-89 | 6.5 | Medium | 2024-12-25 |
| CVE-2024-8319 | Tourfic <= 2.11.20 - Cross-Site Request Forgery in Multiple Functions | Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin | CWE-352 | 4.3 | Medium | 2024-08-30 |
| CVE-2024-32433 | WordPress BEAF plugin <= 4.5.4 - Cross Site Request Forgery (CSRF) vulnerability | BEAF | CWE-352 | 4.3 | Medium | 2024-04-15 |
| CVE-2024-29134 | WordPress Tourfic plugin <= 2.11.8 - Cross Site Scripting (XSS) vulnerability | Tourfic | CWE-79 | 6.5 | Medium | 2024-03-19 |
| CVE-2024-29135 | WordPress Tourfic plugin <= 2.11.15 - Arbitrary File Upload vulnerability | Tourfic | CWE-434 | 9.9 | Critical | 2024-03-19 |

This page lists every published CVE security advisory associated with themefic. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.