themehunk — Vulnerabilities & Security Advisories (31)

Browse all 31 CVE security advisories affecting themehunk. AI-powered Chinese analysis, POCs, and references for each vulnerability.

ThemeHunk is a commercial provider of WordPress themes and plugins, aimed mainly at small and medium businesses that want pre-designed templates. Thirty-one CVEs are currently recorded against its products, published between March 2024 and March 2026. The largest class is missing authorization / broken access control (CWE-862 and CWE-284): AJAX and settings handlers that do not verify the caller's capability, so unauthenticated or low-privileged (Subscriber+) users can change plugin settings, reset them, update options, or install and activate arbitrary plugins. All three Critical entries (Hunk Companion, Zita Site Builder and Vayu Blocks, CVSS 9.1 to 9.8) are of this last kind; being able to install a plugin of the attacker's choosing is effectively full site takeover. The second-largest class is Cross-Site Scripting (CWE-79), both stored and reflected, in form builders, block editors and menu plugins, caused by missing input sanitization and output escaping. The remainder are Cross-Site Request Forgery on settings endpoints (CWE-352), arbitrary shortcode execution through unauthenticated or Subscriber-level AJAX actions (CWE-94), a Local File Inclusion in the Zita theme (CWE-98), sensitive data exposure (CWE-497) and an insecure direct object reference in Wishlist for WooCommerce (CWE-639). The recurring root cause is the same across products: privileged actions exposed without capability checks or nonce verification, and user-controlled values rendered without escaping. That pattern points to a gap in the development lifecycle rather than isolated mistakes, and argues for capability and nonce checks on every state-changing handler and a code review of all AJAX and REST endpoints before release.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32532 | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Cross Site Scripting (XSS) vulnerability | Contact Form & Lead Form Elementor Builder | CWE-79 | 7.1 | High | 2026-03-25 |
| CVE-2026-25438 | WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Reflected Cross Site Scripting (XSS) vulnerability | Gutenberg Blocks | CWE-79 | 7.1 | High | 2026-03-19 |
| CVE-2026-1454 | Responsive Contact Form Builder & Lead Generation Plugin <= 2.0.1 - Unauthenticated Stored Cross-Site Scripting | Lead Form Builder & Contact Form | CWE-79 | 7.2 | High | 2026-03-11 |
| CVE-2025-68046 | WordPress Contact Form & Lead Form Elementor Builder plugin <= 2.0.1 - Sensitive Data Exposure vulnerability | Contact Form & Lead Form Elementor Builder | CWE-497 | 6.5 | Medium | 2026-01-22 |
| CVE-2025-69344 | WordPress Oneline Lite theme <= 6.6 - Broken Access Control vulnerability | Oneline Lite | CWE-862 | 4.3 | Medium | 2026-01-07 |
| CVE-2025-12040 | Wishlist for WooCommerce <= 1.1.3 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation | Wishlist for WooCommerce | CWE-639 | 6.5 | Medium | 2025-11-25 |
| CVE-2025-62902 | WordPress WP Popup Builder plugin <= 1.3.8 - Sensitive Data Exposure vulnerability | WP Popup Builder | CWE-497 | 5.3 | Medium | 2025-10-27 |
| CVE-2025-9378 | Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes | Vayu Blocks – Website Builder for the Block Editor | CWE-79 | 6.4 | Medium | 2025-09-03 |
| CVE-2025-52816 | WordPress Zita theme <= 1.6.5 - Local File Inclusion Vulnerability | Zita | CWE-98 | 8.1 | High | 2025-06-27 |
| CVE-2025-30990 | WordPress ThemeHunk plugin <= 1.2.0 - Broken Access Control vulnerability | ThemeHunk | CWE-862 | 4.3 | Medium | 2025-06-06 |
| CVE-2025-4420 | Vayu Blocks <= 1.3.1 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting via containerWidth Parameter | Vayu Blocks – Website Builder for the Block Editor | CWE-79 | 6.4 | Medium | 2025-06-03 |
| CVE-2025-2568 | Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce 1.0.4 - 1.2.1 - Missing Authorization to Unauthenticated Limited Arbitrary Options Update | Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce | CWE-862 | 5.3 | Medium | 2025-04-08 |
| CVE-2025-22644 | WordPress Vayu Blocks – Gutenberg Blocks plugin <= 1.4.7 - Cross Site Scripting (XSS) vulnerability | Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce | CWE-79 | 6.5 | Medium | 2025-03-27 |
| CVE-2025-30881 | WordPress Big Store theme <= 2.0.8 - Broken Access Control vulnerability | Big Store | CWE-862 | 4.3 | Medium | 2025-03-27 |
| CVE-2024-13511 | Variation Swatches for WooCommerce 1.0.8 - 1.3.2 - Cross-Site Request Forgery to Plugin Settings Reset | Variation Swatches for WooCommerce | CWE-352 | 4.3 | Medium | 2025-01-23 |
| CVE-2024-54369 | WordPress Zita Site Builder plugin <= 1.0.2 - Arbitrary Plugin Installation and Activation vulnerability | Zita Site Builder | CWE-862 | 9.1 | Critical | 2024-12-16 |
| CVE-2024-10124 | Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce <= 1.1.1 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation | Vayu Blocks – Website Builder for the Block Editor | CWE-284 | 9.8 | Critical | 2024-12-12 |
| CVE-2023-28688 | WordPress TH Variation Swatches plugin <= 1.2.7 - Cross-Site Request Forgery (CSRF) vulnerability | TH Variation Swatches | CWE-352 | 5.4 | Medium | 2024-12-09 |
| CVE-2024-10674 | Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation | Th Shop Mania | CWE-862 | 8.8 | High | 2024-11-09 |
| CVE-2024-10673 | Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation | Top Store | CWE-862 | 8.8 | High | 2024-11-09 |
| CVE-2024-9061 | WP Popup Builder – Popup Forms and Marketing Lead Generation <= 1.3.5 - Unauthenticated Arbitrary Shortcode Execution via wp_ajax_nopriv_shortcode_Api_Add | WP Popup Builder – Popup Forms and Marketing Lead Generation | CWE-94 | 7.3 | High | 2024-10-16 |
| CVE-2024-9707 | Hunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation | Hunk Companion | CWE-862 | 9.8 | Critical | 2024-10-11 |
| CVE-2024-8433 | Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.1.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting | Easy Mega Menu for WordPress – ThemeHunk | CWE-79 | 6.4 | Medium | 2024-10-08 |
| CVE-2024-8434 | Easy Mega Menu Plugin for WordPress – ThemeHunk <= 1.0.9 - Missing Authorization to Authenticated (Subscriber+) Settings Updates | Easy Mega Menu for WordPress – ThemeHunk | CWE-862 | 4.3 | Medium | 2024-09-25 |
| CVE-2024-44049 | WordPress Gutenberg Blocks – Unlimited blocks For Gutenberg plugin <= 1.2.8 - Authenticated Cross Site Scripting (XSS) vulnerability | Gutenberg Blocks | CWE-79 | 6.5 | Medium | 2024-09-17 |
| CVE-2024-4261 | Responsive Contact Form Builder & Lead Generation Plugin <= 1.9.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution | Lead Form Builder & Contact Form | CWE-94 | 5.4 | Medium | 2024-05-22 |
| CVE-2022-40218 | WordPress TH Advance Product Search plugin <= 1.1.4 - Unauthenticated Plugin Settings Change vulnerability | Advance WordPress Search Plugin | CWE-862 | 6.5 | Medium | 2024-05-08 |
| CVE-2024-1415 | Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Cross-Site Request Forgery | Lead Form Builder & Contact Form | CWE-352 | 4.3 | Medium | 2024-05-02 |
| CVE-2024-1416 | Responsive Contact Form Builder & Lead Generation Plugin <= 1.8.9 - Missing Authorization | Lead Form Builder & Contact Form | CWE-352 | 4.3 | Medium | 2024-05-02 |
| CVE-2022-38057 | WordPress TH Advance Product Search plugin <= 1.2.1 - Unauthenticated Plugin Settings Reset vulnerability | Advance WordPress Search Plugin | CWE-862 | 6.5 | Medium | 2024-03-25 |
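The affected-version expressions in the titles above come in two forms: a ceiling ("<= 2.0.1") and a closed range ("1.0.4 - 1.2.1"). The script below is an added triage check, not code from this page or from ThemeHunk. It transcribes the advisories for a handful of products from the table, parses both range forms, and reports which entries cover the versions in an installed-software inventory. The inventory values are constructed for the example; the product keys are the names used in the table, with the two names the page uses for Vayu Blocks collapsed under one key on the assumption that they refer to the same plugin. The page states only ceilings, not fixed versions, so anything above a ceiling is reported as not affected; confirm that against the vendor changelog before closing a finding.

```python
import re

# Advisories transcribed from the table on this page:
# (CVE, product key, affected range exactly as the advisory title states it).
# "Vayu Blocks" merges the two product names the page uses for that plugin
# (assumption: same plugin under a renamed listing).
ADVISORIES = [
    ("CVE-2026-32532", "Contact Form & Lead Form Elementor Builder", "<= 2.0.1"),
    ("CVE-2025-68046", "Contact Form & Lead Form Elementor Builder", "<= 2.0.1"),
    ("CVE-2026-1454", "Lead Form Builder & Contact Form", "<= 2.0.1"),
    ("CVE-2024-4261", "Lead Form Builder & Contact Form", "<= 1.9.1"),
    ("CVE-2024-1415", "Lead Form Builder & Contact Form", "<= 1.8.9"),
    ("CVE-2024-1416", "Lead Form Builder & Contact Form", "<= 1.8.9"),
    ("CVE-2025-2568", "Vayu Blocks", "1.0.4 - 1.2.1"),
    ("CVE-2024-10124", "Vayu Blocks", "<= 1.1.1"),
    ("CVE-2025-4420", "Vayu Blocks", "<= 1.3.1"),
    ("CVE-2025-9378", "Vayu Blocks", "<= 1.3.9"),
    ("CVE-2025-22644", "Vayu Blocks", "<= 1.4.7"),
    ("CVE-2024-9707", "Hunk Companion", "<= 1.8.4"),
    ("CVE-2024-13511", "Variation Swatches for WooCommerce", "1.0.8 - 1.3.2"),
    ("CVE-2025-52816", "Zita", "<= 1.6.5"),
    ("CVE-2024-54369", "Zita Site Builder", "<= 1.0.2"),
]

# Constructed sample inventory (product -> installed version); not real data.
SAMPLE_INVENTORY = {
    "Vayu Blocks": "1.2.0",
    "Hunk Companion": "1.8.5",
    "Lead Form Builder & Contact Form": "1.9.1",
    "Zita": "1.7",
    "Variation Swatches for WooCommerce": "1.3.3",
}

_VERSION = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text):
    """'1.6.5' -> (1, 6, 5). Trailing zeros are dropped so '1.0' == '1.0.0';
    a non-numeric suffix such as '-beta' is ignored."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_range(text):
    """'<= 2.0.1' -> (None, (2, 0, 1)); '1.0.4 - 1.2.1' -> ((1, 0, 4), (1, 2, 1)).
    These are the two forms the advisory titles on this page use."""
    stripped = text.strip()
    ceiling = re.match(r"^<=\s*(\S+)$", stripped)
    if ceiling:
        return None, parse_version(ceiling.group(1))
    closed = re.match(r"^(\S+)\s*-\s*(\S+)$", stripped)
    if closed:
        return parse_version(closed.group(1)), parse_version(closed.group(2))
    raise ValueError(f"unrecognised range: {text!r}")


def is_affected(installed, affected_range):
    """True when the installed version falls inside the advisory's range.
    Tuple comparison gives the right order for mixed-length versions."""
    low, high = parse_range(affected_range)
    version = parse_version(installed)
    return (low is None or low <= version) and version <= high


def triage(inventory):
    """Return [(cve, product, installed, range)] for every advisory whose
    range covers the installed version. Products not in the inventory are
    skipped rather than reported, so absence of a product is not a finding."""
    hits = []
    for cve, product, affected_range in ADVISORIES:
        installed = inventory.get(product)
        if installed is not None and is_affected(installed, affected_range):
            hits.append((cve, product, installed, affected_range))
    return hits


if __name__ == "__main__":
    for cve, product, installed, affected_range in triage(SAMPLE_INVENTORY):
        print(f"{cve}: {product} {installed} is within '{affected_range}'")
```

With the sample inventory the script flags four Vayu Blocks entries (1.2.0 sits inside "1.0.4 - 1.2.1" and under the three later ceilings) and two Lead Form Builder entries, while Hunk Companion 1.8.5, Zita 1.7 and Variation Swatches 1.3.3 are one step past their ceilings and are not reported. To use it on a real site, replace SAMPLE_INVENTORY with the output of your plugin and theme inventory, keyed by the product names from the table.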

This page lists every published CVE security advisory associated with themehunk. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. An AI-generated analysis in Chinese is provided for fast triage.