themeisle — Vulnerabilities & Security Advisories 101

Browse all 101 CVE security advisories affecting themeisle. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Themeisle operates as a developer of WordPress plugins and themes, primarily offering free and premium tools for site optimization, SEO, and design. Its extensive portfolio has historically been associated with a significant volume of security vulnerabilities, currently totaling 86 recorded CVEs. These flaws predominantly involve cross-site scripting (XSS), SQL injection, and unauthenticated remote code execution (RCE), often stemming from insufficient input validation and weak access controls within plugin code. Notable incidents include critical RCE vulnerabilities in popular plugins like OceanWP and Zakra, which allowed attackers to execute arbitrary commands on compromised servers. The high frequency of these issues highlights systemic challenges in maintaining rigorous security standards across a large, diverse suite of open-source and commercial web components, necessitating frequent updates and strict adherence to secure coding practices to mitigate risks for end-users.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-13252 | RSS Aggregator by Feedzy <= 5.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'aspectRatio' Attribute | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | CWE-79 | 6.4 | Medium | 2026-07-02 |
| CVE-2026-13468 | Visualizer <= 4.0.3 - Missing Authorization to Unauthenticated Sensitive Information Disclosure via /visualizer/v1/action/{chart}/{type}/ REST Endpoint | Visualizer – Tables & Charts Manager with Built-in AI Generator | CWE-862 | 7.5 | High | 2026-07-01 |
| CVE-2026-12432 | Stripe Payment Forms by WP Full Pay <= 8.4.3 - Missing Authorization to Unauthenticated Payment Record Manipulation via 'paymentIntentId' Parameter | Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions | CWE-862 | 5.3 | Medium | 2026-06-27 |
| CVE-2026-57618 | WordPress Neve PRO theme <= 3.1.2 - Cross Site Scripting (XSS) vulnerability | Neve PRO | CWE-79 | 6.5 | Medium | 2026-06-26 |
| CVE-2026-56050 | WordPress PPOM for WooCommerce plugin <= 33.0.18 - Broken Access Control vulnerability | PPOM for WooCommerce | CWE-284 | 6.5 | Medium | 2026-06-25 |
| CVE-2026-11358 | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | CWE-79 | 4.4 | Medium | 2026-06-18 |
| CVE-2026-42378 | WordPress WP Full Stripe Free plugin <= 8.4.1 - Broken Authentication vulnerability | WP Full Stripe Free | CWE-288 | 6.5 | Medium | 2026-06-15 |
| CVE-2026-39507 | WordPress Social Slider Feed plugin <= 2.3.2 - Cross Site Scripting (XSS) vulnerability | Social Slider Feed | CWE-79 | 7.1 | High | 2026-06-15 |
| CVE-2026-23970 | WordPress Redirection for Contact Form 7 plugin <= 3.2.8 - Cross Site Scripting (XSS) vulnerability | Redirection for Contact Form 7 | CWE-79 | 7.1 | High | 2026-06-15 |
| CVE-2017-20251 | WordPress Insert PHP Plugin 4.7.0 PHP Code Injection via REST API | Woody Code Snippets | CWE-94 | 9.8 | Critical | 2026-06-09 |
| CVE-2026-8976 | RSS Aggregator by Feedzy <= 5.1.7 - Missing Authorization to Authenticated (Contributor+) Import Job Creation, Execution, Purge, Log Clearing, and Information Disclosure via Multiple AJAX Sub-Actions | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | CWE-862 | 4.3 | Medium | 2026-06-05 |
| CVE-2025-53209 | WordPress Masteriyo LMS PRO plugin <= 2.20.0 - Privilege Escalation Vulnerability | Masteriyo LMS PRO | CWE-266 | 9.8 | Critical | 2026-06-02 |
| CVE-2026-8689 | Visualizer: Tables and Charts Manager for WordPress <= 3.11.14 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Chart Creation and Modification via renderChartPages() and uploadData() Functions | Visualizer: Tables and Charts Manager for WordPress | CWE-862 | 4.3 | Medium | 2026-05-28 |
| CVE-2026-42749 | WordPress Disable Comments for Any Post Types (Remove comments) plugin <= 1.3.0 - Broken Authentication vulnerability | Disable Comments for Any Post Types (Remove comments) | CWE-288 | 7.1 | High | 2026-05-27 |
| CVE-2026-24573 | WordPress Visualizer plugin < 4.0.0 - Cross Site Scripting (XSS) vulnerability | Visualizer | CWE-79 | 6.5 | Medium | 2026-05-20 |
| CVE-2026-2892 | Otter Blocks <= 3.1.4 - Improper Authorization to Unauthenticated Purchase Verification Bypass via Forged Cookie | Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | CWE-285 | 7.5 | High | 2026-04-30 |
| CVE-2026-25366 | WordPress Woody ad snippets plugin <= 2.7.1 - Remote Code Execution (RCE) vulnerability | Woody ad snippets | CWE-94 | 9.9 | Critical | 2026-03-25 |
| CVE-2026-2410 | Disable Admin Notices – Hide Dashboard Notifications <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update | Disable Admin Notices – Hide Dashboard Notifications | CWE-352 | 4.3 | Medium | 2026-02-25 |
| CVE-2026-1319 | Robin Image Optimizer <= 2.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Image Alternative Text Field | Robin Image Optimizer – Unlimited Image Optimization & WebP Converter | CWE-79 | 6.4 | Medium | 2026-02-05 |
| CVE-2026-1755 | Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting | Menu Icons by ThemeIsle | CWE-79 | 6.4 | Medium | 2026-02-03 |
| CVE-2025-14800 | Redirection for Contact Form 7 <= 3.2.7 - Unauthenticated Arbitrary File Copy via move_file_to_upload | Redirection for Contact Form 7 | CWE-434 | 8.1 | High | 2025-12-21 |
| CVE-2025-13794 | Auto Featured Image <= 4.2.1 - Missing Authorization to Authenticated (Contributor+) Post Thumbnail Modification | Auto Featured Image (Auto Post Thumbnail) | CWE-862 | 4.3 | Medium | 2025-12-16 |
| CVE-2025-11467 | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator <= 5.1.1 - Unauthenticated Blind Server-Side Request Forgery | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | CWE-918 | 5.8 | Medium | 2025-12-11 |
| CVE-2025-12483 | Visualizer: Tables and Charts Manager for WordPress <= 3.11.12 - Authenticated (Contributor+) SQL Injection | Visualizer: Tables and Charts Manager for WordPress | CWE-89 | 6.5 | Medium | 2025-12-02 |
| CVE-2025-66069 | WordPress PPOM for WooCommerce plugin <= 33.0.16 - Broken Access Control vulnerability | PPOM for WooCommerce | CWE-862 | 4.3 | Medium | 2025-11-21 |
| CVE-2025-12045 | Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | CWE-79 | 6.4 | Medium | 2025-11-04 |
| CVE-2025-9322 | Stripe Payment Forms <= 8.3.1 - Unauthenticated SQL Injection | Stripe Payment Forms by WP Full Pay – Accept Credit Card Payments, Donations & Subscriptions | CWE-89 | 7.5 | High | 2025-10-25 |
| CVE-2025-11128 | Feedzy RSS Feeds Lite <= 5.1.0 - Authenticated (Subscriber+) Server-Side Request Forgery | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | CWE-918 | 5.0 | Medium | 2025-10-23 |
| CVE-2025-11691 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated SQL Injection | PPOM – Product Addons & Custom Fields for WooCommerce | CWE-89 | 7.5 | High | 2025-10-18 |
| CVE-2025-11391 | PPOM – Product Addons & Custom Fields for WooCommerce <= 33.0.15 - Unauthenticated Arbitrary File Upload | PPOM – Product Addons & Custom Fields for WooCommerce | CWE-434 | 9.8 | Critical | 2025-10-18 |

This page lists every published CVE security advisory associated with themeisle. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.