Themify

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2023-46149 1Themify 1Ultra Apr 28, 2026 Dec 20, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5.
CVE-2023-46147 1Themify 1Ultra Apr 28, 2026 Dec 20, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 Deserialization of Untrusted Data vulnerability in Themify Themify Ultra.This issue affects Themify Ultra: from n/a through 7.3.5.
CVE-2023-2654 1Themify 1Conditional Menus Dec 12, 2024 Jun 19, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such...Show more The Conditional Menus WordPress plugin before 1.2.1 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as adminShow less
CVE-2022-32970 1Themify 1Portfolio Post Nov 21, 2024 May 10, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Themify Themify Portfolio Post plugin <= 1.2.4 versions.
CVE-2023-0362 1Themify 1Portfolio Post Mar 21, 2025 Feb 13, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the...Show more Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.Show less
CVE-2022-4787 1Themify 1Shortcodes Mar 27, 2025 Jan 30, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Themify Shortcodes WordPress plugin before 2.0.8 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.
CVE-2022-4464 1Themify 1Portfolio Post Apr 8, 2025 Jan 16, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to...Show more Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escapes some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin.Show less
CVE-2022-1532 1Themify 1Woocommerce Product Filter Nov 21, 2024 Jun 13, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting
CVE-2022-1047 1Themify 1Post Type Builder Search Addon Nov 21, 2024 May 9, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 The Themify Post Type Builder Search Addon WordPress plugin before 1.4.0 does not properly escape the current page URL before reusing it in a HTML attribute, leading to a reflected cross site scripting vulnerability.
CVE-2022-0200 1Themify 1Portfolio Post Nov 21, 2024 Feb 14, 2022 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back the response of the themify_create_popup_page_pagination AJAX action (available to an...Show more Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site ScriptingShow less
CVE-2013-20002 1Themify 1Framework Nov 21, 2024 Jun 17, 2021 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.
CVE-2021-24129 1Themify 1Portfolio Post Nov 21, 2024 Mar 18, 2021 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+)...Show more Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.Show less

Previous 12