CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-13319 – Themify Builder <= 7.6.5 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-13319
21 Jan 2025 — The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/changeset/3224684/themify-builder/trunk/themify/themify-admin.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-56216 – WordPress Themify Builder plugin <= 7.6.3 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-56216
19 Dec 2024 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themify Themify Builder allows PHP Local File Inclusion.This issue affects Themify Builder: from n/a through 7.6.3. Vulnerabilidad de control inadecuado del nombre de archivo para la declaración Include/Require en el programa PHP ('Inclusión de archivo remoto PHP') en Themify Themify Builder permite la inclusión de archivos locales PHP. Este problema afecta a Themify Builder: desde n/a ha... • https://patchstack.com/database/wordpress/plugin/themify-builder/vulnerability/wordpress-themify-builder-plugin-7-6-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52423 – WordPress Themify Builder plugin <= 7.6.3 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-52423
13 Nov 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify Builder allows Stored XSS.This issue affects Themify Builder: from n/a through 7.6.3. Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Themify Themify Builder permite XSS almacenado. Este problema afecta a Themify Builder: desde n/a hasta 7.6.3. The Themify Builder plugin for WordPress is vulnerable to Sto... • https://patchstack.com/database/vulnerability/themify-builder/wordpress-themify-builder-plugin-7-6-3-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9385 – Themify Builder <= 7.6.2 - Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-9385
04 Oct 2024 — The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.6.2/classes/class-themify-builder-model.php#L1121 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7836 – Themify Builder <= 7.6.1 - Missing Authorization to Authenticated (Contributor+) Post Duplication
https://notcve.org/view.php?id=CVE-2024-7836
21 Aug 2024 — The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them. • https://plugins.trac.wordpress.org/browser/themify-builder/tags/7.6.1/classes/class-builder-duplicate-page.php#L41 • CWE-863: Incorrect Authorization •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3032 – Themify Builder < 7.5.8 - Open Redirect
https://notcve.org/view.php?id=CVE-2024-3032
23 May 2024 — Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue El complemento Themify Builder de WordPress anterior a 7.5.8 no valida un parámetro antes de redirigir al usuario a su valor, lo que genera un problema de Open Redirect The Themify Builder plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 7.5.7. This is due to insufficient validation on the redirect url supplied via th... • https://wpscan.com/vulnerability/d130a60c-c36b-4994-9b0e-e52cd7f99387 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24872 – WordPress Themify Builder Plugin <= 7.0.5 is vulnerable to Cross Site Request Forgery (CSRF)
https://notcve.org/view.php?id=CVE-2024-24872
05 Feb 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder.This issue affects Themify Builder: from n/a through 7.0.5. Vulnerabilidad de Cross-Site Request Forgery (CSRF) en Themify Themify Builder. Este problema afecta a Themify Builder: desde n/a hasta 7.0.5. The Themify Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 7.0.5. This is due to missing or incorrect nonce validation on the cache_menu() function. • https://patchstack.com/database/vulnerability/themify-builder/wordpress-themify-builder-plugin-7-0-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •