Vulnerabilities (CVE)

Filtered by vendor Themehunk Subscribe
Total 9 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-9061 1 Themehunk 1 Wp Popup Builder 2024-10-30 N/A 9.8 CRITICAL
The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
CVE-2024-8434 1 Themehunk 1 Easy Mega Menu Plugin 2024-10-02 N/A 4.3 MEDIUM
The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings.
CVE-2024-44049 1 Themehunk 1 Gutenberg Blocks 2024-09-24 N/A 5.4 MEDIUM
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks – Unlimited blocks For Gutenberg allows Stored XSS.This issue affects Gutenberg Blocks – Unlimited blocks For Gutenberg: from n/a through 1.2.7.
CVE-2022-23179 1 Themehunk 1 Contact Form \& Lead Form Elementor Builder 2024-02-28 N/A 4.8 MEDIUM
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed
CVE-2023-27431 1 Themehunk 1 Big Store 2024-02-28 N/A 8.8 HIGH
Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk Big Store theme <= 1.9.3 versions.
CVE-2022-23180 1 Themehunk 1 Contact Form \& Lead Form Elementor Builder 2024-02-28 N/A 4.3 MEDIUM
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings
CVE-2022-2404 1 Themehunk 1 Wp Popup Builder 2024-02-28 N/A 6.1 MEDIUM
The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting
CVE-2022-2405 1 Themehunk 1 Wp Popup Builder 2024-02-28 N/A 4.3 MEDIUM
The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup
CVE-2021-24967 1 Themehunk 1 Contact Form \& Lead Form Elementor Builder 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads