汇总 themehunk 相关全部产品的 CVE 与安全漏洞情报,包括 CVSS、EPSS、公开时间与漏洞情报数据。
已披露问题常与 跨站脚本、CSRF与文件包含 相关,可能在 软件部署与生产负载 场景中带来 会话劫持与文件覆盖 等暴露风险。
相关漏洞数据主要来源于公开漏洞披露与安全公告,可用于评估历史漏洞暴露面与修复优先级。
| CVE | 摘要 | 来源 | 最高 CVSS | EPSS % | 公开时间 | 更新时间 |
|---|---|---|---|---|---|---|
| CVE-2025-62902 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.8. | [email protected] | 5.3 | 0.04% | 2025-10-27 | 2026-04-27 |
| CVE-2025-52816 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita zita allows PHP Local File Inclusion.This issue affects Zita: from n/a through <= 1.6.5. | [email protected] | 8.1 | 0.55% | 2025-06-27 | 2026-04-23 |
| CVE-2025-30990 | Missing Authorization vulnerability in ThemeHunk ThemeHunk themehunk-megamenu-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeHunk: from n/a through <= 1.2.0. | [email protected] | 4.3 | 0.16% | 2025-06-06 | 2026-04-23 |
| CVE-2024-10475 | The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 4.8 | 0.17% | 2025-05-15 | 2025-06-09 |
| CVE-2025-22644 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce vayu-blocks allows Stored XSS.This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through <= 1.4.7. | [email protected] | 6.5 | 0.07% | 2025-03-27 | 2026-04-23 |
| CVE-2025-30881 | Missing Authorization vulnerability in themehunk Big Store big-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Big Store: from n/a through <= 2.0.8. | [email protected] | 4.3 | 0.14% | 2025-03-27 | 2026-04-23 |
| CVE-2024-11972 | The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed. | [email protected] | 9.8 | 91.88% | 2024-12-31 | 2025-05-17 |
| CVE-2023-28688 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7. | [email protected] | 5.4 | 0.05% | 2024-12-09 | 2026-01-09 |
| CVE-2024-9061 | The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed i | [email protected] | 7.3 | 89.00% | 2024-10-16 | 2024-10-30 |
| CVE-2024-9707 | The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. | [email protected] | 9.8 | 90.28% | 2024-10-11 | 2024-11-25 |
| CVE-2024-8434 | The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings. | [email protected] | 4.3 | 0.17% | 2024-09-25 | 2024-12-17 |
| CVE-2024-44049 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks.This issue affects Gutenberg Blocks: from n/a through <= 1.2.8. | [email protected] | 6.5 | 0.27% | 2024-09-17 | 2026-04-23 |
| CVE-2022-40218 | Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4. | [email protected] | 6.5 | 0.46% | 2024-05-08 | 2026-01-09 |
| CVE-2024-3637 | The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 6.1 | 0.40% | 2024-05-03 | 2025-05-08 |
| CVE-2022-38057 | Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.2.1. | [email protected] | 6.5 | 0.11% | 2024-03-25 | 2026-04-28 |
| CVE-2022-23180 | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings | [email protected] | 4.3 | 0.10% | 2024-01-16 | 2025-06-16 |
| CVE-2022-23179 | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | [email protected] | 4.8 | 0.18% | 2024-01-16 | 2025-05-09 |
| CVE-2023-27431 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk Big Store theme <= 1.9.3 versions. | [email protected] | 4.3 | 0.06% | 2023-11-12 | 2024-11-21 |
| CVE-2022-2405 | The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup | [email protected] | 4.3 | 0.06% | 2022-09-26 | 2025-05-21 |
| CVE-2022-2404 | The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | [email protected] | 6.1 | 0.22% | 2022-09-26 | 2025-05-21 |