彙總 themehunk 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
已披露問題常與 跨站腳本、CSRF與檔案包含 相關,可能在 軟體部署與生產負載 場景中帶來 工作階段劫持與檔案覆寫 等暴露風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2025-62902 | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.8. | [email protected] | 5.3 | 0.04% | 2025-10-27 | 2026-04-27 |
| CVE-2025-52816 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita zita allows PHP Local File Inclusion.This issue affects Zita: from n/a through <= 1.6.5. | [email protected] | 8.1 | 0.55% | 2025-06-27 | 2026-04-23 |
| CVE-2025-30990 | Missing Authorization vulnerability in ThemeHunk ThemeHunk themehunk-megamenu-plus allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ThemeHunk: from n/a through <= 1.2.0. | [email protected] | 4.3 | 0.16% | 2025-06-06 | 2026-04-23 |
| CVE-2024-10475 | The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). | [email protected] | 4.8 | 0.17% | 2025-05-15 | 2025-06-09 |
| CVE-2025-22644 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce vayu-blocks allows Stored XSS.This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through <= 1.4.7. | [email protected] | 6.5 | 0.07% | 2025-03-27 | 2026-04-23 |
| CVE-2025-30881 | Missing Authorization vulnerability in themehunk Big Store big-store allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Big Store: from n/a through <= 2.0.8. | [email protected] | 4.3 | 0.14% | 2025-03-27 | 2026-04-23 |
| CVE-2024-11972 | The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed. | [email protected] | 9.8 | 91.88% | 2024-12-31 | 2025-05-17 |
| CVE-2023-28688 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7. | [email protected] | 5.4 | 0.05% | 2024-12-09 | 2026-01-09 |
| CVE-2024-9061 | The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed i | [email protected] | 7.3 | 89.00% | 2024-10-16 | 2024-10-30 |
| CVE-2024-9707 | The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. | [email protected] | 9.8 | 90.28% | 2024-10-11 | 2024-11-25 |
| CVE-2024-8434 | The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings. | [email protected] | 4.3 | 0.17% | 2024-09-25 | 2024-12-17 |
| CVE-2024-44049 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Gutenberg Blocks unlimited-blocks.This issue affects Gutenberg Blocks: from n/a through <= 1.2.8. | [email protected] | 6.5 | 0.27% | 2024-09-17 | 2026-04-23 |
| CVE-2022-40218 | Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4. | [email protected] | 6.5 | 0.46% | 2024-05-08 | 2026-01-09 |
| CVE-2024-3637 | The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup) | [email protected] | 6.1 | 0.40% | 2024-05-03 | 2025-05-08 |
| CVE-2022-38057 | Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.2.1. | [email protected] | 6.5 | 0.11% | 2024-03-25 | 2026-04-28 |
| CVE-2022-23180 | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings | [email protected] | 4.3 | 0.10% | 2024-01-16 | 2025-06-16 |
| CVE-2022-23179 | The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed | [email protected] | 4.8 | 0.18% | 2024-01-16 | 2025-05-09 |
| CVE-2023-27431 | Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk Big Store theme <= 1.9.3 versions. | [email protected] | 4.3 | 0.06% | 2023-11-12 | 2024-11-21 |
| CVE-2022-2405 | The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup | [email protected] | 4.3 | 0.06% | 2022-09-26 | 2025-05-21 |
| CVE-2022-2404 | The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting | [email protected] | 6.1 | 0.22% | 2022-09-26 | 2025-05-21 |