ReportizFlow
Filtered by vendor Themefic
Subscriptions
Total
35 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-39594 | 2 Themefic, Wordpress | 2 Ultra Addons For Wpforms, Wordpress | 2026-06-24 | 6.4 Medium |
| Subscriber Broken Access Control in Ultra Addons for WPForms <= 1.0.11 versions. | ||||
| CVE-2026-42675 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-06-01 | 7.3 High |
| Missing Authorization vulnerability in Themefic Hydra Booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hydra Booking: from n/a through 1.1.41. | ||||
| CVE-2024-29135 | 1 Themefic | 1 Tourfic | 2026-04-29 | 9.9 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.15. | ||||
| CVE-2023-47693 | 2 Themefic, Wordpress | 2 Ultimate Addons For Contact Form 7, Wordpress | 2026-04-29 | 7.5 High |
| Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.2.6. | ||||
| CVE-2023-49766 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2026-04-28 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 allows Stored XSS.This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.2.0. | ||||
| CVE-2023-30495 | 1 Themefic | 1 Ultimate Addons For Contact Form 7 | 2026-04-28 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Ultimate Addons for Contact Form 7.This issue affects Ultimate Addons for Contact Form 7: from n/a through 3.1.23. | ||||
| CVE-2025-49378 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-27 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.10. | ||||
| CVE-2025-68055 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-27 | 8.5 High |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themefic Hydra Booking hydra-booking allows SQL Injection.This issue affects Hydra Booking: from n/a through <= 1.1.32. | ||||
| CVE-2026-39541 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-24 | 5.9 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Hydra Booking hydra-booking allows Stored XSS.This issue affects Hydra Booking: from n/a through <= 1.1.38. | ||||
| CVE-2026-39543 | 2 Themefic, Wordpress | 2 Tourfic, Wordpress | 2026-04-24 | 5.3 Medium |
| Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tourfic: from n/a through <= 2.21.4. | ||||
| CVE-2026-39571 | 2 Themefic, Wordpress | 2 Instantio, Wordpress | 2026-04-24 | 5.3 Medium |
| Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Themefic Instantio instantio allows Retrieve Embedded Sensitive Data.This issue affects Instantio: from n/a through <= 3.3.30. | ||||
| CVE-2025-49377 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-23 | 6.3 Medium |
| Missing Authorization vulnerability in Themefic Hydra Booking hydra-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Hydra Booking: from n/a through <= 1.1.9. | ||||
| CVE-2025-47550 | 1 Themefic | 1 Instantio | 2026-04-23 | 6.6 Medium |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Instantio instantio allows Upload a Web Shell to a Web Server.This issue affects Instantio: from n/a through <= 3.3.16. | ||||
| CVE-2025-47549 | 1 Themefic | 1 Ultimate Before After Image Slider \& Gallery | 2026-04-23 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic BEAF beaf-before-and-after-gallery allows Upload a Web Shell to a Web Server.This issue affects BEAF: from n/a through <= 4.6.10. | ||||
| CVE-2025-24650 | 1 Themefic | 1 Tourfic | 2026-04-23 | 9.1 Critical |
| Unrestricted Upload of File with Dangerous Type vulnerability in Themefic Tourfic tourfic allows Upload a Web Shell to a Web Server.This issue affects Tourfic: from n/a through <= 2.15.3. | ||||
| CVE-2024-29137 | 1 Themefic | 1 Tourfic | 2026-04-23 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.7. | ||||
| CVE-2024-29136 | 1 Themefic | 1 Tourfic | 2026-04-23 | 8.5 High |
| Deserialization of Untrusted Data vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.17. | ||||
| CVE-2024-29134 | 1 Themefic | 1 Tourfic | 2026-04-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Tourfic tourfic.This issue affects Tourfic: from n/a through <= 2.11.8. | ||||
| CVE-2026-32460 | 2 Themefic, Wordpress | 2 Ultimate Addons For Contact Form 7, Wordpress | 2026-04-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.36. | ||||
| CVE-2025-12787 | 2 Themefic, Wordpress | 2 Hydra Booking, Wordpress | 2026-04-22 | 5.3 Medium |
| The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhb_meeting_form_submit_callback" function using insufficiently random values to generate booking cancellation tokens, combined with a globally shared nonce. This makes it possible for unauthenticated attackers to cancel arbitrary bookings via brute force attacks against the tfhb_meeting_form_cencel AJAX endpoint. | ||||