Vulnerabilities and security researches forthemeisle-companion themeisle-companion

Direction: descending

Jun 19, 2026

Orbit Fox by ThemeIsle # CVE-2026-11358

CVE, Research URL: CVE-2026-11358
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jun 18, 2026
Research Description: The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 3.0.7.
Status: vulnerable

Jun 16, 2026

Orbit Fox by ThemeIsle # 303da80fba9a122881aae989a8bb29211f7fc1df

CVE, Research URL: 303da80fba9a122881aae989a8bb29211f7fc1df
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jan 15, 2024
Research Description: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.28 Orbit Fox by ThemeIsle <= 2.10.27 - Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table Elementor Widget in all versions up to, and including, 2.10.27 due to insufficient input sanitization and output escaping on the user supplied link URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.28.
Status: vulnerable

Orbit Fox by ThemeIsle # 655ce056f5c45d9d82efb41be6b110200c64c282

CVE, Research URL: 655ce056f5c45d9d82efb41be6b110200c64c282
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Nov 12, 2018
Research Description: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.6.4 Orbit Fox by ThemeIsle <= 2.6.3 - Improper REST Capabilities Checks The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on several REST API endpoints in versions up to, and including, 2.6.3. This makes it possible for unauthenticated attackers to perform unauthorized actions such as uploading arbitrary files that can be used for remote code execution.
Affected versions: max 2.6.4.
Status: vulnerable

Orbit Fox by ThemeIsle # fbec1cb8181da969b166e5a3fd0b0f934be88faa

CVE, Research URL: fbec1cb8181da969b166e5a3fd0b0f934be88faa
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Apr 27, 2023
Research Description: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.24 WordPress Orbit Fox by ThemeIsle Plugin < 2.10.24 is vulnerable to Server Side Request Forgery (SSRF) Update the WordPress Orbit Fox by ThemeIsle plugin to the latest available version (at least 2.10.24). An unknown person discovered and reported this Server Side Request Forgery (SSRF) vulnerability in WordPress Orbit Fox by ThemeIsle Plugin. This could allow a malicious actor to cause a website to execute website requests to an arbitrary domain of the attacker. This could allow a malicious actor to find sensitive information of other services running on the system. This vulnerability has been fixed in version 2.10.24.
Affected versions: max 2.10.24.
Status: vulnerable

Orbit Fox by ThemeIsle # 014073fa-7949-49e8-996f-2f84dab94ba9

CVE, Research URL: 014073fa-7949-49e8-996f-2f84dab94ba9
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: -
Research Description: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.6.4 Orbit Fox by ThemeIsle <= 2.6.3 -Does not properly Authenticate REST API Calls Orbit Fox by Themeisle (aka Themeisle Companion) version <= 2.6.3 does not properly authenticate REST API calls allowing unauthenticated users to execute several API calls. In some cases one of these calls can be used to upload arbitrary files which can lead to remote code execution.
Affected versions: max 2.6.4.
Status: vulnerable

Orbit Fox by ThemeIsle # db149824d0fdd7d641ab15288dacde4cbbae282d

CVE, Research URL: db149824d0fdd7d641ab15288dacde4cbbae282d
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jan 12, 2021
Research Description: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.3 WordPress Orbit Fox by ThemeIsle plugin <= 2.10.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability Authenticated Stored Cross-Site Scripting (XSS) vulnerability found by Chloe Chamberland in WordPress Orbit Fox by ThemeIsle plugin (versions <= 2.10.2).
Affected versions: max 2.10.3.
Status: vulnerable

Orbit Fox by ThemeIsle # 7fb22b41edaedc5ff499c2742876a5396e1b7b37

CVE, Research URL: 7fb22b41edaedc5ff499c2742876a5396e1b7b37
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jan 12, 2021
Research Description: Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.3 WordPress Orbit Fox by ThemeIsle plugin <= 2.10.2 - Authenticated Privilege Escalation vulnerability Authenticated Privilege Escalation vulnerability found by Chloe Chamberland in WordPress Orbit Fox by ThemeIsle plugin (versions <= 2.10.2).
Affected versions: max 2.10.3.
Status: vulnerable

Dec 04, 2025

Orbit Fox by ThemeIsle # CVE-2025-10874

CVE, Research URL: CVE-2025-10874
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Oct 24, 2025
Research Description: The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More WordPress plugin before 3.0.2 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.
Affected versions: max 3.0.2.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2025-12045

CVE, Research URL: CVE-2025-12045
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Nov 04, 2025
Research Description: The Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the category and tag 'name' parameters in all versions up to, and including, 3.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 3.0.3.
Status: vulnerable

Sep 05, 2025

Orbit Fox by ThemeIsle # CVE-2025-58593

CVE, Research URL: CVE-2025-58593
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Sep 03, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle themeisle-companion allows Stored XSS.This issue affects Orbit Fox by ThemeIsle: from n/a through <= 3.0.0.
Affected versions: max 3.0.1.
Status: vulnerable

May 07, 2025

Orbit Fox by ThemeIsle # CVE-2024-13183

CVE, Research URL: CVE-2024-13183
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jan 10, 2025
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.44.
Status: vulnerable

Feb 19, 2025

Orbit Fox by ThemeIsle # CVE-2025-22659

CVE, Research URL: CVE-2025-22659
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Mar 27, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themeisle Orbit Fox by ThemeIsle themeisle-companion allows Stored XSS.This issue affects Orbit Fox by ThemeIsle: from n/a through <= 2.10.44.
Affected versions: max 2.10.45.
Status: vulnerable

Jan 11, 2025

Orbit Fox by ThemeIsle # CVE-2025-0311

CVE, Research URL: CVE-2025-0311
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jan 10, 2025
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table widget in all versions up to, and including, 2.10.43 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.44.
Status: vulnerable

Aug 22, 2024

Orbit Fox by ThemeIsle # CVE-2024-7778

CVE, Research URL: CVE-2024-7778
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Aug 22, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.10.36 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Affected versions: max 2.10.37.
Status: vulnerable

Jun 24, 2024

Orbit Fox by ThemeIsle # CVE-2024-2484

CVE, Research URL: CVE-2024-2484
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jun 22, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Services and Post Type Grid widgets in all versions up to, and including, 2.10.34 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.35.
Status: vulnerable

Jun 07, 2024

Orbit Fox by ThemeIsle # CVE-2023-2287

CVE, Research URL: CVE-2023-2287
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: May 30, 2023
Research Description: The Orbit Fox by ThemeIsle WordPress plugin before 2.10.24 does not limit URLs which may be used for the stock photo import feature, allowing the user to specify arbitrary URLs. This leads to a server-side request forgery as the user may force the server to access any URL of their choosing.
Affected versions: max 2.10.24.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2023-6781

CVE, Research URL: CVE-2023-6781
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Jan 11, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's custom fields in all versions up to, and including, 2.10.26 due to insufficient input sanitization and output escaping on user supplied values. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.27.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-0508

CVE, Research URL: CVE-2024-0508
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Feb 06, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Table Elementor Widget in all versions up to, and including, 2.10.27 due to insufficient input sanitization and output escaping on the user supplied link URL. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.28.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2021-24158

CVE, Research URL: CVE-2021-24158
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Apr 06, 2021
Research Description: Orbit Fox by ThemeIsle has a feature to add a registration form to both the Elementor and Beaver Builder page builders functionality. As part of the registration form, administrators can choose which role to set as the default for users upon registration. This field is hidden from view for lower-level users, however, they can still supply the user_role parameter to update the default role for registration.
Affected versions: max 2.10.3.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-1047

CVE, Research URL: CVE-2024-1047
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Feb 02, 2024
Research Description: Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.
Affected versions: max 2.10.29.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2021-24157

CVE, Research URL: CVE-2021-24157
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Apr 06, 2021
Research Description: Orbit Fox by ThemeIsle has a feature to add custom scripts to the header and footer of a page or post. There were no checks to verify that a user had the unfiltered_html capability prior to saving the script tags, thus allowing lower-level users to inject scripts that could potentially be malicious.
Affected versions: max 2.10.3.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-1323

CVE, Research URL: CVE-2024-1323
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Feb 27, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.32.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-1497

CVE, Research URL: CVE-2024-1497
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Mar 13, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form widget addr2_width attribute in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.31.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-2126

CVE, Research URL: CVE-2024-2126
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Mar 13, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Registration Form widget in all versions up to, and including, 2.10.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.33.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-1162

CVE, Research URL: CVE-2024-1162
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Feb 02, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.10.29. This is due to missing or incorrect nonce validation on the register_reference() function. This makes it possible for unauthenticated attackers to update the connected API keys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions: max 2.10.30.
Status: vulnerable

Orbit Fox by ThemeIsle # CVE-2024-1499

CVE, Research URL: CVE-2024-1499
Home page URL: Security reports for Orbit Fox by ThemeIsle
Application: Orbit Fox by ThemeIsle
Date: Mar 13, 2024
Research Description: The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Pricing Table widget in the $settings['title_tags'] parameter in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.10.31.
Status: vulnerable