Vulnerabilities and security researches forthemify-builder themify-builder

Jun 07, 2024

CVE, Research URL: CVE-2024-24872
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Feb 21, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder.This issue affects Themify Builder: from n/a through 7.0.5.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: 6698970fb3222b076e45d37df7e3fb6bdae4fb73
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Oct 04, 2021
Research Description: Themify Builder [themify-builder] < 5.3.2 Themify Builder <= 5.3.1 - Reflected Cross-Site Scripting The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the multiple parameters in versions up to, and including, 5.3.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Jun 15, 2024

CVE, Research URL: CVE-2024-3032
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Jun 13, 2024
Research Description: Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue
Affected versions: Min -, max -.
Status: vulnerable

Aug 22, 2024

CVE, Research URL: CVE-2024-7836
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Aug 22, 2024
Research Description: The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.
Affected versions: Min -, max -.
Status: vulnerable

Oct 06, 2024

CVE, Research URL: CVE-2024-9385
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Oct 05, 2024
Research Description: The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Nov 16, 2024

CVE, Research URL: CVE-2024-52423
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Nov 18, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Themify Themify Builder allows Stored XSS.This issue affects Themify Builder: from n/a through 7.6.3.
Affected versions: Min -, max -.
Status: vulnerable

Dec 23, 2024

CVE, Research URL: CVE-2024-56216
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Dec 31, 2024
Research Description: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themify Themify Builder allows PHP Local File Inclusion.This issue affects Themify Builder: from n/a through 7.6.3.
Affected versions: Min -, max -.
Status: vulnerable

Jan 23, 2025

CVE, Research URL: CVE-2024-13319
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Jan 22, 2025
Research Description: The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Aug 23, 2025

CVE, Research URL: CVE-2025-49396
Home page URL: Security reports for Themify Builder
Application: Themify Builder
Date: Aug 20, 2025
Research Description: Missing Authorization vulnerability in themifyme Themify Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Themify Builder: from n/a through 7.6.7.
Affected versions: Min -, max -.
Status: vulnerable