themehunk CVE Vulnerabilities & Metrics

Focus on themehunk vulnerabilities and metrics.

Last updated: 16 Jan 2026, 23:25 UTC

About themehunk Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with themehunk. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total themehunk CVEs: 18
Earliest CVE date: 27 Dec 2021, 11:15 UTC
Latest CVE date: 27 Oct 2025, 02:15 UTC

Latest CVE reference: CVE-2025-62902

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 6

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): 0.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical themehunk CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.24

Max CVSS: 4.3

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	17
4.0-6.9	1
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS themehunk CVEs

These are the five CVEs with the highest CVSS scores for themehunk, sorted by severity first and recency.

CVE-2021-24967 themehunk Published on 27 Dec 2021, 11:15 UTC (CVSS: 4.3)
The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads
CVE-2025-62902 themehunk Published on 27 Oct 2025, 02:15 UTC (CVSS: 0)
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.6.
CVE-2025-52816 themehunk Published on 27 Jun 2025, 12:15 UTC (CVSS: 0)
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.
CVE-2025-30990 themehunk Published on 06 Jun 2025, 13:15 UTC (CVSS: 0)
Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1.
CVE-2024-10475 themehunk Published on 15 May 2025, 20:15 UTC (CVSS: 0)
The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

All CVEs for themehunk

CVE-2025-62902 themehunk vulnerability CVSS: 0 27 Oct 2025, 02:15 UTC

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk WP Popup Builder wp-popup-builder allows Retrieve Embedded Sensitive Data.This issue affects WP Popup Builder: from n/a through <= 1.3.6.

CVE-2025-52816 themehunk vulnerability CVSS: 0 27 Jun 2025, 12:15 UTC

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themehunk Zita allows PHP Local File Inclusion. This issue affects Zita: from n/a through 1.6.5.

CVE-2025-30990 themehunk vulnerability CVSS: 0 06 Jun 2025, 13:15 UTC

Missing Authorization vulnerability in ThemeHunk ThemeHunk allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ThemeHunk: from n/a through 1.1.1.

CVE-2024-10475 themehunk vulnerability CVSS: 0 15 May 2025, 20:15 UTC

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin before 1.9.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2025-22644 themehunk vulnerability CVSS: 0 27 Mar 2025, 15:15 UTC

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeHunk Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce allows Stored XSS.This issue affects Vayu Blocks – Gutenberg Blocks for WordPress & WooCommerce: from n/a through 1.2.1.

CVE-2025-30881 themehunk vulnerability CVSS: 0 27 Mar 2025, 11:15 UTC

Missing Authorization vulnerability in ThemeHunk Big Store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Big Store: from n/a through 2.0.8.

CVE-2024-11972 themehunk vulnerability CVSS: 0 31 Dec 2024, 06:15 UTC

The Hunk Companion WordPress plugin before 1.9.0 does not correctly authorize some REST API endpoints, allowing unauthenticated requests to install and activate arbitrary Hunk Companion WordPress plugin before 1.9.0 from the WordPress.org repo, including vulnerable Hunk Companion WordPress plugin before 1.9.0 that have been closed.

CVE-2023-28688 themehunk vulnerability CVSS: 0 09 Dec 2024, 13:15 UTC

Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk TH Variation Swatches allows Cross Site Request Forgery.This issue affects TH Variation Swatches: from n/a through 1.2.7.

CVE-2024-9061 themehunk vulnerability CVSS: 0 16 Oct 2024, 08:15 UTC

The The WP Popup Builder – Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.

CVE-2024-8434 themehunk vulnerability CVSS: 0 25 Sep 2024, 03:15 UTC

The Easy Mega Menu Plugin for WordPress – ThemeHunk plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on several functions hooked via AJAX in all versions up to, and including, 1.0.9. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform actions like updating plugin settings.

CVE-2022-40218 themehunk vulnerability CVSS: 0 08 May 2024, 12:15 UTC

Missing Authorization vulnerability in ThemeHunk Advance WordPress Search Plugin.This issue affects Advance WordPress Search Plugin: from n/a through 1.1.4.

CVE-2024-3637 themehunk vulnerability CVSS: 0 03 May 2024, 06:15 UTC

The Responsive Contact Form Builder & Lead Generation Plugin WordPress plugin through 1.8.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-23180 themehunk vulnerability CVSS: 0 16 Jan 2024, 16:15 UTC

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.4 doesn't have authorisation and nonce checks, which could allow any authenticated users, such as subscriber to update and change various settings

CVE-2022-23179 themehunk vulnerability CVSS: 0 16 Jan 2024, 16:15 UTC

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.7.0 does not escape some of its form fields before outputting them in attributes, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed

CVE-2023-27431 themehunk vulnerability CVSS: 0 12 Nov 2023, 23:15 UTC

Cross-Site Request Forgery (CSRF) vulnerability in ThemeHunk Big Store theme <= 1.9.3 versions.

CVE-2022-2405 themehunk vulnerability CVSS: 0 26 Sep 2022, 13:15 UTC

The WP Popup Builder WordPress plugin before 1.2.9 does not have authorisation and CSRF check in an AJAX action, allowing any authenticated users, such as subscribers to delete arbitrary Popup

CVE-2022-2404 themehunk vulnerability CVSS: 0 26 Sep 2022, 13:15 UTC

The WP Popup Builder WordPress plugin before 1.2.9 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting

CVE-2021-24967 themehunk vulnerability CVSS: 4.3 27 Dec 2021, 11:15 UTC

The Contact Form & Lead Form Elementor Builder WordPress plugin before 1.6.4 does not sanitise and escape some lead values, which could allow unauthenticated users to perform Cross-Site Scripting attacks against logged in admin viewing the inserted Leads