themify CVE Vulnerabilities & Metrics

Focus on themify vulnerabilities and metrics.

Last updated: 08 Mar 2025, 23:25 UTC

About themify Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with themify. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

Global CVE Overview

Total themify CVEs: 14
Earliest CVE date: 18 Mar 2021, 15:15 UTC
Latest CVE date: 22 Jan 2025, 08:15 UTC

Latest CVE reference: CVE-2024-13319

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 4

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): -100.0%
Year Variation (Calendar): 0.0%

Month Growth Rate (30-day Rolling): -100.0%
Year Growth Rate (365-day Rolling): 0.0%

CVSS Stats

Average CVSS: 1.34

Max CVSS: 7.5

Critical CVEs (≥9): 0

CVSS Range vs. Count

CVSS Range    Count
0.0-3.9       12
4.0-6.9       1
7.0-8.9       1
9.0-10.0      0

Top 5 Highest CVSS themify CVEs

These are the five CVEs with the highest CVSS scores for themify, sorted by severity first, then by recency.

All CVEs for themify

CVE-2024-13319 themify vulnerability CVSS: 0 22 Jan 2025, 08:15 UTC

The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2024-56216 themify vulnerability CVSS: 0 31 Dec 2024, 10:15 UTC

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themify Themify Builder allows PHP Local File Inclusion. This issue affects Themify Builder: from n/a through 7.6.3.

CVE-2024-9385 themify vulnerability CVSS: 0 05 Oct 2024, 02:15 UTC

The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVE-2023-46146 themify vulnerability CVSS: 0 19 Jun 2024, 12:15 UTC

Missing Authorization vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5.

CVE-2024-24872 themify vulnerability CVSS: 0 21 Feb 2024, 07:15 UTC

Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder. This issue affects Themify Builder: from n/a through 7.0.5.

CVE-2023-46149 themify vulnerability CVSS: 0 20 Dec 2023, 19:15 UTC

Unrestricted Upload of File with Dangerous Type vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5.

CVE-2023-46147 themify vulnerability CVSS: 0 20 Dec 2023, 14:15 UTC

Deserialization of Untrusted Data vulnerability in Themify Themify Ultra. This issue affects Themify Ultra: from n/a through 7.3.5.

CVE-2022-32970 themify vulnerability CVSS: 0 10 May 2023, 09:15 UTC

Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Themify Themify Portfolio Post plugin <= 1.2.4 versions.

CVE-2023-0362 themify vulnerability CVSS: 0 13 Feb 2023, 15:15 UTC

Themify Portfolio Post WordPress plugin before 1.2.2 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2022-4464 themify vulnerability CVSS: 0 16 Jan 2023, 16:15 UTC

Themify Portfolio Post WordPress plugin before 1.2.1 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as a contributor to perform Stored Cross-Site Scripting attacks, which could be used against high privileged users such as admin.

CVE-2022-1532 themify vulnerability CVSS: 4.3 13 Jun 2022, 13:15 UTC

Themify WordPress plugin before 1.3.8 does not sanitise and escape the page parameter before outputting it back in an attribute in an admin page, leading to a Reflected Cross-Site Scripting.

CVE-2022-0200 themify vulnerability CVSS: 3.5 14 Feb 2022, 12:15 UTC

Themify Portfolio Post WordPress plugin before 1.1.7 does not sanitise and escape the num_of_pages parameter before outputting it back in the response of the themify_create_popup_page_pagination AJAX action (available to any authenticated user), leading to a Reflected Cross-Site Scripting.

CVE-2013-20002 themify vulnerability CVSS: 7.5 17 Jun 2021, 16:15 UTC

Elemin allows remote attackers to upload and execute arbitrary PHP code via the Themify framework (before 1.2.2) wp-content/themes/elemin/themify/themify-ajax.php file.

CVE-2021-24129 themify vulnerability CVSS: 3.5 18 Mar 2021, 15:15 UTC

Unvalidated input and lack of output encoding in the Themify Portfolio Post WordPress plugin, versions before 1.1.6, lead to Stored Cross-Site Scripting (XSS) vulnerabilities allowing low-privileged users (Contributor+) to inject arbitrary JavaScript code or HTML in posts where the Themify Custom Panel is embedded, which could lead to privilege escalation.