Themefic — Vulnerabilities & Security Advisories (36)

Browse all 36 CVE security advisories affecting Themefic. AI-powered Chinese analysis, POCs, and references for each vulnerability.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39571 | WordPress Instantio plugin <= 3.3.30 - Sensitive Data Exposure vulnerability | Instantio | CWE-497 | 7.5 (AI) | High (AI) | 2026-04-08 |
| CVE-2026-39543 | WordPress Tourfic plugin <= 2.21.4 - Broken Access Control vulnerability | Tourfic | CWE-862 | 9.1 (AI) | Critical (AI) | 2026-04-08 |
| CVE-2026-39541 | WordPress Hydra Booking plugin <= 1.1.38 - Cross Site Scripting (XSS) vulnerability | Hydra Booking | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-04-08 |
| CVE-2026-32460 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.36 - Cross Site Scripting (XSS) vulnerability | Ultimate Addons for Contact Form 7 | CWE-79 | 6.1 | - | 2026-03-13 |
| CVE-2026-24940 | WordPress Travelfic Toolkit plugin <= 1.3.3 - Broken Access Control vulnerability | Travelfic Toolkit | CWE-862 | 8.1 (AI) | High (AI) | 2026-02-03 |
| CVE-2026-24945 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.5.34 - Broken Access Control vulnerability | Ultimate Addons for Contact Form 7 | CWE-862 | 9.1 (AI) | Critical (AI) | 2026-02-03 |
| CVE-2025-68027 | WordPress Hydra Booking plugin <= 1.1.32 - Privilege Escalation vulnerability | Hydra Booking | CWE-266 | 8.8 (AI) | High (AI) | 2026-01-22 |
| CVE-2025-68055 | WordPress Hydra Booking plugin <= 1.1.32 - SQL Injection vulnerability | Hydra Booking | CWE-89 | 8.5 | High | 2025-12-16 |
| CVE-2025-14356 | Ultra Addons for Contact Form 7 <= 3.5.33 - Missing Authorization to Authenticated (Subscriber+) to Generate Form Submission PDF | Ultra Addons for Contact Form 7 | CWE-639 | 4.3 | Medium | 2025-12-12 |
| CVE-2025-12788 | Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Missing Payment Verification to Unauthenticated Payment Bypass | Hydra Booking — Appointment Scheduling & Booking Calendar | CWE-602 | 5.3 | Medium | 2025-11-11 |
| CVE-2025-12787 | Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings <= 1.1.27 - Unauthenticated Arbitrary Booking Cancellation via Weak Hash Generation | Hydra Booking — Appointment Scheduling & Booking Calendar | CWE-330 | 5.3 | Medium | 2025-11-11 |
| CVE-2025-49377 | WordPress Hydra Booking plugin <= 1.1.9 - Broken Access Control vulnerability | Hydra Booking | CWE-862 | 6.3 | Medium | 2025-10-22 |
| CVE-2025-49378 | WordPress Hydra Booking plugin <= 1.1.10 - SQL Injection vulnerability | Hydra Booking | CWE-89 | 8.5 | High | 2025-10-22 |
| CVE-2024-8860 | Tourfic <= 2.14.5 - Missing Authorization in Multiple Functions | Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin | CWE-862 | 4.3 | Medium | 2025-08-26 |
| CVE-2025-7689 | Hydra Booking 1.1.0 - 1.1.18 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via tfhb_reset_password_callback Function | Hydra Booking – All in One Appointment Booking System \| Appointment Scheduling, Booking Calendar & WooCommerce Bookings | CWE-862 | 8.8 | High | 2025-07-29 |
| CVE-2025-6756 | Ultra Addons for Contact Form 7 <= 3.5.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via UACF7_CUSTOM_FIELDS Shortcode | Ultra Addons for Contact Form 7 | CWE-79 | 6.4 | Medium | 2025-07-01 |
| CVE-2025-6212 | Ultra Addons for Contact Form 7 3.5.11 - 3.5.19 - Unauthenticated Stored Cross-Site Scripting via Database module | Ultra Addons for Contact Form 7 | CWE-79 | 7.2 | High | 2025-06-26 |
| CVE-2025-6220 | Ultimate Addons for Contact Form 7 <= 3.5.12 - Authenticated (Administrator+) Arbitrary File Upload via 'save_options' | Ultra Addons for Contact Form 7 | CWE-434 | 7.2 | High | 2025-06-18 |
| CVE-2025-49323 | WordPress Hydra Booking plugin <= 1.1.10 - SQL Injection Vulnerability | Hydra Booking | CWE-89 | 8.5 | High | 2025-06-06 |
| CVE-2025-47550 | WordPress Instantio plugin <= 3.3.16 - Arbitrary File Upload Vulnerability | Instantio | CWE-434 | 6.6 | Medium | 2025-05-07 |
| CVE-2025-47549 | WordPress BEAF plugin <= 4.6.10 - Arbitrary File Upload Vulnerability | BEAF | CWE-434 | 9.1 | Critical | 2025-05-07 |
| CVE-2025-24581 | WordPress Instantio plugin <= 3.3.7 - Settings Change vulnerability | Instantio | CWE-862 | 6.5 | Medium | 2025-04-17 |
| CVE-2025-39585 | WordPress Travelfic Toolkit plugin <= 1.2.1 - Cross Site Scripting (XSS) Vulnerability | Travelfic Toolkit | CWE-79 | 6.5 | Medium | 2025-04-16 |
| CVE-2025-24650 | WordPress Tourfic plugin <= 2.15.3 - Arbitrary File Upload vulnerability | Tourfic | CWE-434 | 9.1 | Critical | 2025-01-24 |
| CVE-2023-47693 | WordPress Ultimate Addons for Contact Form 7 plugin <= 3.2.6 - Broken Access Control vulnerability | Ultimate Addons for Contact Form 7 | CWE-862 | 8.2 | - | 2025-01-02 |
| CVE-2024-12032 | Tourfic – Ultimate Hotel Booking, Travel Booking & Apartment Booking WordPress Plugin \| WooCommerce Booking <= 2.15.3 - Authenticated (Subscriber+) SQL Injection | Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin | CWE-89 | 6.5 | Medium | 2024-12-25 |
| CVE-2024-8319 | Tourfic <= 2.11.20 - Cross-Site Request Forgery in Multiple Functions | Tourfic – Travel Booking, Hotel Booking & Car Rental WordPress Plugin | CWE-352 | 4.3 | Medium | 2024-08-30 |
| CVE-2024-32433 | WordPress BEAF plugin <= 4.5.4 - Cross Site Request Forgery (CSRF) vulnerability | BEAF | CWE-352 | 4.3 | Medium | 2024-04-15 |
| CVE-2024-29134 | WordPress Tourfic plugin <= 2.11.8 - Cross Site Scripting (XSS) vulnerability | Tourfic | CWE-79 | 6.5 | Medium | 2024-03-19 |
| CVE-2024-29135 | WordPress Tourfic plugin <= 2.11.15 - Arbitrary File Upload vulnerability | Tourfic | CWE-434 | 8.8 (AI) | High (AI) | 2024-03-19 |

This page lists every published CVE security advisory associated with Themefic. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.