G5theme
Products by G5theme Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 8 vulnerabilities in G5theme, with an average score of 6.5 out of ten. Last year, in 2025, G5theme had 8 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, the number of security vulnerabilities in G5theme in 2026 could surpass last year's number. The average CVE base score of the vulnerabilities in 2026 is also greater, by 0.06.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 8 | 6.48 |
| 2025 | 8 | 6.42 |
| 2024 | 8 | 5.63 |
| 2023 | 4 | 6.95 |
| 2022 | 1 | 5.40 |
It may take a day or so for new G5theme vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent G5theme Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2026-39714 | Apr 08, 2026 | **Missing Authorization in G5Plus April <=6.8 (g5plus-april)** Missing Authorization vulnerability in G5Theme G5Plus April g5plus-april allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects G5Plus April: from n/a through <= 6.8. | |
| CVE-2026-39668 | Apr 08, 2026 | **Book Previewer for WooCommerce <=1.0.6 Missing AuthZ in Book-Previewer Plugin** Missing Authorization vulnerability in g5theme Book Previewer for Woocommerce book-previewer-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Book Previewer for Woocommerce: from n/a through <= 1.0.6. | |
| CVE-2026-27087 | Mar 25, 2026 | **Wolverine Framework <=1.9 Reflected XSS via wolverine-framework** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Wolverine Framework wolverine-framework allows Reflected XSS. This issue affects Wolverine Framework: from n/a through <= 1.9. | |
| CVE-2026-27088 | Mar 25, 2026 | **Reflected XSS in Darna Framework <=2.9** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Darna Framework darna-framework allows Reflected XSS. This issue affects Darna Framework: from n/a through <= 2.9. | |
| CVE-2026-22520 | Mar 25, 2026 | **Reflected XSS in G5Theme Handmade Framework (handmade-framework <=3.9)** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Handmade Framework handmade-framework allows Reflected XSS. This issue affects Handmade Framework: from n/a through <= 3.9. | |
| CVE-2025-69096 | Mar 25, 2026 | **G5Theme Zorka <=1.5.7 Reflected XSS in Zorka Theme** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Zorka zorka allows Reflected XSS. This issue affects Zorka: from n/a through <= 1.5.7. | |
| CVE-2026-22521 | Jan 08, 2026 | **G5Theme Handmade Framework 3.9 LFI via Improper Include Control** Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in G5Theme Handmade Framework allows PHP Local File Inclusion. This issue affects Handmade Framework: from n/a through 3.9. | |
| CVE-2026-0676 | Jan 08, 2026 | **Missing Auth CVE-2026-0676 in G5Theme Zorka <=1.5.7** Missing Authorization vulnerability in G5Theme Zorka zorka allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zorka: from n/a through <= 1.5.7. | |
| CVE-2025-68071 | Dec 16, 2025 | **Essential Real Estate <=5.2.2 Authorization Bypass via UserControlled Key** Authorization Bypass Through User-Controlled Key vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.9. | |
| CVE-2025-66127 | Dec 16, 2025 | **Missing Auth in g5theme Essential Real Estate <=5.2.2 Exploit** Missing Authorization vulnerability in g5theme Essential Real Estate essential-real-estate allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Essential Real Estate: from n/a through <= 5.2.9. | |
| CVE-2025-53352 | Oct 22, 2025 | **G5Theme Grid Plus <=3.3 Reflected XSS in grid-plus** Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in G5Theme Grid Plus grid-plus allows Reflected XSS. This issue affects Grid Plus: from n/a through <= 3.3. | |
| CVE-2024-13418 | May 02, 2025 | **WordPress Plugin/Theme: Arbitrary Upload via ajaxUploadFonts (CVE-2024-13418)** Multiple plugins and/or themes for WordPress are vulnerable to Arbitrary File Uploads due to a missing capability check on the ajaxUploadFonts() function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files that can make remote code execution possible. This issue was escalated to Envato over two months from the date of this disclosure and the issue, while partially patched, is still vulnerable. | |
| CVE-2024-13420 | May 02, 2025 | **WordPress GSF Plugins Missing Cap Check on AJAX Actions** Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable. | |
| CVE-2024-13419 | May 02, 2025 | **WordPress Smart Framework Stored XSS via Missing Capability Check** Multiple plugins and/or themes for WordPress using Smart Framework are vulnerable to Stored Cross-Site Scripting due to a missing capability check on the saveOptions() and importThemeOptions() functions in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings which includes custom JavaScript that is enabled site-wide. This issue was escalated to Envato over two months from the date of this disclosure and the issue is still vulnerable. | |
| CVE-2025-30849 | Apr 01, 2025 | **PHP LFI in Essential Real Estate <=5.2.0** Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in g5theme Essential Real Estate essential-real-estate allows PHP Local File Inclusion. This issue affects Essential Real Estate: from n/a through <= 5.2.0. | |
| CVE-2025-24698 | Jan 24, 2025 | **CSRF in G5Theme Essential Real Estate until 5.1.8** Cross-Site Request Forgery (CSRF) vulnerability in g5theme Essential Real Estate essential-real-estate allows Cross Site Request Forgery. This issue affects Essential Real Estate: from n/a through <= 5.1.8. | |
| CVE-2023-34014 | Dec 13, 2024 | **Grid Plus <=1.3.2 Unauth Access Control Bypass** Missing Authorization vulnerability in G5Theme Grid Plus allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Grid Plus: from n/a through 1.3.2. | |
| CVE-2024-12329 | Dec 12, 2024 | **Essential Real Estate Plugin: Unauthorized Data Access Vulnerability** The Essential Real Estate plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on several pages/post types in all versions up to, and including, 5.1.6. This makes it possible for authenticated attackers, with Contributor-level access and above, to access invoices and transaction logs | |
| CVE-2024-10910 | Dec 12, 2024 | **The Grid Plus Plugin for WordPress: Arbitrary Shortcode Execution Vulnerability** The The Grid Plus Unlimited grid layout plugin for WordPress is vulnerable to arbitrary shortcode execution via grid_plus_load_by_category AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | |
| CVE-2024-10329 | Nov 05, 2024 | **Ultimate Bootstrap Elements Sensitive Data Exposure** The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.6 via the 'ube_get_page_templates' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the contents of templates that are private. | |
| CVE-2024-4274 | Jun 04, 2024 | **WordPress Essential Real Estate: Authenticated Attachment Deletion (4.4.2)** The Essential Real Estate plugin for WordPress is vulnerable to unauthorized loss of data due to insufficient validation on the remove_property_attachment_ajax() function in all versions up to, and including, 4.4.2. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary attachments. | |
| CVE-2024-4273 | Jun 04, 2024 | **WordPress Essential Real Estate 4.4.2: Stored XSS via ere_property_map sc** The Essential Real Estate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ere_property_map' shortcode in all versions up to, and including, 4.4.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-2132 | Apr 06, 2024 | **WordPress Store XSS in Ultimate Bootstrap Elements Elementor 1.4.0 Image Widget** The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Image Widget in all versions up to, and including, 1.4.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2024-1398 | Mar 02, 2024 | **WordPress Plugin Ultimate Bootstrap Elements <1.3.6 XSS via heading tags** The Ultimate Bootstrap Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the heading_title_tag and heading_sub_title_tag parameters in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | |
| CVE-2023-6827 | Dec 15, 2023 | **Arbitr. File Upload in Essential Real Estate WP Plugin v4.3.5** The Essential Real Estate plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation on the 'ajaxUploadFonts' function in versions up to, and including, 4.3.5. This makes it possible for authenticated attackers with subscriber-level capabilities or above, to upload arbitrary files on the affected site's server which may make remote code execution possible. CVE-2023-6140 appears to be a duplicate of this issue. | |
| CVE-2023-5250 | Oct 30, 2023 | **Grid Plus WP Plugin 1.3.2 LFI via Shortcode Attribute PHP Code Execution** The Grid Plus plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 1.3.3 via a shortcode attribute. This allows subscriber-level, and above, attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files with arbitrary content can be uploaded and included. | |
| CVE-2023-5251 | Oct 30, 2023 | **Grid Plus WP Plugin 1.3.2: Auth Mod/Del via missing cap check** The Grid Plus plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'grid_plus_save_layout_callback' and 'grid_plus_delete_callback' functions in versions up to, and including, 1.3.2. This makes it possible for authenticated attackers with subscriber privileges or above, to add, update or delete grid layout. CVE-2023-34014 appears to be a duplicate of this issue. | |
| CVE-2023-46209 | Oct 27, 2023 | **Unauth XSS in G5Theme Grid Plus <=1.3.2 (WP plugin)** Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in G5Theme Grid Plus Unlimited grid plugin <= 1.3.2 versions. | |
| CVE-2022-3933 | Dec 12, 2022 | **Essential Real Estate WP Plugin XSS via Unsanitized Admin Params <3.9.6** The Essential Real Estate WordPress plugin before 3.9.6 does not sanitize and escape some parameters, which could allow users with a role as low as Admin to perform Cross-Site Scripting attacks. | |