Themify Builder

By the Year

In 2026 there have been 0 vulnerabilities in Themify Builder. Builder did not have any published security vulnerabilities last year.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 0 | 0.00 |
| 2024 | 6 | 6.36 |

It may take a day or so for new Builder vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Themify Builder Security Vulnerabilities

Themify Builder PHP Remote File Inclusion Vulnerability
CVE-2024-56216 - December 31, 2024

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in themifyme Themify Builder themify-builder allows PHP Local File Inclusion. This issue affects Themify Builder: from n/a through <= 7.6.3.

Remote file include

Stored XSS in Themify Builder <=7.6.3 (CVE-2024-52423)
CVE-2024-52423 6.5 - Medium - November 18, 2024

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Stored XSS. This issue affects Themify Builder: from n/a through <= 7.6.5.

XSS

Themify Builder <7.6.2 XSS via add_query_arg in URL
CVE-2024-9385 6.1 - Medium - October 05, 2024

The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

XSS

Themify Builder 7.6.1 Auth Post Duplication via duplicate_page_ajaxify
CVE-2024-7836 4.3 - Medium - August 22, 2024

The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.

AuthZ

Open Redirect Vulnerability in Themify Builder WP plug < 7.5.8
CVE-2024-3032 6.1 - Medium - June 13, 2024

Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.

Open Redirect

CSRF in Themify Builder (v7.0.5) Vulnerable to Cross-Site Request Forgery
CVE-2024-24872 8.8 - High - February 21, 2024

Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder. This issue affects Themify Builder: from n/a through 7.0.5.

Session Riding
