Themify Builder
By the Year
In 2026 there have been 0 vulnerabilities in Themify Builder. Last year, in 2025, Themify Builder had 3 security vulnerabilities published. Right now, Themify Builder is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 3 | 6.25 |
| 2024 | 3 | 6.40 |
It may take a day or so for new Themify Builder vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Themify Builder Security Vulnerabilities
WP XSS via Themify Builder 7.6.9 (Stored)
CVE-2025-9353
6.4 - Medium
- September 24, 2025
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via several parameters in all versions up to, and including, 7.6.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 7.6.9.
XSS
Missing Auth in Themify Builder <7.6.7 (IRAC)
CVE-2025-49396
- August 20, 2025
Missing Authorization vulnerability in themifyme Themify Builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Themify Builder: from n/a through 7.6.7.
AuthZ
Themify Builder WP Plugin XSS Reflected v<=7.6.5
CVE-2024-13319
6.1 - Medium
- January 22, 2025
The Themify Builder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 7.6.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
XSS
Themify Builder 7.6.1 Auth Post Duplication via duplicate_page_ajaxify
CVE-2024-7836
4.3 - Medium
- August 22, 2024
The Themify Builder plugin for WordPress is vulnerable to unauthorized post duplication due to missing checks on the duplicate_page_ajaxify function in all versions up to, and including, 7.6.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to duplicate and view private or draft posts created by other users that otherwise shouldn't be accessible to them.
AuthZ
Open Redirect Vulnerability in Themify Builder WP plug < 7.5.8
CVE-2024-3032
6.1 - Medium
- June 13, 2024
Themify Builder WordPress plugin before 7.5.8 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue.
Open Redirect
CSRF in Themify Builder (v7.0.5) Vulnerable to Cross-Site Request Forgery
CVE-2024-24872
8.8 - High
- February 21, 2024
Cross-Site Request Forgery (CSRF) vulnerability in Themify Themify Builder. This issue affects Themify Builder: from n/a through 7.0.5.
Session Riding