Search criteria

6 vulnerabilities by blossomthemes

CVE-2024-5647 (GCVE-0-2024-5647)

Vulnerability from cvelistv5 – Published: 2025-07-03 09:22 – Updated: 2026-04-08 17:27
VLAI?
Title
Multiple Plugins <= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library
Summary
Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default.
CWE
  • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
Impacted products
Vendor Product Version
blossomthemes BlossomThemes Social Feed Affected: 0 , ≤ 2.0.5 (semver)
Create a notification for this product.
    sayful Carousel Slider Affected: 0 , ≤ 2.2.14 (semver)
Create a notification for this product.
    divisupreme Supreme Modules Lite – Divi Theme, Extra Theme and Divi Builder Affected: 0 , ≤ 2.5.52 (semver)
Create a notification for this product.
    robosoft Robo Gallery – Photo & Image Slider Affected: 0 , ≤ 3.2.22 (semver)
Create a notification for this product.
    gutentor Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor Affected: 0 , ≤ 3.4.9 (semver)
Create a notification for this product.
    oceanwp OceanWP Affected: 0 , ≤ 3.6.0 (semver)
Create a notification for this product.
    thehappymonster Happy Addons for Elementor Affected: 0 , ≤ 3.12.2 (semver)
Create a notification for this product.
    badhonrocks Divi Torque Lite – Divi Theme, Divi Builder & Extra Theme Affected: 0 , ≤ 4.0.5 (semver)
Create a notification for this product.
    Elegant Themes Divi Builder Affected: 0 , ≤ 4.27.1 (semver)
Create a notification for this product.
    Elegant Themes Divi Affected: 0 , ≤ 4.27.1 (semver)
Create a notification for this product.
    Elegant Themes Divi Extra Affected: 0 , ≤ 4.27.1 (semver)
Create a notification for this product.
    boldthemes Bold Page Builder Affected: 0 , ≤ 5.1.2 (semver)
Create a notification for this product.
    wpdevteam Essential Addons for Elementor – Popular Elementor Templates & Widgets Affected: 0 , ≤ 6.0.4 (semver)
Create a notification for this product.
    gn_themes WP Shortcodes Plugin — Shortcodes Ultimate Affected: 0 , ≤ 7.4.2 (semver)
Create a notification for this product.
Credits
Craig Smith
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-5647",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-03T12:59:42.727059Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-07-03T13:17:30.817Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "BlossomThemes Social Feed",
          "vendor": "blossomthemes",
          "versions": [
            {
              "lessThanOrEqual": "2.0.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Carousel Slider",
          "vendor": "sayful",
          "versions": [
            {
              "lessThanOrEqual": "2.2.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Supreme Modules Lite \u2013 Divi Theme, Extra Theme and Divi Builder",
          "vendor": "divisupreme",
          "versions": [
            {
              "lessThanOrEqual": "2.5.52",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Robo Gallery \u2013 Photo \u0026 Image Slider",
          "vendor": "robosoft",
          "versions": [
            {
              "lessThanOrEqual": "3.2.22",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Gutentor \u2013 Gutenberg Blocks \u2013 Page Builder for Gutenberg Editor",
          "vendor": "gutentor",
          "versions": [
            {
              "lessThanOrEqual": "3.4.9",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "OceanWP",
          "vendor": "oceanwp",
          "versions": [
            {
              "lessThanOrEqual": "3.6.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Happy Addons for Elementor",
          "vendor": "thehappymonster",
          "versions": [
            {
              "lessThanOrEqual": "3.12.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Divi Torque Lite \u2013 Divi Theme, Divi Builder \u0026 Extra Theme",
          "vendor": "badhonrocks",
          "versions": [
            {
              "lessThanOrEqual": "4.0.5",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Divi Builder",
          "vendor": "Elegant Themes",
          "versions": [
            {
              "lessThanOrEqual": "4.27.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Divi",
          "vendor": "Elegant Themes",
          "versions": [
            {
              "lessThanOrEqual": "4.27.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Divi Extra",
          "vendor": "Elegant Themes",
          "versions": [
            {
              "lessThanOrEqual": "4.27.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Bold Page Builder",
          "vendor": "boldthemes",
          "versions": [
            {
              "lessThanOrEqual": "5.1.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Essential Addons for Elementor \u2013 Popular Elementor Templates \u0026 Widgets",
          "vendor": "wpdevteam",
          "versions": [
            {
              "lessThanOrEqual": "6.0.4",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "WP Shortcodes Plugin \u2014 Shortcodes Ultimate",
          "vendor": "gn_themes",
          "versions": [
            {
              "lessThanOrEqual": "7.4.2",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Craig Smith"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin\u0027s bundled Magnific Popups library (version 1.1.0) in various versions due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was fixed in the upstream library (Magnific Popups version 1.2.0) by disabling the loading of HTML within certain fields by default."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T17:27:25.153Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dae80fc2-3076-4a32-876d-5df1c62de9bd?source=cve"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/vendor/magnific-popup/magnific-popup.js"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/essential-addons-for-elementor-lite/trunk/assets/front-end/js/lib-view/magnific-popup/jquery.magnific-popup.js"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/bold-page-builder/trunk/content_elements_misc/js/jquery.magnific-popup.js"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3154460/happy-elementor-addons"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3153781/bold-page-builder"
        },
        {
          "url": "https://plugins.trac.wordpress.org/browser/robo-gallery/trunk/js/robo_gallery.js#L56"
        },
        {
          "url": "https://www.elegantthemes.com/api/changelog/divi.txt"
        },
        {
          "url": "https://www.elegantthemes.com/api/changelog/extra.txt"
        },
        {
          "url": "https://www.elegantthemes.com/api/changelog/divi-builder.txt"
        },
        {
          "url": "https://themes.trac.wordpress.org/changeset/244604/oceanwp"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3153700/essential-addons-for-elementor-lite"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3184626/addons-for-divi"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3201991/robo-gallery"
        },
        {
          "url": "https://plugins.trac.wordpress.org/changeset/3166204/carousel-slider"
        },
        {
          "url": "https://github.com/dimsemenov/Magnific-Popup/releases/tag/1.2.0"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-06-05T00:00:00.000Z",
          "value": "Vendor Notified"
        },
        {
          "lang": "en",
          "time": "2025-07-02T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Multiple Plugins \u003c= (Various Versions) - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Magnific Popups JavaScript Library"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-5647",
    "datePublished": "2025-07-03T09:22:19.308Z",
    "dateReserved": "2024-06-04T21:31:54.009Z",
    "dateUpdated": "2026-04-08T17:27:25.153Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-37412 (GCVE-0-2024-37412)

Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-28 16:09
VLAI?
Title
WordPress Blossom Shop theme <= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Blossom Shop blossom-shop allows Cross Site Request Forgery.This issue affects Blossom Shop: from n/a through <= 1.1.7.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
blossomthemes Blossom Shop Affected: 0 , ≤ 1.1.7 (custom)
Create a notification for this product.
Credits
Dhabaleshwar Das | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37412",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-02T14:46:04.898020Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-02T14:52:06.447Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "blossom-shop",
          "product": "Blossom Shop",
          "vendor": "blossomthemes",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.1.8",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.7",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:26:25.990Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Blossom Shop blossom-shop allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Blossom Shop: from n/a through \u003c= 1.1.7.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Blossom Shop blossom-shop allows Cross Site Request Forgery.This issue affects Blossom Shop: from n/a through \u003c= 1.1.7."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:09:57.964Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Theme/blossom-shop/vulnerability/wordpress-blossom-shop-theme-1-1-7-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Blossom Shop theme \u003c= 1.1.7 - Cross Site Request Forgery (CSRF) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37412",
    "datePublished": "2025-01-02T12:00:47.258Z",
    "dateReserved": "2024-06-09T08:51:13.011Z",
    "dateUpdated": "2026-04-28T16:09:57.964Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-37243 (GCVE-0-2024-37243)

Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-28 16:09
VLAI?
Title
WordPress Vandana Lite theme <= 1.1.9 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vandana Lite vandana-lite allows Cross Site Request Forgery.This issue affects Vandana Lite: from n/a through <= 1.1.9.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
blossomthemes Vandana Lite Affected: 0 , ≤ 1.1.9 (custom)
Create a notification for this product.
Credits
Dhabaleshwar Das | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37243",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-02T14:46:23.071387Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-02T14:52:06.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "vandana-lite",
          "product": "Vandana Lite",
          "vendor": "blossomthemes",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.0",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.1.9",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:26:21.475Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vandana Lite vandana-lite allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Vandana Lite: from n/a through \u003c= 1.1.9.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vandana Lite vandana-lite allows Cross Site Request Forgery.This issue affects Vandana Lite: from n/a through \u003c= 1.1.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:09:57.411Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Theme/vandana-lite/vulnerability/wordpress-vandana-lite-theme-1-1-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Vandana Lite theme \u003c= 1.1.9 - Cross Site Request Forgery (CSRF) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37243",
    "datePublished": "2025-01-02T12:00:45.355Z",
    "dateReserved": "2024-06-04T16:46:33.482Z",
    "dateUpdated": "2026-04-28T16:09:57.411Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-37102 (GCVE-0-2024-37102)

Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2026-04-28 16:09
VLAI?
Title
WordPress Vilva theme <= 1.2.2 - Cross Site Request Forgery (CSRF) vulnerability
Summary
Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vilva vilva allows Cross Site Request Forgery.This issue affects Vilva: from n/a through <= 1.2.2.
CWE
  • CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
Impacted products
Vendor Product Version
blossomthemes Vilva Affected: 0 , ≤ 1.2.2 (custom)
Create a notification for this product.
Credits
Dhabaleshwar Das | Patchstack Bug Bounty Program
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-37102",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-02T17:05:48.431127Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-02T17:05:55.744Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://wordpress.org/plugins",
          "defaultStatus": "unaffected",
          "packageName": "vilva",
          "product": "Vilva",
          "vendor": "blossomthemes",
          "versions": [
            {
              "changes": [
                {
                  "at": "1.2.3",
                  "status": "unaffected"
                }
              ],
              "lessThanOrEqual": "1.2.2",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Dhabaleshwar Das | Patchstack Bug Bounty Program"
        }
      ],
      "datePublic": "2026-04-01T16:26:17.359Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vilva vilva allows Cross Site Request Forgery.\u003cp\u003eThis issue affects Vilva: from n/a through \u003c= 1.2.2.\u003c/p\u003e"
            }
          ],
          "value": "Cross-Site Request Forgery (CSRF) vulnerability in blossomthemes Vilva vilva allows Cross Site Request Forgery.This issue affects Vilva: from n/a through \u003c= 1.2.2."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "Cross Site Request Forgery"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "Cross-Site Request Forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:09:55.857Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/Wordpress/Theme/vilva/vulnerability/wordpress-vilva-theme-1-2-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
        }
      ],
      "title": "WordPress Vilva theme \u003c= 1.2.2 - Cross Site Request Forgery (CSRF) vulnerability"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-37102",
    "datePublished": "2025-01-02T12:00:40.257Z",
    "dateReserved": "2024-06-03T11:44:54.522Z",
    "dateUpdated": "2026-04-28T16:09:55.857Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-2107 (GCVE-0-2024-2107)

Vulnerability from cvelistv5 – Published: 2024-03-12 21:34 – Updated: 2026-04-08 16:56
VLAI?
Title
Blossom Spa <= 1.3.3 - Sensitive Information Exposure
Summary
The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts.
CWE
Assigner
Impacted products
Vendor Product Version
blossomthemes Blossom Spa Affected: 0 , ≤ 1.3.3 (semver)
Create a notification for this product.
Credits
Krzysztof Zając
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2107",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-03-13T16:08:53.795328Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:30:12.584Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:03:38.847Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e54dbf9-a5d1-413d-96ac-93dd499c21a4?source=cve"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://themes.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=220138%40blossom-spa\u0026new=220138%40blossom-spa\u0026sfp_email=\u0026sfph_mail="
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Blossom Spa",
          "vendor": "blossomthemes",
          "versions": [
            {
              "lessThanOrEqual": "1.3.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Krzysztof Zaj\u0105c"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Blossom Spa theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.3 via generated source. This makes it possible for unauthenticated attackers to extract sensitive data including contents of password-protected or scheduled posts."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 5.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-862",
              "description": "CWE-862 Missing Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T16:56:10.757Z",
        "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "shortName": "Wordfence"
      },
      "references": [
        {
          "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5e54dbf9-a5d1-413d-96ac-93dd499c21a4?source=cve"
        },
        {
          "url": "https://themes.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=220138%40blossom-spa\u0026new=220138%40blossom-spa\u0026sfp_email=\u0026sfph_mail="
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2024-03-12T00:00:00.000Z",
          "value": "Disclosed"
        }
      ],
      "title": "Blossom Spa \u003c= 1.3.3 - Sensitive Information Exposure"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
    "assignerShortName": "Wordfence",
    "cveId": "CVE-2024-2107",
    "datePublished": "2024-03-12T21:34:33.695Z",
    "dateReserved": "2024-03-01T18:30:23.328Z",
    "dateUpdated": "2026-04-08T16:56:10.757Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-37338 (GCVE-0-2022-37338)

Vulnerability from cvelistv5 – Published: 2022-09-23 13:35 – Updated: 2026-04-28 16:07
VLAI?
Title
WordPress Blossom Recipe Maker plugin <= 1.0.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities
Summary
Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Blossom Recipe Maker plugin <= 1.0.7 at WordPress.
CWE
  • CWE-79 - Cross-site Scripting (XSS)
Assigner
Impacted products
Vendor Product Version
Blossomthemes Blossom Recipe Maker (WordPress plugin) Affected: <= 1.0.7 , ≤ 1.0.7 (custom)
Create a notification for this product.
Credits
Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T10:29:20.718Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/blossom-recipe-maker/wordpress-blossom-recipe-maker-plugin-1-0-7-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://wordpress.org/plugins/blossom-recipe-maker/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-37338",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-20T19:24:23.028730Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-20T20:04:35.937Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Blossom Recipe Maker (WordPress plugin)",
          "vendor": "Blossomthemes",
          "versions": [
            {
              "lessThanOrEqual": "1.0.7",
              "status": "affected",
              "version": "\u003c= 1.0.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
        }
      ],
      "datePublic": "2022-09-01T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Blossom Recipe Maker plugin \u003c= 1.0.7 at WordPress."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Cross-site Scripting (XSS)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-28T16:07:46.355Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://patchstack.com/database/vulnerability/blossom-recipe-maker/wordpress-blossom-recipe-maker-plugin-1-0-7-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://wordpress.org/plugins/blossom-recipe-maker/"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Blossom Recipe Maker plugin \u003c= 1.0.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "audit@patchstack.com",
          "DATE_PUBLIC": "2022-09-01T19:39:00.000Z",
          "ID": "CVE-2022-37338",
          "STATE": "PUBLIC",
          "TITLE": "WordPress Blossom Recipe Maker plugin \u003c= 1.0.7 - Multiple Authenticated Stored Cross-Site Scripting (XSS) vulnerabilities"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Blossom Recipe Maker (WordPress plugin)",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_name": "\u003c= 1.0.7",
                            "version_value": "1.0.7"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Blossomthemes"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Vulnerability discovered by Ngo Van Thien (Patchstack Alliance)"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple Authenticated (contributor+) Stored Cross-Site Scripting (XSS) vulnerabilities in Blossom Recipe Maker plugin \u003c= 1.0.7 at WordPress."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-79 Cross-site Scripting (XSS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://patchstack.com/database/vulnerability/blossom-recipe-maker/wordpress-blossom-recipe-maker-plugin-1-0-7-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities",
              "refsource": "CONFIRM",
              "url": "https://patchstack.com/database/vulnerability/blossom-recipe-maker/wordpress-blossom-recipe-maker-plugin-1-0-7-multiple-authenticated-stored-cross-site-scripting-xss-vulnerabilities"
            },
            {
              "name": "https://wordpress.org/plugins/blossom-recipe-maker/",
              "refsource": "CONFIRM",
              "url": "https://wordpress.org/plugins/blossom-recipe-maker/"
            }
          ]
        },
        "source": {
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2022-37338",
    "datePublished": "2022-09-23T13:35:04.708Z",
    "dateReserved": "2022-08-09T00:00:00.000Z",
    "dateUpdated": "2026-04-28T16:07:46.355Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}