Colorlib
Products (10)
- 6 CVEs
- 4 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs (12)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-36708 | | Cri | 0.71 | 9.8 | 0.65 | | Jun 7, 2023 | The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <=… |
| CVE-2025-26894 | | Hig | 0.49 | 7.5 | 0.00 | | Apr 15, 2025 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mobeen Abdullah Coming Soon, Maintenance Mode site-mode allows PHP Local File Inclusion. This issue affects Coming Soon, Maintenance Mode: from n/a through <=… |
| CVE-2020-36721 | | Med | 0.42 | 6.5 | 0.01 | | Jun 7, 2023 | The Brilliance <= 1.2.7, Activello <= 1.4.0, and Newspaper X <= 1.3.1 themes for WordPress are vulnerable to Plugin Activation/Deactivation. This is due to the 'activello_activate_plugin' and 'activello_deactivate_plugin' functions in the 'inc/welcome-screen/class-activello-welco… |
| CVE-2024-1475 | | Med | 0.34 | 5.3 | 0.00 | | Feb 29, 2024 | The Coming Soon Maintenance Mode plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.5 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page content thus bypassing the protection… |
| CVE-2024-49321 | | Med | 0.28 | 4.3 | 0.00 | | Oct 21, 2024 | Missing Authorization vulnerability in colorlibplugins Simple Custom Post Order simple-custom-post-order allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple Custom Post Order: from n/a through <= 2.5.7. |
| CVE-2024-1473 | | Med | 0.27 | 5.3 | 0.01 | | Mar 20, 2024 | The Coming Soon & Maintenance Mode by Colorlib plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.99 via the REST API. This makes it possible for unauthenticated attackers to obtain post and page contents via REST API thus… |
| CVE-2022-45849 | | | 0.00 | — | 0.00 | | Apr 16, 2023 | Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions. |
| CVE-2022-45358 | | | 0.00 | — | 0.00 | | Apr 13, 2023 | Auth. (subscriber+) Reflected Cross-Site Scripting (XSS) vulnerability in Silkalns Activello theme <= 1.4.4 versions. |
| CVE-2022-1576 | | | 0.00 | — | 0.00 | | Jul 11, 2022 | The WP Maintenance Mode & Coming Soon WordPress plugin before 2.4.5 is lacking CSRF when emptying the subscribed users list, which could allow attackers to make a logged in admin perform such action via a CSRF attack |
| CVE-2022-0199 | | | 0.00 | — | 0.00 | | Feb 21, 2022 | The Coming soon and Maintenance mode WordPress plugin before 3.6.8 does not have CSRF check in its coming_soon_send_mail AJAX action, allowing attackers to make logged in admin to send arbitrary emails to all subscribed users via a CSRF attack |
| CVE-2022-0164 | | | 0.00 | — | 0.00 | | Feb 21, 2022 | The Coming soon and Maintenance mode WordPress plugin before 3.5.3 does not have authorisation and CSRF checks in its coming_soon_send_mail AJAX action, allowing any authenticated users, with a role as low as subscriber to send arbitrary emails to all subscribed users |
| CVE-2015-1494 | | | 0.00 | — | 0.06 | | Feb 17, 2015 | The FancyBox for WordPress plugin before 3.0.3 for WordPress does not properly restrict access, which allows remote attackers to conduct cross-site scripting (XSS) attacks via an mfbfw[*] parameter in an update action to wp-admin/admin-post.php, as demonstrated by the… |