Imithemes
Products: 3
- 9 CVEs
- 1 CVE
- 1 CVE
Recent CVEs: 11

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-2253 | | Critical | 0.64 | 9.8 | 0.01 | | May 9, 2025 | The IMITHEMES Listing plugin is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3. This is due to the plugin not properly validating a verification code value prior to updating their password through the imic_reset_password_init()… |
| CVE-2025-39481 | | Critical | 0.60 | 9.3 | 0.00 | | May 16, 2025 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in imithemes Eventer eventer allows Blind SQL Injection. This issue affects Eventer: from n/a through < 3.11.4. |
| CVE-2026-32518 | | High | 0.46 | 7.1 | 0.00 | | Mar 25, 2026 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imithemes Gaea gaea allows Reflected XSS. This issue affects Gaea: from n/a through < 3.8. |
| CVE-2025-22635 | | High | 0.46 | 7.1 | 0.00 | | Feb 23, 2025 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imithemes Eventer eventer allows Reflected XSS. This issue affects Eventer: from n/a through < 3.9.9. |
| CVE-2025-39483 | | Medium | 0.42 | 6.5 | 0.00 | | Aug 14, 2025 | Improper Control of Generation of Code ('Code Injection') vulnerability in imithemes Eventer eventer allows Code Injection. This issue affects Eventer: from n/a through < 3.9.9.1. |
| CVE-2024-11132 | | Medium | 0.42 | 6.4 | 0.00 | | Feb 3, 2025 | The Eventer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via shortcodes in versions up to, and including, 3.9.9.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with… |
| CVE-2024-11133 | | Medium | 0.34 | 5.3 | 0.00 | | Feb 3, 2025 | The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'handle_pdf_download_request' function in all versions up to, and including, 3.9.9.5. This makes it possible for unauthenticated attackers to download event… |
| CVE-2025-39482 | | Medium | 0.28 | 4.3 | 0.00 | | May 16, 2025 | Missing Authorization vulnerability in imithemes Eventer eventer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eventer: from n/a through < 3.11.4. |
| CVE-2024-11134 | | | 0.00 | — | 0.00 | | Feb 3, 2025 | The Eventer plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'eventer_export_bookings_csv' function in all versions up to, and including, 3.9.9. This makes it possible for authenticated attackers with subscriber-level… |
| CVE-2024-11135 | | | 0.00 | — | 0.00 | | Jan 28, 2025 | The Eventer plugin for WordPress is vulnerable to SQL Injection via the 'event' parameter in the 'eventer_get_attendees' function in all versions up to, and including, 3.9.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the… |
| CVE-2024-10799 | | | 0.00 | — | 0.01 | | Jan 17, 2025 | The Eventer plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.9.7 via the eventer_woo_download_tickets() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of… |