GCVE - cpe:2.3:a:hashthemes:total:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:hashthemes:total:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Hashthemes (`ad6990d3-d10b-5b93-9344-2b8eced11175`)
Product	Total (`c58ec969-e1dc-52ce-a11d-c837d4d5d71e`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-5077`	vulnerable	2026-06-03 15:26:26.511212	Total <= 2.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Post Title in Blog Section Image alt Attribute MEDIUM (5.4) The Total theme for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in versions up to, and including, 2.2.1 due to insufficient output escaping when rendering the_title() inside HTML attribute context in the home blog section template. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation requires the malicious post to be published and displayed with a featured image in the Home Page blog section. Published: 2026-05-02T09:26:16.066Z Updated: 2026-05-04T15:43:20.540Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/b1749bef-0952-4530-b607-4574765d2700?source=cve https://themes.trac.wordpress.org/changeset/320590/total	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-1771`	vulnerable	2026-06-03 14:54:34.582696	Total <= 2.1.59 - Missing Authorization to Authenticated (Subscriber+) Sections Update MEDIUM (4.3) The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage. Published: 2024-03-06T05:33:23.906Z Updated: 2026-04-08T16:42:47.541Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/26b64ae3-5839-47d5-9c65-7c595bb18e6c?source=cve https://themes.trac.wordpress.org/browser/total/2.1.59/inc/customizer/customizer-functions.php#L112 https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=219020%40total%2F2.1.60&old=216973%40total%2F2.1.59	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2023-27456`	vulnerable	2026-06-03 14:51:01.897073	WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation MEDIUM (4.3) Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19. Published: 2024-12-13T14:23:19.705Z Updated: 2026-04-28T16:08:14.147Z Open on db.gcve.eu Reference links https://patchstack.com/database/wordpress/theme/total/vulnerability/wordpress-total-theme-2-1-19-authenticated-arbitrary-plugin-activation?_s_id=cve	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.