GCVE - cpe:2.3:a:themeisle:menu_icons_by_themeisle:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:themeisle:menu_icons_by_themeisle:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Themeisle (`952ca4ef-81b0-5b76-b2cc-d8cf654b2d29`)
Product	Menu Icons By Themeisle (`e995432a-aff5-5a95-9162-75ee5689e5c3`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-1755`	vulnerable	2026-06-03 15:14:45.267552	Menu Icons by ThemeIsle <= 0.13.20 - Authenticated (Author+) Stored Cross-Site Scripting MEDIUM (6.4) The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2026-02-03T22:22:47.333Z Updated: 2026-04-08T16:44:55.712Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497 https://plugins.trac.wordpress.org/changeset/3452685/menu-icons	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-4635`	vulnerable	2026-06-03 14:57:15.925906	Menu Icons by ThemeIsle <= 0.13.13 - Authenticated (Author+) Stored Cross-Site Scripting via SVG Upload MEDIUM (6.4) The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘add_mime_type’ function in versions up to, and including, 0.13.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Published: 2024-05-16T05:33:27.125Z Updated: 2026-04-08T17:06:43.829Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/90284576-6570-4e4c-8eb3-743bc402ea1b?source=cve https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.13/vendor/codeinwp/icon-picker/includes/types/svg.php#L69 https://plugins.trac.wordpress.org/changeset/3086753/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2024-1047`	vulnerable	2026-06-03 14:54:26.023899	ThemeIsle SDK <= Various Versions - Missing Authorization MEDIUM (5.3) Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source. Published: 2024-02-02T05:33:14.536Z Updated: 2026-04-08T16:56:47.195Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175 https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040302%40templates-patterns-collection&new=3040302%40templates-patterns-collection&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.