
cpe:2.3:a:themeum:droip:*:*:*:*:*:wordpress:*:*

Part: a
Version: *
Update: *
Vendor: Themeum (12449a9f-b8a3-5f81-9e39-f958a6d45415)
Product: Droip (0c60a7df-e9d9-538c-bee7-8005bca8f953)
Edition: *
Language: *
Software edition: *
Target software: wordpress
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Columns: Identifier | CPE applicability | Submitted | db.gcve.eu details (title, severity, description, published, updated, reference links) | Rationale

Identifier: CVE-2025-5835
CPE applicability: vulnerable
Submitted: 2026-06-03 15:07:54.798683
Title: Droip <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Many Actions
Severity: HIGH (8.8)
Description: The Droip plugin for WordPress is vulnerable to unauthorized modification and access of data due to a missing capability check on the droip_post_apis() function in all versions up to, and including, 2.2.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform many actions, since that AJAX entrypoint hooks to several functions. Some potential impacts include arbitrary post deletion, arbitrary post creation, post duplication, settings update, user manipulation, and much more.
Published: 2025-07-25T06:43:55.268Z
Updated: 2026-04-08T17:29:18.756Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2025-5831
CPE applicability: vulnerable
Submitted: 2026-06-03 15:07:54.793329
Title: Droip < 2.5.2 - Authenticated (Subscriber+) Arbitrary File Upload
Severity: HIGH (8.8)
Description: The Droip plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the make_google_font_offline() function in all versions up to, and excluding, 2.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
Published: 2025-07-25T06:43:54.605Z
Updated: 2026-04-08T17:27:57.185Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2024-43955
CPE applicability: vulnerable
Submitted: 2026-06-03 14:56:47.105536
Title: WordPress Droip plugin <= 1.1.1 - Unauthenticated Arbitrary File Download/Deletion vulnerability
Severity: CRITICAL (10)
Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Themeum Droip allows File Manipulation. This issue affects Droip: from n/a through 1.1.1.
Published: 2024-08-29T15:19:57.844Z
Updated: 2026-04-28T16:10:14.398Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data

Identifier: CVE-2024-43954
CPE applicability: vulnerable
Submitted: 2026-06-03 14:56:47.105048
Title: WordPress Droip plugin <= 1.1.1 - Subscriber+ Settings Change/Data Exposure Vulnerability
Severity: MEDIUM (6.3)
Description: Incorrect Authorization vulnerability in Themeum Droip allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Droip: from n/a through 1.1.1.
Published: 2024-08-29T15:18:07.542Z
Updated: 2026-04-28T16:10:14.312Z
Reference links
Rationale: Imported from gcve-enriched-dumps CVE data
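The four records above fall into three weakness classes in a WordPress plugin: a shared AJAX dispatcher with no capability check (CVE-2025-5835, CVE-2024-43954), a remote-file fetch that never validates the file type it writes to disk (CVE-2025-5831), and file read/delete paths that are not confined to a directory (CVE-2024-43955). The PHP below is an added illustration of the hardened shape of each, written for this page; it is not Droip's source and none of its names are the plugin's. Every hook, function, option key, nonce action, directory and pinned host (example_post_api, example_make_font_offline, example_delete_font, example-fonts, fonts.gstatic.com) is a hypothetical stand-in. The WordPress API calls themselves (check_ajax_referer, current_user_can, wp_check_filetype, download_url, wp_unique_filename, wp_send_json_error) are real core functions.

```php
<?php
// Added illustrative code, not Droip's source. Every hook, function, option,
// nonce action, directory and host name below is a hypothetical stand-in.

// --- Part 1: one admin-ajax entrypoint dispatching to many sub-actions ---
// The vulnerable shape checks nothing beyond "logged in", so any Subscriber
// reaches every sub-action. Fix: a nonce plus a per-sub-action capability check.
add_action( 'wp_ajax_example_post_api', 'example_post_api' );

function example_post_api() {
    check_ajax_referer( 'example_post_api', 'nonce' );   // CSRF protection
    $sub = sanitize_key( $_POST['sub_action'] ?? '' );
    switch ( $sub ) {
        case 'delete_post':
            // Meta capability resolved for this post ID: an Author may delete
            // their own post but not someone else's; Subscribers get nothing.
            $post_id = absint( $_POST['post_id'] ?? 0 );
            if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            wp_send_json_success( (bool) wp_delete_post( $post_id, true ) );
            break;
        case 'update_settings':
            // Site-wide settings need manage_options, never just "authenticated".
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
            wp_send_json_success( update_option( 'example_setting', $value ) );
            break;
        default:
            wp_send_json_error( 'unknown sub_action', 400 );
    }
}

// --- Part 2: writing a remote "font" to disk and deleting files under it ---
const EXAMPLE_FONT_MIMES = array(
    'woff'  => 'font/woff',
    'woff2' => 'font/woff2',
    'ttf'   => 'font/ttf',
);

// Returns the resolved path if $candidate is inside $base_dir, otherwise false.
// realpath() collapses "..", symlinks and duplicate separators before the
// prefix comparison, which is what defeats traversal sequences in user input.
function example_path_within( $base_dir, $candidate ) {
    $base = realpath( $base_dir );
    $real = realpath( $candidate );
    if ( false === $base || false === $real ) {
        return false;
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strncmp( $real, $base, strlen( $base ) ) ? $real : false;
}

function example_make_font_offline( $url ) {
    require_once ABSPATH . 'wp-admin/includes/file.php'; // provides download_url()
    // An attacker-chosen URL is both an SSRF and an "upload anything" primitive,
    // so pin the host the feature exists for (hypothetical choice here).
    if ( 'fonts.gstatic.com' !== wp_parse_url( $url, PHP_URL_HOST ) ) {
        return new WP_Error( 'bad_host', 'Unexpected font host' );
    }
    // Fix the destination name before downloading: sanitized basename, and the
    // extension must be on the allow-list (this is the missing type validation).
    $name = sanitize_file_name( wp_basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
    $type = wp_check_filetype( $name, EXAMPLE_FONT_MIMES );
    if ( empty( $type['ext'] ) ) {
        return new WP_Error( 'bad_type', 'Not an allow-listed font file' );
    }
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-fonts';
    wp_mkdir_p( $dir );
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return $tmp;
    }
    $dest = $dir . '/' . wp_unique_filename( $dir, $name );
    if ( ! rename( $tmp, $dest ) ) {
        @unlink( $tmp );
        return new WP_Error( 'move_failed', 'Could not store font file' );
    }
    return $dest;
}

// Deletion takes a bare file name, re-anchors it under the fonts directory and
// refuses anything that resolves outside it. Requires manage_options as well.
function example_delete_font( $requested ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability' );
    }
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-fonts';
    $path = example_path_within( $dir, $dir . '/' . wp_basename( $requested ) );
    if ( false === $path || ! is_file( $path ) ) {
        return new WP_Error( 'bad_path', 'Not a font file under the fonts directory' );
    }
    return unlink( $path );
}
```

Two design points matter when reviewing a plugin against these records. First, `wp_ajax_*` hooks only prove the caller is logged in; a Subscriber account satisfies that, so every sub-action behind a shared dispatcher needs its own `current_user_can` check, scoped to the object ID where a meta capability exists. Second, the destination file name is decided and validated before any bytes are fetched, and both the write and the delete path are re-checked with `realpath` containment, so a crafted URL or a `../` in a request parameter cannot pick the location or the type of the file that lands on disk.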
