PatchSiren

Themefic CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Themefic CVE published 2026-07-13

CVE-2026-57395

A Missing Authorization vulnerability in Themefic Tourfic tourfic allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tourfic: from n/a through <= 2.22.5. The vulnerability has a CVSS score of 6.5 and is classified as MEDIUM severity. Users of Themefic Tourfic tourfic plugin up to version 2.22.5 should be aware of this vulnerability and take necessary precautions.

HIGH Themefic CVE published 2026-07-13

CVE-2026-57388

CVE-2026-57388 is a Stored Cross-Site Scripting (XSS) vulnerability in the Hydra Booking plugin for WordPress. The vulnerability affects versions from n/a through 1.1.44. This issue allows an attacker to inject malicious scripts into web pages, potentially leading to unauthorized actions or data theft. The vulnerability has a CVSS score of 7.1 and is considered HIGH severity. Administrators and users of t [truncated]

MEDIUM Themefic CVE published 2026-06-15

CVE-2026-39594

A Subscriber Broken Access Control vulnerability was found in Ultra Addons for WPForms versions <= 1.0.11. This vulnerability has a CVSS score of 6.4 and a severity of MEDIUM. The vulnerability was published on [2026-06-15T21:16:48.167Z](https://www.cve.org/CVERecord?id=CVE-2026-39594) and last modified on [2026-06-15T21:24:32.790Z](https://www.cve.org/CVERecord?id=CVE-2026-39594).

HIGH Themefic CVE published 2026-06-01

CVE-2026-42675

A missing authorization vulnerability in the Themefic Hydra Booking WordPress plugin allows exploitation of incorrectly configured access control security levels. The vulnerability affects versions from n/a through 1.1.41 and has been assigned a CVSS 3.1 score of 7.3 (HIGH). The issue is categorized as CWE-862 (Missing Authorization), indicating that functionality or data accessible to users is not proper [truncated]