Favethemes Homey vulnerabilities
5 known vulnerabilities affecting favethemes/homey.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2025-52834 | P2 | CRITICAL | CVSS 9.3 | CWE-89 | ≤ 2.4.7 | 2025-06-27
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in favethemes Homey homey allows SQL Injection. This issue affects Homey: from n/a through <= 2.4.7.
Source: NVD

CVE-2024-51800 | P3 | CRITICAL | CVSS 9.8 | CWE-266 | ≥ n/a, ≤ 2.4.1 | 2025-04-04
Incorrect Privilege Assignment vulnerability in Favethemes Homey allows Privilege Escalation. This issue affects Homey: from n/a through 2.4.1.
Source: NVD

CVE-2025-31037 | P4 | HIGH | CVSS 7.1 | CWE-79 | ≤ 2.4.5 | 2025-07-04
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in favethemes Homey homey allows Reflected XSS. This issue affects Homey: from n/a through <= 2.4.5.
Source: NVD

CVE-2025-1326 | P4 | MEDIUM | CVSS 4.3 | CWE-862 | fixed in 2.4.5 | 2025-05-02
The Homey theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the homey_reservation_del() function in all versions up to, and including, 2.4.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary reservations and posts.
Source: NVD

CVE-2025-1327 | P4 | MEDIUM | CVSS 4.3 | CWE-639 | fixed in 2.4.5 | 2025-05-02
The Homey theme for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.4.4 via the 'homey_delete_user_account' action due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' accounts.
Source: NVD