Vulnerabilities > Themeum > Qubely

DATE CVE VULNERABILITY TITLE RISK
2024-01-16 CVE-2023-0376 Cross-site Scripting vulnerability in Themeum Qubely
The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
network
low complexity
themeum CWE-79
5.4
2023-08-07 CVE-2021-24916 Unspecified vulnerability in Themeum Qubely
The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action.
network
low complexity
themeum
7.5
2022-01-24 CVE-2021-25013 Cross-Site Request Forgery (CSRF) vulnerability in Themeum Qubely
The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts
network
low complexity
themeum CWE-352
6.5