Vulnerabilities > Themeum > Qubely > 1.3.6
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-02-14 | CVE-2024-9601 | Cross-site Scripting vulnerability in Themeum Qubely The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘align’ and 'UniqueID' parameter in all versions up to, and including, 1.8.12 due to insufficient input sanitization and output escaping. | 5.4 |
| 2024-01-16 | CVE-2023-0376 | Cross-site Scripting vulnerability in Themeum Qubely The Qubely WordPress plugin before 1.8.5 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. | 5.4 |
| 2023-08-07 | CVE-2021-24916 | Unspecified vulnerability in Themeum Qubely The Qubely WordPress plugin before 1.8.6 allows unauthenticated user to send arbitrary e-mails to arbitrary addresses via the qubely_send_form_data AJAX action. | 7.5 |
| 2022-01-24 | CVE-2021-25013 | Cross-Site Request Forgery (CSRF) vulnerability in Themeum Qubely The Qubely WordPress plugin before 1.7.8 does not have authorisation and CSRF check on the qubely_delete_saved_block AJAX action, and does not ensure that the block to be deleted belong to the plugin, as a result, any authenticated users, such as subscriber can delete arbitrary posts | 6.5 |