Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting

Wordfence Intelligence   >   Vulnerability Database   >   Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE CVE-2024-1323
CVSS 6.4 (Medium)
Publicly Published February 26, 2024
Last Updated February 27, 2024
Researcher Webbernaut

Description

The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Post Type Grid Widget Title in all versions up to, and including, 2.10.30 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

Share

Vulnerability Details for Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More

Software Type Plugin
Software Slug themeisle-companion (view on wordpress.org)
Patched? Yes
Remediation Update to version 2.10.32, or a newer patched version
Affected Version
  • <= 2.10.31
Patched Version
  • 2.10.32

Recent vulnerabilities in Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More

Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter
4.4
CVE-2026-11358
Jun 17, 2026
Researcher: Meher Sudhakar Abbireddi
Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy
6.4
CVE-2025-12045
Nov 3, 2025
Researcher: Dmitrii Ignatyev
Orbit Fox by ThemeIsle <= 3.0.1 - Authenticated (Author+) Server-Side Request Forgery
6.4
CVE-2025-10874
Oct 3, 2025
Researcher: Ryan Roth
Orbit Fox by ThemeIsle <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-58593
Sep 3, 2025
Researcher: Michael
Orbit Fox by ThemeIsle <= 2.10.44 - Authenticated (Contributor+) Stored Cross-Site Scripting
6.4
CVE-2025-22659
Feb 3, 2025
Researcher: Prissy
Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter
6.4
CVE-2024-13183
Jan 9, 2025
Researcher: Ankit Patel
Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget
6.4
CVE-2025-0311
Jan 9, 2025
Researcher: Webbernaut
Orbit Fox by ThemeIsle <= 2.10.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
6.4
CVE-2024-7778
Aug 21, 2024
Researcher: wesley (wcraft)
Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets
6.4
CVE-2024-2484
Jun 21, 2024
Researcher: wesley (wcraft)
Orbit Fox by ThemeIsle <= 2.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget
6.4
CVE-2024-2126
Mar 7, 2024
Researcher: wesley (wcraft)
# Title CVE ID CVSS Researchers Date
1 Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter CVE-2026-11358 4.4 Meher Sudhakar Abbireddi June 17, 2026
2 Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy CVE-2025-12045 6.4 Dmitrii Ignatyev November 3, 2025
3 Orbit Fox by ThemeIsle <= 3.0.1 - Authenticated (Author+) Server-Side Request Forgery CVE-2025-10874 6.4 Ryan Roth October 3, 2025
4 Orbit Fox by ThemeIsle <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-58593 6.4 Michael September 3, 2025
5 Orbit Fox by ThemeIsle <= 2.10.44 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2025-22659 6.4 Prissy February 3, 2025
6 Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter CVE-2024-13183 6.4 Ankit Patel January 9, 2025
7 Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget CVE-2025-0311 6.4 Webbernaut January 9, 2025
8 Orbit Fox by ThemeIsle <= 2.10.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload CVE-2024-7778 6.4 wesley (wcraft) August 21, 2024
9 Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets CVE-2024-2484 6.4 wesley (wcraft) June 21, 2024
10 Orbit Fox by ThemeIsle <= 2.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget CVE-2024-2126 6.4 wesley (wcraft) March 7, 2024
View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

Copyright 2012-2026 Defiant Inc.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

Copyright 1999-2026 The MITRE Corporation

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation