PLUGIN SECURITY
Is Themeisle Companion safe?
Known vulnerabilities, PHP compatibility and safer alternatives for the Themeisle Companion WordPress plugin — checked against WP Clinic's local security database.
Plugin details
- Slug:
themeisle-companion - Requires PHP: 7.4+
- Max supported PHP (analyzed): 8.4
Known vulnerabilities
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.3 [CVE-2021-24157, Orbit Fox by ThemeIsle <= 2.10.2 - Authenticated (Contributor+) Stored Cross Site Scripting, Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Stored Cross Site Scripting]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.3 [CVE-2021-24158, Orbit Fox by ThemeIsle <= 2.10.2 - Authenticated Privilege Escalation, Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.3 [WordPress Orbit Fox by ThemeIsle plugin <= 2.10.2 - Authenticated Privilege Escalation vulnerability]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.3 [WordPress Orbit Fox by ThemeIsle plugin <= 2.10.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.6.4 [Orbit Fox by ThemeIsle <= 2.6.3 - Improper REST Capabilities Checks]
+ 21 more known vulnerabilities
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.24 [WordPress Orbit Fox by ThemeIsle Plugin < 2.10.24 is vulnerable to Server Side Request Forgery (SSRF)]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.24 [CVE-2023-2287, Orbit Fox by ThemeIsle <= 2.10.23 - Authenticated (Author+) Server-Side Request Forgery via URL, Orbit Fox < 2.10.24 - Author+ Server-Side Request Forgery]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.6.4 [Orbit Fox by ThemeIsle <= 2.6.3 -Does not properly Authenticate REST API Calls]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.27 [CVE-2023-6781, Orbit Fox Companion <= 2.10.26 - Authenticated (Contributor+) Stored Cross-Site Scripting via custom fields, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.26 is vulnerable to Cross Site Scripting (XSS), Orbit Fox Companion < 2.10.27 - Contributor+ Stored XSS]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.28 [Orbit Fox by ThemeIsle <= 2.10.27 - Authenticated(Contributor+) Stored Cross-site Scripting via Pricing Table Elementor Widget]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.28 [CVE-2024-0508, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.27 is vulnerable to Cross Site Scripting (XSS), Orbit Fox by ThemeIsle < 2.10.28 - Contributor+ Stored XSS]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.29 [CVE-2024-1047, ThemeIsle SDK <= Various Versions - Missing Authorization, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.28 is vulnerable to Broken Access Control, Orbit Fox by ThemeIsle < 2.10.29 - Unauthenticated Connected API Keys Update]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.30 [CVE-2024-1162, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.29 is vulnerable to Cross Site Request Forgery (CSRF), Orbit Fox by ThemeIsle < 2.10.30 - Connected API Keys Update via CSRF, Orbit Fox by ThemeIsle <= 2.10.29 - Cross-Site Request Forgery]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.32 [CVE-2024-1323, Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.31 is vulnerable to Cross Site Scripting (XSS), Orbit Fox by ThemeIsle < 2.10.32 - Contributor+ Stored XSS via Post Type Grid Widget]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.31 [CVE-2024-1499, Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.30 is vulnerable to Cross Site Scripting (XSS), Orbit Fox by ThemeIsle < 2.10.31 - Contributor+ Stored XSS via Pricing Table Widget]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.31 [CVE-2024-1497, Orbit Fox by ThemeIsle <= 2.10.30 - Authenticated (Contributor+) Stored Cross-Site Scripting via form widget addr2_width attribute, Orbit Fox by ThemeIsle < 2.10.31 - Contributor+ Stored XSS via Form Widget]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.33 [CVE-2024-2126, Orbit Fox by ThemeIsle <= 2.10.32 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.32 is vulnerable to Cross Site Scripting (XSS), Orbit Fox by ThemeIsle < 2.10.33 - Authenticated (Contributor+) Stored Cross-Site Scripiting via Registration Form Widget]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.35 [CVE-2024-2484, Orbit Fox by ThemeIsle <= 2.10.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via Services and Post Type Grid Widgets, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.34 is vulnerable to Cross Site Scripting (XSS)]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.37 [CVE-2024-7778, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.36 is vulnerable to Cross Site Scripting (XSS), Orbit Fox by ThemeIsle <= 2.10.36 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.44 [CVE-2025-0311, WordPress Orbit Fox by ThemeIsle Plugin <= 2.10.43 is vulnerable to Cross Site Scripting (XSS), Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via Pricing Table Widget, EUVD-2025-1598]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.44 [CVE-2024-13183, Orbit Fox by ThemeIsle <= 2.10.43 - Authenticated (Contributor+) Stored Cross-Site Scripting via title_tag Parameter, EUVD-2024-51405]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 2.10.45 [CVE-2025-22659, Orbit Fox by ThemeIsle <= 2.10.44 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-8456]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 3.0.1 [CVE-2025-58593, Orbit Fox by ThemeIsle <= 3.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting, EUVD-2025-26572]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 3.0.2 [CVE-2025-10874, Orbit Fox by ThemeIsle <= 3.0.1 - Authenticated (Author+) Server-Side Request Forgery, EUVD-2025-35800]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 3.0.3 [CVE-2025-12045, Orbit Fox Companion <= 3.0.2 - Authenticated (Author+) Stored Cross-Site Scripting via Post Taxonomy]
- Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More [themeisle-companion] < 3.0.7 [CVE-2026-11358, Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More <= 3.0.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'menu-item-icon' Parameter]
Vulnerabilities are matched against the exact installed version when it's known. Always keep the plugin updated to the latest release.
Safer / more established alternatives
- Duplicate Page — 3000000+ active installs
- CookieYes – Cookie Banner for Cookie Consent (Easy to setup GDPR/CCPA Compliant Cookie Notice) — 1000000+ active installs — max PHP 8.4
- Complianz – GDPR/CCPA Cookie Consent — 1000000+ active installs — max PHP 8.4
- WPConsent – Cookie Banner & Cookie Consent for Privacy Compliance (GDPR / CCPA / EU Compliance Cookie Notice) — 100000+ active installs
- Cookiebot by Usercentrics – Automatic Cookie Banner for GDPR/CCPA & Google Consent Mode — 100000+ active installs
Check your own WordPress site
Run a free passive scan now, or create a free account and install the WP Clinic plugin for a deep scan of your whole hosting account and AI-assisted repair.