14
Here’s what’s officially verified about Civi 2.1.6.3 – Job Board, Freelance Marketplace WordPress Theme:
✅ Version 2.1.6.3 — Recognized Official Release (May 28, 2025)
- This version is documented in the official changelog (via AEThemes mirror) with the following updates:
- Updated social login settings
- Fixed minor JavaScript and CSS issues
Reddit+14AEThemes+14nullgrand.com+14
🚨 Security & Compatibility Alerts
- Versions ≤ 2.1.4 are known to contain a critical authentication bypass vulnerability, allowing unauthenticated users to change any account password.
AEThemes+4wordfence.com+4Vulners+4 - Additionally, the Civi Framework plugin bundled with the theme has a confirmed CSRF vulnerability in version 2.1.6.3 and earlier, enabling unauthorized actions by tricking an admin user.
Rapid7 - These issues are addressed in Civi 2.1.6.4, released June 3, 2025, which includes a critical fix preventing unauthorized user deletion via the
civi_deactive_user()function.
uxper.gitbook.io+10AEThemes+10Rapid7+10
🌟 What Changed Around This Version
| Version | Release Date | Key Updates |
|---|---|---|
| 2.1.6.3 | May 28, 2025 | Social login settings update; minor CSS/JS fixes |
| 2.1.6.4 | June 3, 2025 | Critical user deletion security patch |
| 2.1.6.6 | June 19, 2025 | Demo import and layout fixes |
| 2.2.0 | June 24, 2025 | Added identity verification, sidebar fixes, improved filters and import workflows Reddit+8AEThemes+8nullgrand.com+8 |
⚙️ About Civi
Civi is a comprehensive job board and freelance marketplace theme built with Elementor and designed for high-feature job sites:
- Supports private messaging, subscription plans for employers, job alerts, social logins, company profiles, video/audio interviews, analytics, and multiple application methods.
uxper.gitbook.io+9WordPress SoftWebz+9wordfence.com+9 - Offers multilingual support (Polylang, WPML), demo import tools, GDPR compliance notices, and employer/job moderation workflows.
WordPress SoftWebzWPClub
✅ How It Affects You
- Version 2.1.6.3 is a real and documented theme release, but it includes a non-trivial CSRF vulnerability via the framework plugin.
- To mitigate critical risks (authentication bypass or unauthorized actions), upgrading to version 2.1.6.4 or later is strongly recommended.
AEThemesRapid7
🛠 Recommended Actions
- Check your current version via
style.css, theme header, or your WordPress dashboard. - If you’re on 2.1.6.3 (or older):
- Upgrade to 2.1.6.4 or higher, ideally 2.1.6.6 or 2.2.0, which contain multiple security and compatibility fixes.
- Back up your site, especially user data and the database, before applying updates.
- Test upgrades in a staging environment, verifying social login workflows, demo import, and user-role actions.
- If you manage a theme with limited updates, consider switching to more actively maintained alternatives—even if support is short-lived.
Reddit
🧠 Still Need Help With:
- Identifying your installed version or changelog internally
- Safely applying the update to 2.1.6.4+
- Verifying post-update behaviors like social login or demo import
- Considering theme alternatives or long-term maintenance strategies
Let me know how I can assist further with any of these steps!
