CVE-2024-1047
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| themeisle | Menu Icons by ThemeIsle | 0 <= 0.13.8 | affected |
| themeisle | Starter Sites & Templates by Neve | 0 <= 1.2.6 | affected |
| themeisle | Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE | 0 <= 2.6.2 | affected |
| themeisle | LightStart – Maintenance Mode, Coming Soon and Landing Page Builder | 0 <= 2.6.9 | affected |
| themeisle | Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More | 0 <= 2.10.28 | affected |
| themeisle | Multiple Page Generator Plugin – MPG | 0 <= 3.4.0 | affected |
| themeisle | Visualizer: Tables and Charts Manager for WordPress | 0 <= 3.10.6 | affected |
| optimole | Optimole – Optimize Images in Real Time | 0 <= 3.12.4 | affected |
| themeisle | RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator | 0 <= 4.4.1 | affected |
| optimole | Super Page Cache | 0 <= 4.7.5 | affected |
| rsocial | Revive Social – Social Media Auto Post and Scheduling Automation Plugin | 0 <= 9.0.25 | affected |
| themeisle | PPOM – Product Addons & Custom Fields for WooCommerce | 0 <= 32.0.9 | affected |
Weaknesses
- CWE-862: CWE-862 Missing Authorization
ADP Enrichment
CVE Program Container
Additional References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve
- https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175
- https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve
- https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175
- https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040302%40templates-patterns-collection&new=3040302%40templates-patterns-collection&sfp_email=&sfph_mail=
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.