CVE-2024-1047

Summary

Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.

Affected Software

VendorProductVersion RangeStatus
themeisleMenu Icons by ThemeIsle0 <= 0.13.8affected
themeisleStarter Sites & Templates by Neve0 <= 1.2.6affected
themeisleOtter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE0 <= 2.6.2affected
themeisleLightStart – Maintenance Mode, Coming Soon and Landing Page Builder0 <= 2.6.9affected
themeisleOrbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More0 <= 2.10.28affected
themeisleMultiple Page Generator Plugin – MPG0 <= 3.4.0affected
themeisleVisualizer: Tables and Charts Manager for WordPress0 <= 3.10.6affected
optimoleOptimole – Optimize Images in Real Time0 <= 3.12.4affected
themeisleRSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator0 <= 4.4.1affected
optimoleSuper Page Cache0 <= 4.7.5affected
rsocialRevive Social – Social Media Auto Post and Scheduling Automation Plugin0 <= 9.0.25affected
themeislePPOM – Product Addons & Custom Fields for WooCommerce0 <= 32.0.9affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References