Arbitrary Option Update Vulnerability Affects Materialis WordPress Theme
CVE-2023-3204
6.5 MEDIUM
Summary
The Materialis theme for WordPress is vulnerable to arbitrary option update because the companion_disable_popup() function, which is reachable through an AJAX action, does not adequately check the caller's capabilities before writing the option. Any authenticated user, down to the subscriber role, can therefore set any site option to a numerical value, which can change site behaviour and the user experience in unwanted ways (the numeric-only constraint is why the impact is rated as integrity loss rather than a full takeover). All versions of the Materialis theme up to and including 1.1.24 are affected.
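The pattern behind this class of bug, shown here as an added illustration rather than the Materialis theme's own code: a wp_ajax_ handler that writes whatever option name the request supplies, beside a hardened version. The function names, action names and POST fields (example_disable_popup_vulnerable, example_disable_popup_fixed, option, value, nonce) are hypothetical; the real handler's parameters are not shown on this page, and the absint() cast is only an assumption that reproduces the "numerical value" limitation described above.

```php
<?php
// Added example, not the Materialis theme's code. All names are hypothetical.

// VULNERABLE pattern: every logged-in user can reach a wp_ajax_ hook, and
// nothing here verifies a capability or a nonce before update_option().
// The option NAME comes straight from the request, so any option can be
// overwritten; the absint() cast (an assumption made for this example)
// limits the written VALUE to a non-negative integer, matching the
// "numerical value" restriction in the summary.
function example_disable_popup_vulnerable() {
    $option = sanitize_text_field( wp_unslash( $_POST['option'] ?? '' ) );
    $value  = absint( $_POST['value'] ?? 0 );
    update_option( $option, $value );   // attacker chooses which option is written
    wp_send_json_success();
}
add_action( 'wp_ajax_example_disable_popup_vulnerable', 'example_disable_popup_vulnerable' );

// HARDENED pattern: capability check, nonce check, and a fixed option name.
function example_disable_popup_fixed() {
    // Authorization: only users who may manage site options get this far.
    // A nonce alone is not authorization; subscribers can obtain nonces too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF protection: the nonce is issued with
    // wp_create_nonce( 'example_disable_popup' ) when the admin page renders.
    check_ajax_referer( 'example_disable_popup', 'nonce' );

    // Never take the option name from the request: write one known option,
    // and coerce the value to the only shape it is allowed to have.
    $disabled = empty( $_POST['value'] ) ? 0 : 1;
    update_option( 'example_popup_disabled', $disabled );
    wp_send_json_success( array( 'disabled' => $disabled ) );
}
add_action( 'wp_ajax_example_disable_popup_fixed', 'example_disable_popup_fixed' );
```

When reviewing a theme or plugin for this bug class, grep for add_action( 'wp_ajax_ registrations and confirm that each handler performs a current_user_can() check appropriate to the data it modifies, and that update_option() is never called with a key derived from request input.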
Affected Version(s)
Materialis <= 1.1.24
References
CVSS V3.1
Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Gibran Abdillah