Arbitrary Option Update Vulnerability Affects Materialis WordPress Theme

CVE-2023-3204

6.5MEDIUM

Key Information

Vendor: Extendthemes
Status: Materialis
Vendor: CVE Published:; 20 June 2024

Summary

The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value.

Affected Version(s)

Materialis <= 1.1.24

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jun 20, 2024
Disclosed
Jun 19, 2024
Vulnerability Reserved.
Jun 12, 2023

Collectors

NVD DatabaseMitre Database

Credit

Gibran Abdillah