Clever Fox Plugin Vulnerable to Unauthorized Theme Modification

CVE-2023-6876

5.4MEDIUM

Key Information

Vendor: Nayrathemes
Status: Clever Fox
Vendor: CVE Published:; 7 June 2024

Summary

The Clever Fox – One Click Website Importer by Nayra Themes plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'clever-fox-activate-theme' function in all versions up to, and including, 25.2.0. This makes it possible for authenticated attackers, with subscriber access and above, to modify the active theme, including to an invalid value which can take down the site.

Affected Version(s)

Clever Fox <= 25.2.0

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jun 7, 2024
Disclosed
Jun 6, 2024
Vulnerability Reserved.
Dec 15, 2023

Collectors

NVD DatabaseMitre Database

Credit

Lucio Sá