Unauthorized Access Vulnerability in ColorMag Theme for WordPress
CVE-2024-0679

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: ColorMag
Vendor: CVE Published:; 20 January 2024

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The ColorMag theme for WordPress contains a security flaw that permits authenticated users with subscriber-level access and above to exploit a missing capability check in the plugin_action_callback() function. This vulnerability allows malicious actors to install and activate arbitrary plugins, potentially leading to significant security risks for affected WordPress sites. It is crucial for users to ensure their ColorMag theme is updated to mitigate this issue.

Affected Version(s)

ColorMag * <= 3.1.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-0679
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themes.trac.wordpress.org/browser/colormag/3.1.2/...

https://themes.trac.wordpress.org/changeset?sfp_email=&sf...

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 20, 2024
🟡
Public PoC available
Jan 19, 2024
👾
Exploit known to exist
Jan 19, 2024
Vulnerability Reserved
Jan 18, 2024

Credit

Sean Murphy