Unauthorized Modification of Data in Child Theme Creator plugin for WordPress
CVE-2024-12263
4.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 12 December 2024
Summary
The Child Theme Creator by Orbisius plugin for WordPress is vulnerable to unauthorized modification of data because the cloud_delete() and cloud_update() functions lack capability checks. Authenticated attackers, even those with only Subscriber-level access, can update and delete cloud snippets. The flaw resides in the Cloud Library Addon connected to the plugin, which has since been withdrawn. Users of affected versions are advised to take immediate precautions to secure their sites.
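The missing check described above, as an added example that is not the plugin's own code: a constructed WordPress AJAX handler with no capability check, beside a hardened one. The `example_` hook and function names, the nonce action, the `snippet_id` parameter, the `example_snippet` post type (including the idea that snippets are stored as posts) and the choice of the `edit_theme_options` capability are all assumptions for illustration.

```php
<?php
// Constructed illustration; every name below is hypothetical, not taken from the plugin.

// Unchecked pattern: wp_ajax_* hooks fire for ANY logged-in user, including
// Subscribers, so the handler must enforce authorization itself. This one does not.
add_action( 'wp_ajax_example_cloud_delete', 'example_cloud_delete_unchecked' );
function example_cloud_delete_unchecked() {
    $id = isset( $_POST['snippet_id'] ) ? absint( $_POST['snippet_id'] ) : 0;
    wp_delete_post( $id, true ); // no nonce check, no capability check
    wp_send_json_success();
}

// Hardened pattern: verify the nonce (CSRF), then the capability (authorization),
// then that the target object is of the expected type.
add_action( 'wp_ajax_example_cloud_delete_safe', 'example_cloud_delete_checked' );
function example_cloud_delete_checked() {
    // Terminates the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_cloud_snippet', 'nonce' );

    // Assumed capability: snippet management is limited to users who may edit themes.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $id   = isset( $_POST['snippet_id'] ) ? absint( $_POST['snippet_id'] ) : 0;
    $post = $id ? get_post( $id ) : null;

    // Refuse to touch anything that is not a snippet (assumed post type).
    if ( ! $post || 'example_snippet' !== $post->post_type ) {
        wp_send_json_error( array( 'message' => 'Snippet not found.' ), 404 );
    }

    wp_delete_post( $id, true );
    wp_send_json_success( array( 'deleted' => $id ) );
}
```

The same three checks apply to an update handler; a nonce alone is not authorization, because any logged-in user who can load the page that prints it can obtain one.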
Affected Version(s)
Child Theme Creator by Orbisius * <= 1.5.5
CVSS V3.1
Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Tieu Pham Trong Nhan