Unauthorized Plugin Control in Sparkling Theme for WordPress
CVE-2024-13423

5.3MEDIUM

Key Information:

Vendor
WordPress
Status
Sparkling
Vendor
CVE Published:
5 March 2025

Summary

The Sparkling theme for WordPress has a significant vulnerability that allows unauthorized users to activate or deactivate plugins due to a lack of necessary capability checks in specific functions. This flaw affects versions up to and including 2.4.9, making it possible for unauthenticated attackers to manipulate the site's plugins, potentially compromising the site's security and functionality.

Affected Version(s)

Sparkling * <= 2.4.9

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://themes.trac.wordpress.org/browser/sparkling/2.4.9...
https://themes.trac.wordpress.org/browser/sparkling/2.4.9...

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michael Mazzolini
.