Vulnerability Details CVE-2019-25142
The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including, 1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to the 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 62.3%
CVSS Severity
CVSS v3 Score 8.8
Products affected by CVE-2019-25142
- cpe:2.3:a:extendthemes:materialis:-
- cpe:2.3:a:extendthemes:materialis:0.9.29
- cpe:2.3:a:extendthemes:materialis:1.0.10
- cpe:2.3:a:extendthemes:materialis:1.0.100
- cpe:2.3:a:extendthemes:materialis:1.0.102
- cpe:2.3:a:extendthemes:materialis:1.0.103
- cpe:2.3:a:extendthemes:materialis:1.0.104
- cpe:2.3:a:extendthemes:materialis:1.0.105
- cpe:2.3:a:extendthemes:materialis:1.0.13
- cpe:2.3:a:extendthemes:materialis:1.0.163
- cpe:2.3:a:extendthemes:materialis:1.0.164
- cpe:2.3:a:extendthemes:materialis:1.0.167
- cpe:2.3:a:extendthemes:materialis:1.0.168
- cpe:2.3:a:extendthemes:materialis:1.0.171
- cpe:2.3:a:extendthemes:materialis:1.0.172
- cpe:2.3:a:extendthemes:materialis:1.0.5
- cpe:2.3:a:extendthemes:materialis:1.0.6
- cpe:2.3:a:extendthemes:materialis:1.0.7
- cpe:2.3:a:extendthemes:materialis:1.0.8
- cpe:2.3:a:extendthemes:materialis:1.0.9
- cpe:2.3:a:extendthemes:materialis:1.0.96
- cpe:2.3:a:extendthemes:materialis:1.0.98
- cpe:2.3:a:extendthemes:materialis:1.0.99
- cpe:2.3:a:extendthemes:mesmerize:0.1
- cpe:2.3:a:extendthemes:mesmerize:0.9.1
- cpe:2.3:a:extendthemes:mesmerize:0.9.10
- cpe:2.3:a:extendthemes:mesmerize:0.9.11
- cpe:2.3:a:extendthemes:mesmerize:0.9.2
- cpe:2.3:a:extendthemes:mesmerize:0.9.4
- cpe:2.3:a:extendthemes:mesmerize:0.9.5
- cpe:2.3:a:extendthemes:mesmerize:0.9.6
- cpe:2.3:a:extendthemes:mesmerize:0.9.7
- cpe:2.3:a:extendthemes:mesmerize:0.9.8
- cpe:2.3:a:extendthemes:mesmerize:0.9.9
- cpe:2.3:a:extendthemes:mesmerize:1.0.65
- cpe:2.3:a:extendthemes:mesmerize:1.0.66
- cpe:2.3:a:extendthemes:mesmerize:1.0.72
- cpe:2.3:a:extendthemes:mesmerize:1.0.73
- cpe:2.3:a:extendthemes:mesmerize:1.0.86
- cpe:2.3:a:extendthemes:mesmerize:1.0.90
- cpe:2.3:a:extendthemes:mesmerize:1.1.0
- cpe:2.3:a:extendthemes:mesmerize:1.1.1
- cpe:2.3:a:extendthemes:mesmerize:1.1.2
- cpe:2.3:a:extendthemes:mesmerize:1.1.3
- cpe:2.3:a:extendthemes:mesmerize:1.1.4
- cpe:2.3:a:extendthemes:mesmerize:1.2
- cpe:2.3:a:extendthemes:mesmerize:1.2.1
- cpe:2.3:a:extendthemes:mesmerize:1.2.2
- cpe:2.3:a:extendthemes:mesmerize:1.5.42
- cpe:2.3:a:extendthemes:mesmerize:1.5.45
- cpe:2.3:a:extendthemes:mesmerize:1.5.50
- cpe:2.3:a:extendthemes:mesmerize:1.5.52
- cpe:2.3:a:extendthemes:mesmerize:1.6.59
- cpe:2.3:a:extendthemes:mesmerize:1.6.61
- cpe:2.3:a:extendthemes:mesmerize:1.6.62
- cpe:2.3:a:extendthemes:mesmerize:1.6.72
- cpe:2.3:a:extendthemes:mesmerize:1.6.77
- cpe:2.3:a:extendthemes:mesmerize:1.6.81
- cpe:2.3:a:extendthemes:mesmerize:1.6.82
- cpe:2.3:a:extendthemes:mesmerize:1.6.85
- cpe:2.3:a:extendthemes:mesmerize:1.6.88
- cpe:2.3:a:extendthemes:mesmerize:1.6.89