Vulnerability Details CVE-2023-3204
The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.2%
CVSS Severity
CVSS v3 Score 6.5
References
- https://themes.trac.wordpress.org/browser/materialis/1.1.20/inc/companion.php#L45
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=231816%40materialis&new=231816%40materialis&sfp_email=&sfph_mail=#file6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e05094-8344-4388-a703-518daf3d2948?source=cve
- https://themes.trac.wordpress.org/browser/materialis/1.1.20/inc/companion.php#L45
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=231816%40materialis&new=231816%40materialis&sfp_email=&sfph_mail=#file6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e05094-8344-4388-a703-518daf3d2948?source=cve
Products affected by CVE-2023-3204
-
cpe:2.3:a:extendthemes:materialis:-
-
cpe:2.3:a:extendthemes:materialis:0.9.29
-
cpe:2.3:a:extendthemes:materialis:1.0.10
-
cpe:2.3:a:extendthemes:materialis:1.0.100
-
cpe:2.3:a:extendthemes:materialis:1.0.102
-
cpe:2.3:a:extendthemes:materialis:1.0.103
-
cpe:2.3:a:extendthemes:materialis:1.0.104
-
cpe:2.3:a:extendthemes:materialis:1.0.105
-
cpe:2.3:a:extendthemes:materialis:1.0.13
-
cpe:2.3:a:extendthemes:materialis:1.0.163
-
cpe:2.3:a:extendthemes:materialis:1.0.164
-
cpe:2.3:a:extendthemes:materialis:1.0.167
-
cpe:2.3:a:extendthemes:materialis:1.0.168
-
cpe:2.3:a:extendthemes:materialis:1.0.171
-
cpe:2.3:a:extendthemes:materialis:1.0.172
-
cpe:2.3:a:extendthemes:materialis:1.0.173
-
cpe:2.3:a:extendthemes:materialis:1.0.5
-
cpe:2.3:a:extendthemes:materialis:1.0.6
-
cpe:2.3:a:extendthemes:materialis:1.0.7
-
cpe:2.3:a:extendthemes:materialis:1.0.8
-
cpe:2.3:a:extendthemes:materialis:1.0.9
-
cpe:2.3:a:extendthemes:materialis:1.0.96
-
cpe:2.3:a:extendthemes:materialis:1.0.98
-
cpe:2.3:a:extendthemes:materialis:1.0.99
-
cpe:2.3:a:extendthemes:materialis:1.1.10
-
cpe:2.3:a:extendthemes:materialis:1.1.12
-
cpe:2.3:a:extendthemes:materialis:1.1.13
-
cpe:2.3:a:extendthemes:materialis:1.1.14
-
cpe:2.3:a:extendthemes:materialis:1.1.15
-
cpe:2.3:a:extendthemes:materialis:1.1.16
-
cpe:2.3:a:extendthemes:materialis:1.1.17
-
cpe:2.3:a:extendthemes:materialis:1.1.18
-
cpe:2.3:a:extendthemes:materialis:1.1.19
-
cpe:2.3:a:extendthemes:materialis:1.1.20
-
cpe:2.3:a:extendthemes:materialis:1.1.8