WordPress Plugin Vulnerabilities

Orbit Fox by ThemeIsle <= 2.6.3 -Does not properly Authenticate REST API Calls

Description

Orbit Fox by Themeisle (aka Themeisle Companion) version <= 2.6.3 does not properly authenticate REST API calls allowing unauthenticated users to execute several API calls.

In some cases one of these calls can be used to upload arbitrary files which can lead to remote code execution.

Affects Plugins

Plugin icon
themeisle-companion
Fixed in 2.6.4

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher
James Golovich
Submitter
James Golovich
Submitter website
https://pritect.net
Submitter twitter
Pritect
Verified
No
WPVDB ID
014073fa-7949-49e8-996f-2f84dab94ba9

Timeline

Publicly Published
2018-12-07 (about 7 years ago)
Added
2018-12-11 (about 7 years ago)
Last Updated
2018-12-11 (about 7 years ago)

Other

Published
Title
Published
2025-02-12
Title
WP Directorybox Manager <= 2.5 - Authentication Bypass
Published
2022-01-17
Title
Coming Soon & Maintenance Plugin by NiteoThemes < 4.0.19 - Unauthenticated Arbitrary CSS Update
Published
2024-07-10
Title
profile-builder < 3.11.9 - Unauthenticated Privilege Escalation
Published
2022-10-31
Title
WP User Frontend < 3.5.29 - Obscure Registration as Admin
Published
2023-10-25
Title
Admin and Site Enhancements (ASE) < 5.8.0 - Password Protection Mode Security Feature Bypass