Themes Vulnerabilities

Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme <= 4.5.7 - Missing Authorization to Authenticated (Subscriber+) Demo Import

Description

The Lafka - Multi Store Burger - Pizza & Food Delivery WooCommerce Theme theme for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'lafka_import_lafka' AJAX actions in all versions up to, and including, 4.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to import demo data that overrides the site.

Affects Themes

lafka
No known fix

References

CVE
CVE-2024-13811
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/50d60e4f-7680-4ec0-9183-bdc8439679db

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
0d42b000-0d12-4d3a-99f7-075385b20836

Timeline

Publicly Published
2025-03-04 (about 1 year ago)
Added
2025-03-04 (about 1 year ago)
Last Updated
2025-03-05 (about 1 year ago)

Other

Published
Title
Published
2025-03-25
Title
Active Products Tables for WooCommerce < 1.0.6.8 - Unauthenticated Arbitrary Filter Call
Published
2025-11-07
Title
Contact Form 7 AWeber Extension < 0.1.43 - Missing Authorization to Authenticated (Subscriber+) Log Reset
Published
2025-05-16
Title
EventON - WordPress Virtual Event Calendar Plugin < 4.9.7 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2024-03-04
Title
Page Builder Sandwich <= 5.1.0 - Missing Authorization to Authenticated(Subscriber+) Arbitrary Post Editing
Published
2022-10-30
Title
Attorney <= 3 - Unauthenticated Arbitrary Page/Post Deletion