Erwan, a security researcher from the WPScan team, discovered and responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability that could allow an unauthenticated attacker to change the background image of the theme. For a successful attack, a privileged authenticated WordPress user would need to visit a page the attack controls, for the CSRF attack to be executed.
ErwanLR from WPScan
2020-10-29 (about 8 months ago)
2020-10-31 (about 8 months ago)
2020-12-15 (about 7 months ago)