Themes Vulnerabilities

Total < 2.1.60 - Missing Authorization to Authenticated (Subscriber+) Sections Update

Description

The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage.

Affects Themes

total
Fixed in 2.1.60
Total
Fixed in 2.1.60

References

CVE
CVE-2024-1771
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/26b64ae3-5839-47d5-9c65-7c595bb18e6c

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
29f2bd79-e1ea-4ac5-907b-02334535ba38

Timeline

Publicly Published
2024-03-05 (about 2 years ago)
Added
2024-03-05 (about 2 years ago)
Last Updated
2024-03-05 (about 2 years ago)

Other

Published
Title
Published
2026-02-19
Title
Checkout for PayPal < 1.0.47 - Missing Authorization
Published
2025-09-25
Title
Email marketing for WordPress by GetResponse Official < 1.5.4 - Missing Authorization
Published
2024-04-12
Title
Aspose.Words Exporter <= 6.3.1 - Missing Authorization
Published
2025-06-18
Title
GiveWP – Donation Plugin and Fundraising Platform < 4.3.1 - Missing Authorization To Authenticated (Contributor+) Campaign Data View And Modification
Published
2024-08-16
Title
Asset CleanUp: Page Speed Booster < 1.3.9.4 - Missing Authorization