Themes Vulnerabilities

XStore < 9.3.9 - Subscriber+ Arbitrary Options Update

Description

The theme is vulnerable to unauthorized modification of data due to a missing capability check on a function, allowing authenticated attackers, with subscriber-level access and above, to update arbitrary options which can be used to achieve privilege escalation.

Affects Themes

xstore
Fixed in 9.3.9

References

CVE
CVE-2024-33564
URL
https://patchstack.com/database/vulnerability/xstore/wordpress-xstore-theme-9-3-5-arbitrary-option-update-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
2b5ce062-d97d-4702-8e50-4269a1f37b88

Timeline

Publicly Published
2024-04-25 (about 1 year ago)
Added
2024-05-01 (about 1 year ago)
Last Updated
2024-05-07 (about 1 year ago)

Other

Published
Title
Published
2023-11-16
Title
Restaurant & Cafe Addon for Elementor < 1.5.4 - Missing Authorization via multiple AJAX functions
Published
2025-12-12
Title
Employee Spotlight – Team Member Showcase & Meet the Team Plugin < 5.1.4 - Missing Authorization to Authenticated (Subscriber+) Tracking Opt-In/Opt-Out Modification
Published
2025-09-15
Title
Blaze Demo Importer < 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install
Published
2024-04-02
Title
ShortPixel Adaptive Images < 3.8.3 - Missing Authorization in activate_ai_handler and deactivate_ai_handler
Published
2024-04-22
Title
Hummingbird < 3.7.4 - Missing Authorization