Discy < 5.0 - Subscriber+ Broken Access Control to change settings
The theme lacks authorization checks when processing AJAX requests to the discy_update_options action, allowing any logged-in user (with privileges as low as Subscriber) to change the theme options by sending a crafted POST request.
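The checks such a handler needs, as an added example that is not Discy's code or the vendor's fix: a capability check, a nonce check, and an allow-list of option keys. Only the AJAX action name comes from the advisory; the handler name, nonce action and field, option keys, and the choice of the manage_options capability are assumptions.

```php
<?php
// Added example, not Discy's code. The handler name, nonce action/field and
// option keys are hypothetical; only the AJAX action name is from the advisory.

// wp_ajax_{action} fires for every logged-in user, Subscriber included, so
// registering on this hook is not an authorization check by itself.
add_action( 'wp_ajax_discy_update_options', 'example_update_options_handler' );

function example_update_options_handler() {
	// 1. Authorization: only users who may manage site options proceed.
	//    (manage_options is an assumed choice of capability.)
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
	}

	// 2. CSRF: require a nonce issued on the options screen. With $die = false
	//    the function returns false on failure instead of exiting.
	if ( ! check_ajax_referer( 'example_update_options', 'nonce', false ) ) {
		wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
	}

	// 3. Input: accept only known keys and sanitize each value.
	$allowed = array( 'site_tagline', 'footer_text' ); // hypothetical keys
	$input   = isset( $_POST['options'] ) && is_array( $_POST['options'] )
		? wp_unslash( $_POST['options'] )
		: array();

	$clean = array();
	foreach ( $allowed as $key ) {
		if ( isset( $input[ $key ] ) && is_scalar( $input[ $key ] ) ) {
			$clean[ $key ] = sanitize_text_field( $input[ $key ] );
		}
	}

	// Merge into the stored options so unrelated settings are left untouched.
	$current = get_option( 'example_theme_options', array() );
	update_option( 'example_theme_options', array_merge( (array) $current, $clean ) );

	wp_send_json_success( array( 'updated' => array_keys( $clean ) ) );
}
```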
Proof of Concept
POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8