Themes Vulnerabilities

OceanWP < 3.5.5 - Subscriber+ Sensitive Information Exposure

Description

The theme is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function, allowing authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys.

Affects Themes

oceanwp
Fixed in 3.5.5

References

CVE
CVE-2024-2476
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/5ec2743d-0d96-4056-8fdf-dc81d4e9b76f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Webbernaut
Verified
No
WPVDB ID
629dcd1d-d2b1-4ea7-bc7d-a7d2c07b7a25

Timeline

Publicly Published
2024-03-28 (about 1 year ago)
Added
2024-03-29 (about 1 year ago)
Last Updated
2024-03-29 (about 1 year ago)

Other

Published
Title
Published
2022-01-28
Title
Perfect Brands for WooCommerce < 2.0.5 - Subscriber+ Arbitrary Brand Creation
Published
2025-04-09
Title
Sandwich Adsense <= 4.0.2 - Missing Authorization
Published
2026-01-06
Title
aBlocks – WordPress Gutenberg Blocks <= 2.4.0 - Missing Authorization to Authenticated (Subscriber+) Settings Modification
Published
2024-04-25
Title
XStore Core <= 5.3.5 - Missing Authorization
Published
2024-09-05
Title
AI Assistant with ChatGPT by AYS <= 2.0.9 - Unauthenticated AJAX Calls