Themes Vulnerabilities

Fraction Theme < 1.1.2 - Privilege Escalation

Description

This vulnerability allows an attacker (either authenticated or unauthenticated) to escalate privileges on the site and have an admin account which may lead to a full site takeover.

Proof of Concept

Affects Themes

fraction-theme
Fixed in 1.1.2

References

URL
https://packetstormsecurity.com/files/#130738/
URL
https://web.archive.org/web/20150324084929/https://research.evex.pw/?vuln=8
URL
https://themeforest.net/item/fraction-multipurpose-news-magazine-theme/8655281

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.3 (high)

Miscellaneous

Submitter
Abdallah Samman
Submitter twitter
Evex_1337
Verified
No
WPVDB ID
7c049847-f1ff-4540-9eaa-4214561159c2

Timeline

Publicly Published
2015-03-10 (about 11 years ago)
Added
2015-03-10 (about 11 years ago)
Last Updated
2021-01-13 (about 5 years ago)

Other

Published
Title
Published
2023-02-20
Title
Accept Stripe Donation - AidWP < 3.1.6 - CSRF
Published
2022-10-31
Title
Event Monster < 1.2.0 - Visitors Deletion via CSRF
Published
2024-06-13
Title
WP STAGING PRO - Backup Duplicator & Migration < 5.6.1 - Cross-Site Request Forgery to Limited Local File Inclusion
Published
2023-02-06
Title
ShopLentor < 2.5.2 - Settings Update via CSRF
Published
2021-07-06
Title
WP HTML Mail < 3.0.8 - CSRF to XSS