Themes Vulnerabilities
Multiple Themes - Unauthenticated Function Injection
Description
Jerome Bruandet, from nintechnet, discovered numerous themes affected by Unauthenticated Function Injection issues, due to the lack of capability and CSRF nonce checks in AJAX actions.
The naturemag-lite theme partially fixed the issues in v1.0.5, however it has been removed from the WordPress repository.
Three of the themes, Brilliance, Activello and Newspaper X were also affected by an Unauthenticated Plugin Activation/Deactivation issue.
Affects Themes
Fixed in 1.2.9
Fixed in 2.4.2
Fixed in 1.4.2
Fixed in 2.1.7
Fixed in 1.2.6
Fixed in 1.3.2
Fixed in 2.0.7
Fixed in 1.3.0
Fixed in 1.2.6
Fixed in 2.0.6
Fixed in 1.2.0
Fixed in 1.1.2
Fixed in 1.0.6
Fixed in 1.0.7
No known fix
Fixed in 2.4.9
References
CVE
CVE
Classification
Type
INJECTION
OWASP top 10
CVSS
Miscellaneous
Original Researcher
Jerome Bruandet (nintechnet)
Verified
No
WPVDB ID
Timeline
Publicly Published
2020-10-01 (about 3 years ago)
Added
2020-10-01 (about 3 years ago)
Last Updated
2023-06-08 (about 11 months ago)