Themes Vulnerabilities

ColorMag < 3.1.3 - Missing Authorization to Arbitrary Plugin Installation

Description

The plugin is vulnerable to unauthorized access due to a missing capability check on the plugin_action_callback() function in all versions up to, allowing authenticated attackers, with subscriber-level access and above, to install and activate arbitrary plugins.

Affects Themes

colormag
Fixed in 3.1.3

References

CVE
CVE-2024-0679
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e982d457-29db-468f-88c3-5afe04002dcf

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Sean Murphy
Verified
No
WPVDB ID
d1f40db4-f049-48a7-bcc4-cf0343ccad95

Timeline

Publicly Published
2024-01-19 (about 2 years ago)
Added
2024-01-24 (about 2 years ago)
Last Updated
2024-01-24 (about 2 years ago)

Other

Published
Title
Published
2025-12-06
Title
Actionwear products sync <= 2.3.3 - Missing Authorization
Published
2025-11-08
Title
Cookie Notice for GDPR, CCPA & ePrivacy Consent < 4.0.4 - Missing Authorization
Published
2025-12-11
Title
Email Subscribers & Newsletters < 5.9.11 - Unauthenticated Action Scheduler Task Execution
Published
2025-09-22
Title
WowAddons <= 1.6.0 - Missing Authorization
Published
2025-12-18
Title
HomeFix Elementor Portfolio <= 1.0.1 - Missing Authorization