Themes Vulnerabilities

Mesmerize & Materialis Themes - Authenticated Options Update

Description

Discovered by NinTechNet, both the Mesmerize and Materialis WordPress themes were affected by an authenticated options update vulnerability. This could allow a lower privileged user to update site options, which they should not be permitted to.

Affects Themes

mesmerize
Fixed in 1.6.90
materialis
Fixed in 1.0.173

References

CVE
CVE-2019-25142
URL
https://blog.nintechnet.com/wordpress-mesmerize-and-materialis-themes-fixed-an-authenticated-options-change-vulnerability/

Miscellaneous

Original Researcher
NinTechNet
Verified
No
WPVDB ID
e4d70f03-69d5-4cca-8300-985f68d19ddc

Timeline

Publicly Published
2019-12-02 (about 4 years ago)
Added
2019-12-02 (about 4 years ago)
Last Updated
2023-06-08 (about 11 months ago)

Other

Published
Title
Published
2004-12-31
Title
WordPress 1.2 - HTTP Response Splitting
Published
2016-11-08
Title
Post Grid <= 2.0.12 - Unauthenticated Arbitrary File Deletion
Published
2023-02-03
Title
User Activity <= 1.0.1 - IP Spoofing
Published
2016-09-20
Title
WP Support Plus Responsive Ticket System < 7.1.0 - Insecure Direct Object Reference
Published
2017-03-06
Title
WordPress 4.7.0-4.7.2 - Authenticated Unintended File Deletion in Plugin Delete