WordPress Plugin Vulnerabilities

Orbit Fox by ThemeIsle < 2.10.29 - Unauthenticated Connected API Keys Update

Description

The plugin is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function, allowing unauthenticated attackers to update the connected API keys.

Affects Plugins

Plugin icon
themeisle-companion
Fixed in 2.10.29

References

CVE
CVE-2024-1047
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
f4912c06-a8c6-4857-9f2c-416efaf7fe75

Timeline

Publicly Published
2024-02-01 (about 2 years ago)
Added
2024-02-02 (about 2 years ago)
Last Updated
2024-02-02 (about 2 years ago)

Other

Published
Title
Published
2026-01-24
Title
Integrate Google Drive <= 1.5.6 - Missing Authorization
Published
2023-04-05
Title
WCFM Membership < 2.10.1 - Unauthenticated AJAX Calls
Published
2025-12-15
Title
Webba Booking < 6.2.2 - Missing Authorization
Published
2026-03-23
Title
Five Star Restaurant Reservations – WordPress Booking Plugin < 2.7.10 - Missing Authorization
Published
2022-10-19
Title
Webmaster Tools Verification <= 1.2 - Unauthenticated Arbitrary Plugin Deactivation