Vulnerabilities > CVE-2023-3204 - Missing Authorization vulnerability in Extendthemes Materialis

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

extendthemes

CWE-862

NVD

Published: 2024-06-20

Updated: 2024-07-15

Summary

The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value.

Vulnerable Configurations

Part	Description	Count
Application	Extendthemes Extendthemes Materialis 0.9.29 Extendthemes Materialis 1.0.5 Extendthemes Materialis 1.0.6 Extendthemes Materialis 1.0.7 Extendthemes Materialis 1.0.8 Extendthemes Materialis 1.0.9 Extendthemes Materialis 1.0.10 Extendthemes Materialis 1.0.13 Extendthemes Materialis 1.0.96 Extendthemes Materialis 1.0.98 Extendthemes Materialis 1.0.99 Extendthemes Materialis 1.0.100 Extendthemes Materialis 1.0.102 Extendthemes Materialis 1.0.103 Extendthemes Materialis 1.0.104 Extendthemes Materialis 1.0.105 Extendthemes Materialis 1.0.163 Extendthemes Materialis 1.0.164 Extendthemes Materialis 1.0.167 Extendthemes Materialis 1.0.168 Extendthemes Materialis 1.0.171 Extendthemes Materialis 1.0.172 Extendthemes Materialis 1.0.173 Extendthemes Materialis 1.1.8 Extendthemes Materialis 1.1.10 Extendthemes Materialis 1.1.12 Extendthemes Materialis 1.1.13 Extendthemes Materialis 1.1.14 Extendthemes Materialis 1.1.15 Extendthemes Materialis 1.1.16 Extendthemes Materialis 1.1.17 Extendthemes Materialis 1.1.18 Extendthemes Materialis 1.1.19 Extendthemes Materialis 1.1.20	34

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References