
CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

Missing Authorization vulnerability in Extend Themes Pathway, Extend Themes Hugo WP, Extend Themes Althea WP, Extend Themes Elevate WP, Extend Themes Brite, Extend Themes Colibri WP, Extend Themes Vertice. This issue affects Pathway: from n/a through 1.0.15; Hugo WP: from n/a through 1.0.8; Althea WP: from n/a through 1.0.13; Elevate WP: from n/a through 1.0.15; Brite: from n/a through 1.0.11; Colibri WP: from n/a through 1.0.94; Vertice: from n/a through 1.0.7.

The ColibriWP Theme framework used by multiple themes for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_plugin' AJAX action in various versions. This makes it possible for authenticated attackers, with subscriber-level access and above, to activate arbitrary plugins.

• https://patchstack.com/database/vulnerability/althea-wp/wordpress-althea-wp-theme-1-0-13-broken-access-control-vulnerability
• https://patchstack.com/database/vulnerability/brite/wordpress-brite-theme-1-0-11-broken-access-control-vulnerability
• https://patchstack.com/database/vulnerability/colibri-wp/wordpress-colibri-wp-theme-1-0-94-broken-access-control-vulnerability
• https://patchstack.com/database/vulnerability/elevate-wp/wordpress-elevate-wp-theme-1-0-15-broken-access-control-vulnerability
• https://patchstack.com/database/vulnerab
• CWE-862: Missing Authorization

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 0

The Colibri WP theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.94. This is due to missing or incorrect nonce validation on the colibriwp_install_plugin() function. This makes it possible for unauthenticated attackers to install recommended plugins via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

• https://themes.trac.wordpress.org/changeset/218308/colibri-wp/1.0.101/inc/src/PluginsManager.php
• https://www.wordfence.com/threat-intel/vulnerabilities/id/db56844f-9988-4f6a-ba1d-f190ff009f2b?source=cve
• CWE-352: Cross-Site Request Forgery (CSRF)