
CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jun 2024 — The Materialis theme for WordPress is vulnerable to limited arbitrary options updates in versions up to, and including, 1.1.24. This is due to missing authorization checks on the companion_disable_popup() function called via an AJAX action. This makes it possible for authenticated attackers, with minimal permissions such as subscribers, to modify any option on the site to a numerical value. • https://themes.trac.wordpress.org/browser/materialis/1.1.20/inc/companion.php#L45 • CWE-862: Missing Authorization

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 1

02 Dec 2019 — The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including, 1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to the 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options. • https://blog.nintechnet.com/wordpress-mesmerize-and-materialis-themes-fixed-an-authenticated-options-change-vulnerability • CWE-862: Missing Authorization