CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-1771 – Total <= 2.1.59 - Missing Authorization to Authenticated (Subscriber+) Sections Update
https://notcve.org/view.php?id=CVE-2024-1771
05 Mar 2024 — The Total theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the total_order_sections() function in all versions up to, and including, 2.1.59. This makes it possible for authenticated attackers, with subscriber-level access and above, to repeat sections on the homepage. El tema Total para WordPress es vulnerable a modificaciones no autorizadas de datos debido a una falta de verificación de capacidad en la función total_order_sections() en todas las ve... • https://themes.trac.wordpress.org/browser/total/2.1.59/inc/customizer/customizer-functions.php#L112 • CWE-862: Missing Authorization •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-27456 – WordPress Total theme <= 2.1.19 - Authenticated Arbitrary Plugin Activation
https://notcve.org/view.php?id=CVE-2023-27456
01 Mar 2023 — Missing Authorization vulnerability in HashThemes Total allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Total: from n/a through 2.1.19. The Total theme for WordPress is vulnerable to Plugin Activation due to insufficient capability and nonce checks on the 'activate_plugin' function in versions up to, and including, 2.1.19. This allows any authenticated attacker with subscriber-level capabilities or greater to activate arbitrary plugins already installed on the site... • https://patchstack.com/database/wordpress/theme/total/vulnerability/wordpress-total-theme-2-1-19-authenticated-arbitrary-plugin-activation?_s_id=cve • CWE-862: Missing Authorization •