CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-2476 – OceanWP <= 3.5.4 - Missing Authorization to Sensitive Information Exposure via Limited Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-2476
The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys. El tema OceanWP para WordPress es vulnerable al acceso no autorizado a los datos debido a una falta de verificación de capacidad en la función load_theme_panel_pane en todas las versiones hasta la 3.5.4 incluida. Esto hace posible que atacantes autenticados, con acceso a nivel de suscriptor y superior, expongan información confidencial como datos del sistema/entorno y claves API. • https://github.com/killerbees19/CVE-2024-24760 https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=222387%40oceanwp&new=222387%40oceanwp&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/5ec2743d-0d96-4056-8fdf-dc81d4e9b76f?source=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-23700 – WordPress OceanWP theme <= 3.4.1 - Authenticated Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2023-23700
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1. La limitación inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido ("Path Traversal") en OceanWP permite la inclusión de archivos locales PHP. Este problema afecta a OceanWP: desde n/a hasta 3.4.1. The OceanWP theme for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 3.4. This allows subscriber-level attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. • https://patchstack.com/database/vulnerability/oceanwp/wordpress-oceanwp-theme-3-4-1-authenticated-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •