CVE-2024-1047
ThemeIsle SDK <= Various Versions - Missing Authorization
Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Productos afectados
optimole · Optimole – Optimize Images in Real Timeoptimole · Super Page Cachersocial · Revive Social – Social Media Auto Post and Scheduling Automation Pluginthemeisle · LightStart – Maintenance Mode, Coming Soon and Landing Page Builderthemeisle · Menu Icons by ThemeIslethemeisle · Multiple Page Generator Plugin – MPGthemeisle · Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & Morethemeisle · Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSEthemeisle · PPOM – Product Addons & Custom Fields for WooCommercethemeisle · RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregatorthemeisle · Starter Sites & Templates by Nevethemeisle · Visualizer: Tables and Charts Manager for WordPress¿Quieres saber si tu infraestructura está expuesta a esto?
Hablar con TrueHacking →Referencias
https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.phphttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040302%40templates-patterns-collection&new=3040302%40templates-patterns-collection&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve