CVE-2024-1047

Description

Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.

CVSS breakdown

Affected products

• optimole / Optimole – Optimize Images in Real Time0 – 3.12.4
• optimole / Super Page Cache0 – 4.7.5
• rsocial / Revive Social – Social Media Auto Post and Scheduling Automation Plugin0 – 9.0.25
• themeisle / LightStart – Maintenance Mode, Coming Soon and Landing Page Builder0 – 2.6.9
• themeisle / Menu Icons by ThemeIsle0 – 0.13.8
• themeisle / Multiple Page Generator Plugin – MPG0 – 3.4.0
• themeisle / Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More0 – 2.10.28
• themeisle / Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE0 – 2.6.2
• themeisle / PPOM – Product Addons & Custom Fields for WooCommerce0 – 32.0.9
• themeisle / RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator0 – 4.4.1
• themeisle / Starter Sites & Templates by Neve0 – 1.2.6
• themeisle / Visualizer: Tables and Charts Manager for WordPress0 – 3.10.6

References

• MISChttps://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve
• MISChttps://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175
• MISChttps://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php
• MISChttps://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040302%40templates-patterns-collection&new=3040302%40templates-patterns-collection&sfp_email=&sfph_mail=