8.8

CVE-2019-25142

Exploit

EPSS 0.55%
Veröffentlicht 07.06.2023 02:15:10
Zuletzt bearbeitet 21.11.2024 04:39:58
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

Mesmerize <= 1.6.89 & Materialis <= 1.0.172 - Authenticated Arbitrary Options Update

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.

Mögliche Gegenmaßnahme

Materialis: Update to version 1.0.173, or a newer patched version

Mesmerize: Update to version 1.6.90, or a newer patched version

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Weitere Schwachstelleninformationen

SystemWordPress Theme

≫

Produkt Materialis

Version *-1.0.172

SystemWordPress Theme

≫

Produkt Mesmerize

Version *-1.6.89

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Extendthemes ≫ Materialis SwPlatformwordpress Version < 1.0.173

Extendthemes ≫ Mesmerize SwPlatformwordpress Version < 1.6.90

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.55%	0.677

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://blog.nintechnet.com/wordpress-mesmerize-and-materialis-themes-fixed-an-authenticated-options-change-vulnerability/

Third Party Advisory

Exploit

Technical Description

https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=121290%40materialis&new=121290%40materialis&sfp_email=&sfph_mail=

Patch

Release Notes

https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=121291%40mesmerize&new=121291%40mesmerize&sfp_email=&sfph_mail=

Patch

Release Notes

https://wordpress.org/themes/materialis/

Product

https://wordpress.org/themes/mesmerize/

Product

https://wpscan.com/vulnerability/e4d70f03-69d5-4cca-8300-985f68d19ddc

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8c9c3302-47cd-4dbe-b79e-5e6032928074?source=cve

Patch

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/8c9c3302-47cd-4dbe-b79e-5e6032928074

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2019-25142

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-25142

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-25142

EUVD