PT-2024-37918 · WordPress · Templatespare
Lucio Sá
·
Published
2024-08-03
·
Updated
2024-08-13
·
CVE-2024-6872
CVSS v3.1
5.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
TemplateSpare plugin for WordPress versions up to, and including, 2.4.2
Description
The TemplateSpare plugin for WordPress has an issue due to a missing capability check on the
templatespare activate required theme and templatespare get theme status functions. This allows authenticated attackers with Subscriber-level access and above to activate any installed theme and read any theme status. If an attacker attempts to activate a theme that is not installed, the site may be left with no theme functionality.Recommendations
For TemplateSpare plugin for WordPress versions up to, and including, 2.4.2: Update to a patched version as soon as possible to fix the authorization flaw. As a temporary workaround, consider restricting access to the
templatespare activate required theme and templatespare get theme status functions until a patch is available.Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Templatespare