CVE-2024-3610

2024-06-2102:15:10

CWE-862

[email protected]

web.nvd.nist.gov

wordpress

child theme

vulnerability

unauthorized access

data modification

capability check

attack

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

20.7%

JSON

The WP Child Theme Generator plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wctg_easy_child_theme() function in all versions up to, and including, 1.1.1. This makes it possible for unauthenticated attackers to create a blank child theme and activate it cause the site to whitescreen.

Affected configurations

Nvd

Node

wensolutionswp_child_theme_generatorRange<1.1.2wordpress

VendorProductVersionCPE
wensolutionswp_child_theme_generator*cpe:2.3:a:wensolutions:wp_child_theme_generator:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
wensolutions	wp_child_theme_generator	*	cpe:2.3:a:wensolutions:wp_child_theme_generator::::::wordpress::*

References

plugins.trac.wordpress.org/browser/wp-child-theme-generator/trunk/wp-easy-child/wp-easy-child.php#L60

plugins.trac.wordpress.org/changeset?old_path=/wp-child-theme-generator/tags/1.1.1&new_path=/wp-child-theme-generator/tags/1.1.2&sfp_email=&sfph_mail=

www.wordfence.com/threat-intel/vulnerabilities/id/581e6686-a103-43f6-aa99-6a9862d98837?source=cve