2 matches found
CVE-2023-3204
CVE-2023-3204 affects the Materialis WordPress theme up to version 1.1.24. The root cause is missing authorization checks in companion_disable_popup() invoked via AJAX, allowing authenticated users with low privileges (e.g., subscribers) to set any option to a numeric value. The vulnerability is ...
CVE-2019-25142
The Mesmerize (up to 1.6.89) and Materialis (up to 1.0.172) WordPress themes are vulnerable to authenticated options changes due to companion_disable_popup not fully validating input before update_option. This allows authenticated attackers to modify restricted options. Remediation: upgrade Mesme...