CVE-2019-25142

HIGH

WordPress Mesmerize & Materialis <1.6.89-1.0.172 - Authenticated Op...

Title source: llm
STIX 2.1

Description

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.

Scores

CVSS v3 8.8
EPSS 0.0131
EPSS Percentile 67.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-862
Status published
Products (4)
extendthemes/Materialis < 1.0.172
extendthemes/materialis < 1.0.173
extendthemes/Mesmerize < 1.6.89
extendthemes/mesmerize < 1.6.90
Published Jun 07, 2023
Tracked Since Feb 18, 2026