CVE-2024-1047
Published: 2024-02-02
Priority: P4 (29)
Severity: medium, CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.56% (42.3rd percentile)
Multiple plugins and/or themes for WordPress that bundle the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update option values that ThemeIsle uses to track promotional activity via utm_source. The CVSS vector reflects this scope: network-reachable with no privileges or user interaction, but only a low integrity impact (I:L) and no confidentiality or availability impact. Note that the GHSA text below describes the writable data as "the connected API keys" rather than tracking options; confirm the affected option names against the patched changeset for the plugin you run.
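The bug class here is a WordPress request handler that writes site options without checking the caller's capability (CWE-862). The block below is an added illustration of that pattern beside its hardened form; it is hypothetical code written for this page, not the ThemeIsle SDK's real register_reference() implementation, and the hook names, option name, nonce action and allowed values are all assumptions.

```php
<?php
/**
 * Added illustration of a missing-capability-check bug in a WordPress
 * AJAX handler (CWE-862) and its hardened form. Hypothetical code: the
 * hook, option and nonce names are assumptions, not the ThemeIsle SDK's
 * actual register_reference() code.
 */

// --- Vulnerable pattern -------------------------------------------------
// Registered for both logged-in (wp_ajax_) and logged-out (wp_ajax_nopriv_)
// callers, with no capability check and no nonce: anyone who can reach
// admin-ajax.php can overwrite the option with a value of their choosing.
add_action( 'wp_ajax_example_register_reference', 'example_register_reference_vulnerable' );
add_action( 'wp_ajax_nopriv_example_register_reference', 'example_register_reference_vulnerable' );

function example_register_reference_vulnerable() {
    if ( isset( $_POST['reference_key'] ) ) {
        $value = sanitize_text_field( wp_unslash( $_POST['reference_key'] ) );
        // Attacker-controlled write to a site option; sanitising the string
        // does nothing about the missing authorization check.
        update_option( 'example_utm_source_reference', $value );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---------------------------------------------------
// No nopriv variant, so anonymous requests never reach the handler; the
// request must carry a valid nonce (CSRF) and the caller must hold the
// manage_options capability (authorization). Both checks are needed: a
// nonce proves intent, not privilege, and a capability check alone still
// lets a logged-in admin be CSRF'd.
add_action( 'wp_ajax_example_register_reference_safe', 'example_register_reference_hardened' );

function example_register_reference_hardened() {
    // Terminates the request if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_register_reference_nonce', 'nonce' );

    // Authorization: the option is site configuration, so require manage_options.
    // wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    if ( ! isset( $_POST['reference_key'] ) ) {
        wp_send_json_error( array( 'message' => 'Missing reference_key.' ), 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['reference_key'] ) );

    // Allow-list what may be stored rather than accepting any string
    // (assumed set of valid referrer labels for this illustration).
    $allowed = array( 'dashboard', 'plugins_page', 'welcome_notice' );
    if ( ! in_array( $value, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown reference.' ), 400 );
    }

    update_option( 'example_utm_source_reference', $value );
    wp_send_json_success( array( 'stored' => $value ) );
}
```

When auditing a plugin for this class of issue, grep for every `wp_ajax_nopriv_` and `register_rest_route()` registration whose callback reaches `update_option()`, `add_option()` or `update_post_meta()`, and confirm a `current_user_can()` check (or a REST `permission_callback` that is not `__return_true`) sits on the path before the write. The changeset linked under References is the place to diff the real fix for the SDK.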
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| optimole | optimole_optimize_images_in_real_time | <= 3.12.4 | — |
| optimole | super_page_cache | <= 4.7.5 | — |
| rsocial | revive_social_social_media_auto_post_and_scheduling_automation_plugin | <= 9.0.25 | — |
| themeisle | menu_icons_by_themeisle | <= 0.13.8 | — |
| themeisle | multiple_page_generator_plugin_mpg | <= 3.4.0 | — |
| themeisle | orbit_fox | <= 2.10.28 | — |
| themeisle | ppom_product_addons_custom_fields_for_woocommerce | <= 32.0.9 | — |
| themeisle | starter_sites_templates_by_neve | <= 1.2.6 | — |
| themeisle | visualizer_tables_and_charts_manager_for_wordpress | <= 3.10.6 | — |
VulDB
CVE-2024-1047 [MEDIUM] ThemeIsle Orbit Fox Plugin up to 2.10.28 on WordPress authorization (ID 3029507)
Source: vuldb, 2026-04-11, CVSS 5.3
A vulnerability was found in ThemeIsle Orbit Fox Plugin up to 2.10.28 on WordPress and classified as critical. This affects an unknown part. The manipulation results in missing authorization.
This vulnerability is identified as CVE-2024-1047. The attack can be executed remotely. No exploit is available.
GHSA
CVE-2024-1047 [MEDIUM] CWE-862 GHSA-f527-jggh-c37w
Source: ghsa_unreviewed, 2024-02-02
The Orbit Fox by ThemeIsle plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in all versions up to, and including, 2.10.28. This makes it possible for unauthenticated attackers to update the connected API keys.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php#L175
- https://plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.php
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3040302%40templates-patterns-collection&new=3040302%40templates-patterns-collection&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783d?source=cve