CVE-2024-1047

State: PUBLISHED · Published: 2024-02-02 · Updated: 2026-04-08 · Assigner: Wordfence

Description

Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.

CWE

CWE-862 — CWE-862 Missing Authorization

Affected

themeisle / Menu Icons by ThemeIsle — v=0 ≤0.13.8 [affected]
themeisle / Starter Sites & Templates by Neve — v=0 ≤1.2.6 [affected]
themeisle / Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE — v=0 ≤2.6.2 [affected]
themeisle / LightStart – Maintenance Mode, Coming Soon and Landing Page Builder — v=0 ≤2.6.9 [affected]
themeisle / Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More — v=0 ≤2.10.28 [affected]
themeisle / Multiple Page Generator Plugin – MPG — v=0 ≤3.4.0 [affected]
themeisle / Visualizer: Tables and Charts Manager for WordPress — v=0 ≤3.10.6 [affected]
optimole / Optimole – Optimize Images in Real Time — v=0 ≤3.12.4 [affected]
themeisle / RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator — v=0 ≤4.4.1 [affected]
optimole / Super Page Cache — v=0 ≤4.7.5 [affected]
rsocial / Revive Social – Social Media Auto Post and Scheduling Automation Plugin — v=0 ≤9.0.25 [affected]
themeisle / PPOM – Product Addons & Custom Fields for WooCommerce — v=0 ≤32.0.9 [affected]

CVSS

3.1 score=5.3 severity=MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

References

Source

cvelistV5-main/cves/2024/1xxx/CVE-2024-1047.json