Search criteria
11 vulnerabilities by blazethemes
CVE-2025-13334 (GCVE-0-2025-13334)
Vulnerability from cvelistv5 – Published: 2025-12-12 03:20 – Updated: 2025-12-12 18:39
VLAI?
Summary
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the "blaze_demo_importer_install_demo" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder.
Severity ?
8.1 (High)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Blaze Demo Importer |
Affected:
1.0.0 , ≤ 1.0.13
(semver)
|
Credits
Kenneth Dunn
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13334",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T18:39:38.816851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T18:39:51.275Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blaze Demo Importer",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.13",
"status": "affected",
"version": "1.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kenneth Dunn"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized database resets and file deletion due to a missing capability check on the \"blaze_demo_importer_install_demo\" function in all versions up to, and including, 1.0.13. This makes it possible for authenticated attackers, with subscriber level access and above, to reset the database by truncating all tables (except options, usermeta, and users), delete all sidebar widgets, theme modifications, and content of the uploads folder."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T03:20:58.895Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d83cd6a0-d69c-4e6c-b76f-00c398b5f7e6?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blaze-demo-importer/tags/1.0.13/blaze-demo-importer.php?marks=67-89#L68"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-06T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-12-11T15:12:44.000+00:00",
"value": "Disclosed"
}
],
"title": "Blaze Demo Importer 1.0.0 - 1.0.13 - Missing Authorization to Authenticated (Subscriber+) Database Reset and File Deletion"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-13334",
"datePublished": "2025-12-12T03:20:58.895Z",
"dateReserved": "2025-11-17T20:03:30.316Z",
"dateUpdated": "2025-12-12T18:39:51.275Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8446 (GCVE-0-2025-8446)
Vulnerability from cvelistv5 – Published: 2025-09-16 11:17 – Updated: 2025-09-16 19:30
VLAI?
Summary
The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the 'blaze_demo_importer_install_plugin' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Blaze Demo Importer |
Affected:
* , ≤ 1.0.12
(semver)
|
Credits
wesley
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-8446",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-16T19:29:56.774556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T19:30:06.936Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Blaze Demo Importer",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.12",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "wesley"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Blaze Demo Importer plugin for WordPress is vulnerable to unauthorized limited plugin install due to a missing capability check on the \u0027blaze_demo_importer_install_plugin\u0027 function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate a limited number of specific plugins. The News Kit Elementor Addons plugin and a BlazeThemes theme must be installed and activated in order to exploit the vulnerability."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-16T11:17:09.118Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a91bd1cf-ac63-4d65-b9fc-3fa2507cc27e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/blaze-demo-importer/trunk/blaze-demo-importer.php#L91"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3361179/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-15T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Blaze Demo Importer \u003c= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Install"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-8446",
"datePublished": "2025-09-16T11:17:09.118Z",
"dateReserved": "2025-07-31T19:44:08.833Z",
"dateUpdated": "2025-09-16T19:30:06.936Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-54037 (GCVE-0-2025-54037)
Vulnerability from cvelistv5 – Published: 2025-07-16 10:36 – Updated: 2025-07-16 20:02
VLAI?
Summary
Missing Authorization vulnerability in blazethemes News Kit Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through 1.3.4.
Severity ?
5.4 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | News Kit Elementor Addons |
Affected:
n/a , ≤ 1.3.4
(custom)
|
Credits
zaim (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54037",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-16T20:01:51.808188Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T20:02:00.434Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "news-kit-elementor-addons",
"product": "News Kit Elementor Addons",
"vendor": "blazethemes",
"versions": [
{
"changes": [
{
"at": "1.3.5",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "zaim (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eMissing Authorization vulnerability in blazethemes News Kit Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels.\u003c/p\u003e\u003cp\u003eThis issue affects News Kit Elementor Addons: from n/a through 1.3.4.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in blazethemes News Kit Elementor Addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects News Kit Elementor Addons: from n/a through 1.3.4."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-16T10:36:48.754Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/news-kit-elementor-addons/vulnerability/wordpress-news-kit-elementor-addons-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress News Kit Elementor Addons plugin to the latest available version (at least 1.3.5)."
}
],
"value": "Update the WordPress News Kit Elementor Addons plugin to the latest available version (at least 1.3.5)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress News Kit Elementor Addons plugin \u003c= 1.3.4 - Broken Access Control Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-54037",
"datePublished": "2025-07-16T10:36:48.754Z",
"dateReserved": "2025-07-16T08:51:58.889Z",
"dateUpdated": "2025-07-16T20:02:00.434Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-32196 (GCVE-0-2025-32196)
Vulnerability from cvelistv5 – Published: 2025-04-04 15:59 – Updated: 2025-04-04 20:12
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in blazethemes News Kit Elementor Addons allows Stored XSS. This issue affects News Kit Elementor Addons: from n/a through 1.3.1.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | News Kit Elementor Addons |
Affected:
n/a , ≤ 1.3.1
(custom)
|
Credits
João Pedro S Alcântara (Kinorth) (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-32196",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-04T19:53:06.398910Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T20:12:33.661Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "news-kit-elementor-addons",
"product": "News Kit Elementor Addons",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.3.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in blazethemes News Kit Elementor Addons allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects News Kit Elementor Addons: from n/a through 1.3.1.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in blazethemes News Kit Elementor Addons allows Stored XSS. This issue affects News Kit Elementor Addons: from n/a through 1.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-04T15:59:07.935Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/news-kit-elementor-addons/vulnerability/wordpress-news-kit-elementor-addons-plugin-1-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress News Kit Elementor Addons plugin \u003c= 1.3.1 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-32196",
"datePublished": "2025-04-04T15:59:07.935Z",
"dateReserved": "2025-04-04T10:01:28.633Z",
"dateUpdated": "2025-04-04T20:12:33.661Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37473 (GCVE-0-2024-37473)
Vulnerability from cvelistv5 – Published: 2025-01-02 12:00 – Updated: 2025-01-02 14:52
VLAI?
Summary
Cross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery.This issue affects Trendy News: from n/a through 1.0.15.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BlazeThemes | Trendy News |
Affected:
n/a , ≤ 1.0.15
(custom)
|
Credits
Dhabaleshwar Das (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-02T14:45:38.478595Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T14:52:05.775Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/themes",
"defaultStatus": "unaffected",
"packageName": "trendy-news",
"product": "Trendy News",
"vendor": "BlazeThemes",
"versions": [
{
"changes": [
{
"at": "1.0.16",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.0.15",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eCross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery.\u003c/p\u003e\u003cp\u003eThis issue affects Trendy News: from n/a through 1.0.15.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in BlazeThemes Trendy News allows Cross Site Request Forgery.This issue affects Trendy News: from n/a through 1.0.15."
}
],
"impacts": [
{
"capecId": "CAPEC-62",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-62 Cross Site Request Forgery"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-02T12:00:55.611Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/theme/trendy-news/vulnerability/wordpress-trendy-news-theme-1-0-15-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress Trendy News theme to the latest available version (at least 1.0.16)."
}
],
"value": "Update the WordPress Trendy News theme to the latest available version (at least 1.0.16)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Trendy News theme \u003c= 1.0.15 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37473",
"datePublished": "2025-01-02T12:00:55.611Z",
"dateReserved": "2024-06-09T11:43:13.095Z",
"dateUpdated": "2025-01-02T14:52:05.775Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-54260 (GCVE-0-2024-54260)
Vulnerability from cvelistv5 – Published: 2024-12-09 11:32 – Updated: 2024-12-09 18:39
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in BlazeThemes News Kit Elementor Addons allows Stored XSS.This issue affects News Kit Elementor Addons: from n/a through 1.2.2.
Severity ?
6.5 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| BlazeThemes | News Kit Elementor Addons |
Affected:
n/a , ≤ 1.2.2
(custom)
|
Credits
Gab (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-54260",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-09T13:28:29.445688Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T18:39:31.148Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "news-kit-elementor-addons",
"product": "News Kit Elementor Addons",
"vendor": "BlazeThemes",
"versions": [
{
"lessThanOrEqual": "1.2.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Gab (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eImproper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in BlazeThemes News Kit Elementor Addons allows Stored XSS.\u003c/p\u003e\u003cp\u003eThis issue affects News Kit Elementor Addons: from n/a through 1.2.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in BlazeThemes News Kit Elementor Addons allows Stored XSS.This issue affects News Kit Elementor Addons: from n/a through 1.2.2."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-09T11:32:11.925Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/news-kit-elementor-addons/vulnerability/wordpress-news-kit-elementor-addons-plugin-1-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress News Kit Elementor Addons plugin \u003c= 1.2.2 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-54260",
"datePublished": "2024-12-09T11:32:11.925Z",
"dateReserved": "2024-12-02T12:03:42.957Z",
"dateUpdated": "2024-12-09T18:39:31.148Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-10578 (GCVE-0-2024-10578)
Vulnerability from cvelistv5 – Published: 2024-12-06 05:26 – Updated: 2024-12-06 16:07
VLAI?
Summary
The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities.
Severity ?
8.8 (High)
CWE
- CWE-434 - Unrestricted Upload of File with Dangerous Type
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Pubnews |
Affected:
* , ≤ 1.0.7
(semver)
|
Credits
Kevin Murphy
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:blazethemes:pubnews:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "pubnews",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.7",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-10578",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-06T16:05:34.385926Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T16:07:41.393Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Pubnews",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.0.7",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kevin Murphy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Pubnews theme for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the pubnews_importer_plugin_action_for_notice() function in all versions up to, and including, 1.0.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins that can be leveraged to exploit other vulnerabilities."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434 Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-06T05:26:15.514Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7eaa0117-5320-431f-b3d2-05a867901528?source=cve"
},
{
"url": "https://themes.trac.wordpress.org/browser/pubnews/1.0.7/inc/admin/admin.php#L1017"
},
{
"url": "https://themes.trac.wordpress.org/changeset/250743/pubnews/1.0.8?contextall=1\u0026old=245552\u0026old_path=%2Fpubnews%2F1.0.7"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-12-05T16:47:54.000+00:00",
"value": "Disclosed"
}
],
"title": "Pubnews \u003c= 1.0.7 - Unauthenticated Arbitrary Plugin Installation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-10578",
"datePublished": "2024-12-06T05:26:15.514Z",
"dateReserved": "2024-10-31T12:31:56.380Z",
"dateUpdated": "2024-12-06T16:07:41.393Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37468 (GCVE-0-2024-37468)
Vulnerability from cvelistv5 – Published: 2024-11-01 14:18 – Updated: 2024-11-01 18:19
VLAI?
Summary
Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newsmatic: from n/a through 1.3.1.
Severity ?
5.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Newsmatic |
Affected:
n/a , ≤ 1.3.1
(custom)
|
Credits
Dhabaleshwar Das (Patchstack Alliance)
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:blazethemes:newsmatic:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "newsmatic",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.3.1",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37468",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T18:17:50.346044Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T18:19:25.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/themes",
"defaultStatus": "unaffected",
"packageName": "newsmatic",
"product": "Newsmatic",
"vendor": "blazethemes",
"versions": [
{
"changes": [
{
"at": "1.3.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.1",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Newsmatic: from n/a through 1.3.1.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in blazethemes Newsmatic allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Newsmatic: from n/a through 1.3.1."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T14:18:18.704Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/newsmatic/wordpress-newsmatic-theme-1-3-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.3.3 or a higher version."
}
],
"value": "Update to 1.3.3 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Newsmatic theme \u003c= 1.3.1 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37468",
"datePublished": "2024-11-01T14:18:18.704Z",
"dateReserved": "2024-06-09T08:52:28.718Z",
"dateUpdated": "2024-11-01T18:19:25.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-9541 (GCVE-0-2024-9541)
Vulnerability from cvelistv5 – Published: 2024-10-22 07:36 – Updated: 2024-10-22 13:14
VLAI?
Summary
The News Kit Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the render function in includes/widgets/canvas-menu/canvas-menu.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.
Severity ?
4.3 (Medium)
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | News Kit Elementor Addons |
Affected:
* , ≤ 1.2.1
(semver)
|
Credits
Nir KUM
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-9541",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-22T13:14:12.815829Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T13:14:20.285Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "News Kit Elementor Addons",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.2.1",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Nir KUM"
}
],
"descriptions": [
{
"lang": "en",
"value": "The News Kit Elementor Addons plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.2.1 via the render function in includes/widgets/canvas-menu/canvas-menu.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-22T07:36:35.355Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ffc5408c-ca31-4cb6-8cb5-063acbbad01e?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3169975/news-kit-elementor-addons"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-08T00:00:00.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-10-21T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "News Kit Elementor Addons \u003c= 1.2.1 - Authenticated (Contributor+) Sensitive Information Exposure via Canvas Menu Elementor Template"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-9541",
"datePublished": "2024-10-22T07:36:35.355Z",
"dateReserved": "2024-10-04T18:49:02.680Z",
"dateUpdated": "2024-10-22T13:14:20.285Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-37198 (GCVE-0-2024-37198)
Vulnerability from cvelistv5 – Published: 2024-06-21 13:46 – Updated: 2024-08-02 03:50
VLAI?
Summary
Cross-Site Request Forgery (CSRF) vulnerability in blazethemes Digital Newspaper.This issue affects Digital Newspaper: from n/a through 1.1.5.
Severity ?
4.3 (Medium)
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Assigner
References
| URL | Tags | |
|---|---|---|
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Digital Newspaper |
Affected:
n/a , ≤ 1.1.5
(custom)
|
Credits
Dhabaleshwar Das (Patchstack Alliance)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T20:05:39.581924Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-24T17:39:31.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.279Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/digital-newspaper/wordpress-digital-newspaper-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/themes",
"defaultStatus": "unaffected",
"packageName": "digital-newspaper",
"product": "Digital Newspaper",
"vendor": "blazethemes",
"versions": [
{
"changes": [
{
"at": "1.1.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.1.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in blazethemes Digital Newspaper.\u003cp\u003eThis issue affects Digital Newspaper: from n/a through 1.1.5.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in blazethemes Digital Newspaper.This issue affects Digital Newspaper: from n/a through 1.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-21T13:46:27.866Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/digital-newspaper/wordpress-digital-newspaper-theme-1-1-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.1.6 or a higher version."
}
],
"value": "Update to 1.1.6 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Digital Newspaper theme \u003c= 1.1.5 - Cross Site Request Forgery (CSRF) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37198",
"datePublished": "2024-06-21T13:46:27.866Z",
"dateReserved": "2024-06-04T16:45:43.450Z",
"dateUpdated": "2024-08-02T03:50:55.279Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-1587 (GCVE-0-2024-1587)
Vulnerability from cvelistv5 – Published: 2024-04-09 18:59 – Updated: 2025-08-26 20:08
VLAI?
Summary
The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the 'newsmatic_filter_posts_load_tab_content'. This makes it possible for unauthenticated attackers to view draft posts and post content.
Severity ?
5.3 (Medium)
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| blazethemes | Newsmatic |
Affected:
* , ≤ 1.3.4
(semver)
|
Credits
Krzysztof Zając
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-1587",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:16:26.612598Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-26T20:08:09.716Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T18:40:21.457Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd2ea430-48ce-43c3-ba3d-8ef5f91460ce?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://themes.trac.wordpress.org/browser/newsmatic/1.3.0/inc/template-functions.php#L634"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Newsmatic",
"vendor": "blazethemes",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Krzysztof Zaj\u0105c"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Newsmatic theme for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.3.0 via the \u0027newsmatic_filter_posts_load_tab_content\u0027. This makes it possible for unauthenticated attackers to view draft posts and post content."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-862 Missing Authorization",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-04-09T18:59:18.626Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd2ea430-48ce-43c3-ba3d-8ef5f91460ce?source=cve"
},
{
"url": "https://themes.trac.wordpress.org/browser/newsmatic/1.3.0/inc/template-functions.php#L634"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-03-25T00:00:00.000+00:00",
"value": "Disclosed"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-1587",
"datePublished": "2024-04-09T18:59:18.626Z",
"dateReserved": "2024-02-16T16:23:10.143Z",
"dateUpdated": "2025-08-26T20:08:09.716Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}