The ThemeBlvd theme framework doesn't properly check whether a user is authorized to perform specific actions. We uncovered two vulnerabilities in the product and notified the vendor. This advisory is being released after the vendor notified us that a fix was available.
The first could be used to damage a WordPress site and possibly for much more.
/**
 * Clear set of options. Hooked to "admin_init".
 *
 * @since 2.3.0
 */
function themeblvd_clear_options() {
    if ( isset( $_POST['themeblvd_clear___options'] ) ) {
        $option_id = $_POST['themeblvd_clear___options'];
        delete_option( $option_id );
        add_settings_error( $option_id, 'clear_defaults',
            __( 'Options cleared from database.', 'themeblvd' ),
            'themeblvd-error error fade' );
    }
}
This code doesn't check the user's identity or capabilities in any way, so it allows any user to delete an arbitrary option from the wp_options table.
The second vulnerability allows a user to set any of their user_meta keys to 'true', which could be leveraged for additional access.
function themeblvd_disable_nag() {
    global $current_user;
    if ( isset( $_GET['tb_nag_ignore'] ) ) {
        add_user_meta( $current_user->ID, $_GET['tb_nag_ignore'], 'true', true );
    }
}
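For comparison, here are the two handlers above rewritten with a capability check, a nonce check and an allow-list of writable keys. This is an added example, not the vendor's actual fix; the nonce action names and the allowed meta key names are assumptions.

```php
<?php
/**
 * Hardened variants of the two ThemeBlvd handlers (added example, not the
 * vendor's patch). Assumes the form that posts themeblvd_clear___options was
 * rendered with wp_nonce_field( 'themeblvd_clear_options' ) and the nag link
 * was built with wp_nonce_url( $url, 'themeblvd_disable_nag' ); both action
 * names are assumptions.
 */

function themeblvd_clear_options_hardened() {
    if ( ! isset( $_POST['themeblvd_clear___options'] ) ) {
        return;
    }
    // Authorization: only users allowed to manage site options may proceed.
    // admin_init also fires for low-privilege and admin-ajax requests.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // CSRF: the request must carry a valid nonce for this specific action
    // (check_admin_referer() stops execution when the nonce is invalid).
    check_admin_referer( 'themeblvd_clear_options' );

    $option_id = sanitize_key( $_POST['themeblvd_clear___options'] );
    delete_option( $option_id );
    add_settings_error( $option_id, 'clear_defaults',
        __( 'Options cleared from database.', 'themeblvd' ),
        'themeblvd-error error fade' );
}

function themeblvd_disable_nag_hardened() {
    if ( ! isset( $_GET['tb_nag_ignore'] ) ) {
        return;
    }
    // Only a logged-in user has user meta to write.
    if ( ! is_user_logged_in() ) {
        return;
    }
    check_admin_referer( 'themeblvd_disable_nag' );

    // Allow-list the meta keys this feature may set instead of letting the
    // request name an arbitrary key (the key names here are assumed).
    $allowed = array( 'themeblvd_ignore_update_nag', 'themeblvd_ignore_welcome_nag' );
    $key     = sanitize_key( $_GET['tb_nag_ignore'] );
    if ( ! in_array( $key, $allowed, true ) ) {
        return;
    }
    add_user_meta( get_current_user_id(), $key, 'true', true );
}
```

The allow-list is what closes the second bug: with a nonce alone, a logged-in user could still name any meta key for their own account.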
I notified the author Jason Bobich on 11/2/2014. The first issue was fixed around 11/26/2014 and the second around 12/9/2014.
Themes Affected
- WP Jump Start (version 1.2.4)
- Alyeska (version 3.1.4)
- Akita (version 2.1.4)
- Arcadian Responsive (version 2.0.5)
- Swagger (version 2.1.4)
- Commodore (version 3.0.2)
- Barely Corporate (version 4.1.4)
Plugins Affected
- Theme Blvd Shortcodes (version 1.5.2)
- Theme Blvd Widget Areas (version 1.2.2)
- Theme Blvd Layout Builder (version 2.0.1)
- Theme Blvd Sliders (version 1.2.3)