Home » Archives for James Golovich » Page 12

Author: James Golovich

ThemeBlvd theme framework vulnerability

ThemeBlvd

 

The ThemeBlvd theme framework doesn’t properly authenticate if a user is able to commit specific actions.  We uncovered two specific vulnerabilities in their product and notified the vendor.  This release was made after the vendor notified us a fix was released.

The first could be used to damage a WordPress site and possibly could be used for much more.


/**
* Clear set of options. Hooked to "admin_init".
*
* @since 2.3.0
*/
function themeblvd_clear_options() {
if ( isset( $_POST['themeblvd_clear___options'] ) ) {
$option_id = $_POST['themeblvd_clear___options'];
delete_option( $option_id );
add_settings_error( $option_id , 'clear_defaults',
__( 'Options cleared from database.', 'themeblvd' ),
'themeblvd-error error fade' );
}
}

This code doesn’t authenticate the user in any way, so it allows any user to delete an arbitrary option from the wp_options table.

The second vulnerability allows a user to set any of their user_meta data to ‘true’. Which could be leveraged for additional access.

function themeblvd_disable_nag() {

global $current_user;

if ( isset( $_GET[‘tb_nag_ignore’] ) ) {
add_user_meta( $current_user->ID, $_GET[‘tb_nag_ignore’], ‘true’, true );
}
}

I notified the author Jason Bobich on 11/2/2014. The first issue was fixed around 11/26/2014 and the second around 12/9/2014.

Themes Affected

Plugins Affected