Unauthenticated Privilege Escalation in Discy WordPress Theme

Unauthenticated Privilege Escalation in Discy WordPress Theme

CVE-2022-1323 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change Theme options by sending a crafted POST request.

Learn more about our Wordpress Pen Testing.