High severity 8.8 · NVD Advisory · Published Jun 7, 2023 · Updated Apr 8, 2026
CVE-2019-25142
Description
The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including, 1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to the 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.
Affected products
- cpe:2.3:a:extendthemes:materialis:*:*:*:*:*:wordpress:*:* (range: <1.0.173)
- (no CPE) (range: <=1.0.172)
References
- themes.trac.wordpress.org/changeset [nvd] Patch, Release Notes
- themes.trac.wordpress.org/changeset [nvd] Patch, Release Notes
- www.wordfence.com/threat-intel/vulnerabilities/id/8c9c3302-47cd-4dbe-b79e-5e6032928074 [nvd] Patch, Third Party Advisory
- blog.nintechnet.com/wordpress-mesmerize-and-materialis-themes-fixed-an-authenticated-options-change-vulnerability/ [nvd] Exploit, Technical Description, Third Party Advisory
- wpscan.com/vulnerability/e4d70f03-69d5-4cca-8300-985f68d19ddc [nvd] Third Party Advisory
- wordpress.org/themes/materialis/ [nvd] Product
- wordpress.org/themes/mesmerize/ [nvd] Product