High severity8.8NVD Advisory· Published Jun 7, 2023· Updated Apr 8, 2026

CVE-2019-25142

Description

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.

Affected products

Extendthemes/Materialis
cpe:2.3:a:extendthemes:materialis:*:*:*:*:*:wordpress:*:*
Range: <1.0.173
Extendthemes/Mesmerize
cpe:2.3:a:extendthemes:mesmerize:*:*:*:*:*:wordpress:*:*
Range: <1.6.90

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

themes.trac.wordpress.org/changesetnvdPatchRelease Notes
themes.trac.wordpress.org/changesetnvdPatchRelease Notes
www.wordfence.com/threat-intel/vulnerabilities/id/8c9c3302-47cd-4dbe-b79e-5e6032928074nvdPatchThird Party Advisory
blog.nintechnet.com/wordpress-mesmerize-and-materialis-themes-fixed-an-authenticated-options-change-vulnerability/nvdExploitTechnical DescriptionThird Party Advisory
wpscan.com/vulnerability/e4d70f03-69d5-4cca-8300-985f68d19ddcnvdThird Party Advisory
wordpress.org/themes/materialis/nvdProduct
wordpress.org/themes/mesmerize/nvdProduct

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000