CVE-2022-42479

Vulnerability

The Soledad premium WordPress theme, versions n/a through 8.2.5, contains a Missing Authorization vulnerability [1]. This broken access control issue means that certain functions lack proper authorization, authentication, or nonce token checks, allowing unprivileged users to execute higher-privileged actions [1].

Exploitation

An attacker does not require any special privileges beyond being able to interact with the website. No user interaction is needed. The vulnerability can be exploited remotely by sending crafted requests to the affected theme endpoints that bypass access control checks [1].

Impact

Successful exploitation leads to unauthorized access to functionality that should be constrained by ACLs. The attacker can perform actions reserved for higher-privileged users, potentially leading to information disclosure or site manipulation [1].

Mitigation

The vendor has released version 8.2.6 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, a mitigation rule from Patchstack is available to block attacks until the update is applied [1].