CVE-2023-28619
Description
Missing Authorization vulnerability in bnayawpguy Resoto allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Resoto: from n/a through 1.0.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Resoto WordPress theme through version 1.0.8 contains a missing authorization vulnerability allowing authenticated attackers to activate arbitrary plugins.
The Resoto WordPress theme, versions from n/a through 1.0.8, suffers from a missing authorization vulnerability. The issue stems from a broken access control mechanism: the theme fails to properly verify user capabilities or nonce tokens before allowing plugin activation actions. This flaw enables authenticated users with lower privileges to perform actions that should be restricted to higher-privileged roles such as administrators [1].
To exploit this vulnerability, an attacker must first have an authenticated session on the WordPress site, such as a subscriber or contributor account. No additional network position is required beyond standard web access. The attacker can then craft a request to activate any plugin installed on the site, bypassing the intended access control checks [1].
The impact of successful exploitation is that an attacker can enable arbitrary plugins, potentially including those with further security vulnerabilities or backdoor functionality. This could lead to site compromise, data theft, or defacement, depending on the capabilities of the activated plugin. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploitation campaigns targeting thousands of sites [1].
As a mitigation, users should update the Resoto theme to a patched version beyond 1.0.8 immediately. If updating is not possible, site administrators should review and restrict user roles, or consult with their hosting provider for additional security measures [1].
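As an added illustration of the access-control pattern described above (not code from the Resoto theme or from this page), a hypothetical theme-side AJAX handler for plugin activation is shown first without any authorization check and then gated the way WordPress expects: a nonce check and a `current_user_can( 'activate_plugins' )` check before `activate_plugin()` runs. The action name, function names, nonce action string and POST field names are assumptions.

```php
<?php
// Added illustration, not Resoto's code. Hypothetical theme AJAX handler
// that activates a plugin; names and the nonce action string are assumed.

// Vulnerable pattern: any logged-in user can call the wp_ajax_ action
// and no capability or nonce check is performed before activation.
function theme_activate_plugin_unsafe() {
    $plugin = isset( $_POST['plugin'] ) ? wp_unslash( $_POST['plugin'] ) : '';
    $result = activate_plugin( $plugin ); // no authorization check at all
    wp_send_json( array( 'ok' => ! is_wp_error( $result ) ) );
}

// Hardened pattern: verify the nonce, then require the capability that
// WordPress itself uses for plugin activation, then validate the input.
function theme_activate_plugin_safe() {
    // Rejects requests that do not carry a nonce issued for this action
    // (check_ajax_referer dies with HTTP 403 on failure).
    check_ajax_referer( 'theme_activate_plugin', 'nonce' );

    // Subscribers and contributors do not hold this capability; only roles
    // that may activate plugins get past this point.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient capability' ), 403 );
    }

    $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';

    // Only allow plugin files WordPress already knows about.
    if ( '' === $plugin || ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( array( 'message' => 'unknown plugin' ), 400 );
    }

    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'activated' => $plugin ) );
}

// Register only the hardened handler. wp_ajax_ hooks fire for logged-in
// users only; the capability check inside decides who may actually activate.
add_action( 'wp_ajax_theme_activate_plugin', 'theme_activate_plugin_safe' );

// The nonce for the request is issued to the admin page with
//   wp_create_nonce( 'theme_activate_plugin' )
// and sent back as the `nonce` POST field.
```

When auditing a theme or plugin for this class of bug, look for every `wp_ajax_*`, `admin_post_*` or REST callback that reaches `activate_plugin()` and confirm both checks appear before it.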
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 1.0.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.