CVE-2023-32959
Description
Missing authorization in MetroStore WordPress theme up to 1.3.2 allows unauthenticated attackers to perform privileged actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
MetroStore WordPress theme versions through 1.3.2 contain a missing authorization vulnerability [1]. The theme fails to properly enforce access control checks on certain functions, allowing unauthenticated or low-privileged users to access administrative capabilities.
Exploitation
An attacker with no prior authentication or with a low-privileged account can exploit this broken access control by sending crafted requests to the vulnerable endpoints [1]. No special network position or user interaction is required; the attack can be performed remotely.
Impact
Successful exploitation enables an unprivileged attacker to execute actions that should be restricted to higher-privileged users, such as modifying theme settings or other administrative operations [1]. This can lead to unauthorized changes to the website's configuration.
Mitigation
The theme has not received updates for over a year and is likely abandoned; no official patch is available [1]. The recommended mitigation is to remove and replace the theme with an actively maintained alternative. Deactivating the theme does not eliminate the security risk. Patchstack offers a mitigation rule to block attacks until a permanent fix can be applied [1].
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries (<=1.3.2, + 1 more)
- (no CPE), range: <=1.3.2
- (no CPE), range: <=1.3.2
Patches
0 (no patches discovered yet)
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1
News mentions
0 (no linked articles in our index yet)