Medium severity5.3NVD Advisory· Published Feb 2, 2024· Updated Apr 8, 2026

CVE-2024-1047

Description

Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.

Affected products

Themeisle/Orbit Fox
cpe:2.3:a:themeisle:orbit_fox:*:*:*:*:*:wordpress:*:*
Range: <=2.10.28

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/themeisle-companion/trunk/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.phpnvdPatch
plugins.trac.wordpress.org/changeset/3029507/themeisle-companion/tags/2.10.29/vendor/codeinwp/themeisle-sdk/src/Modules/Promotions.phpnvdPatch
www.wordfence.com/threat-intel/vulnerabilities/id/6147582f-578a-47ad-b16c-65c37896783dnvdThird Party Advisory
plugins.trac.wordpress.org/changesetnvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000