VYPR

Discy

by WordPress

CVEs (3)

  • CVE-2022-1323MedAug 8, 2022
    risk 0.42cvss 6.5epss 0.01

    The Discy WordPress theme before 5.0 lacks authorization checks then processing ajax requests to the discy_update_options action, allowing any logged in users (with privileges as low as Subscriber,) to change Theme options by sending a crafted POST request.

  • CVE-2022-1422MedJun 8, 2022
    risk 0.42cvss 6.5epss 0.01

    The Discy WordPress theme before 5.2 does not check for CSRF tokens in the AJAX action discy_reset_options, allowing an attacker to trick an admin into resetting the site settings back to defaults.

  • CVE-2022-1421MedJun 8, 2022
    risk 0.28cvss 4.3epss 0.01

    The Discy WordPress theme before 5.2 lacks CSRF checks in some AJAX actions, allowing an attacker to make a logged in admin change arbitrary 's settings including payment methods via a CSRF attack