Vulnerabilites related to kriesi - enfold
Vulnerability from fkie_nvd
Published
2014-10-13 10:55
Modified
2024-11-21 02:16
Severity ?
Summary
Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "EE7B3A4E-19B4-46FF-BE8F-A804ACE5CCA6", versionEndIncluding: "3.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.", }, { lang: "es", value: "Vulnerabilidad no especificada en el Framework de carpetas en el tema Enfold anterior a 3.0.1 para WordPress tiene impacto y vectores de ataque desconocidos.", }, ], id: "CVE-2014-7297", lastModified: "2024-11-21T02:16:42.577", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 10, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:N/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 10, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], }, published: "2014-10-13T10:55:08.450", references: [ { source: "cve@mitre.org", tags: [ "Patch", "Vendor Advisory", ], url: "http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, { source: "cve@mitre.org", url: "https://wpvulndb.com/vulnerabilities/9809", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Vendor Advisory", ], url: "http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://wpvulndb.com/vulnerabilities/9809", }, ], sourceIdentifier: "cve@mitre.org", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "NVD-CWE-noinfo", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2025-02-25 10:15
Modified
2025-02-28 01:34
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Summary
The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "7B9C8C8B-1A91-4325-822A-9EABB7B2D57F", versionEndExcluding: "7.0.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.", }, { lang: "es", value: " El tema Enfold para WordPress es vulnerable a la falsificación de Server-Side Request Forgery en todas las versiones hasta la 6.0.9 incluida a través del parámetro 'attachment_id'. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, realicen solicitudes web a ubicaciones arbitrarias que se originan en la aplicación web y se pueden usar para consultar y modificar información de servicios internos.", }, ], id: "CVE-2024-13695", lastModified: "2025-02-28T01:34:39.920", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 2.7, source: "security@wordfence.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.5, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2025-02-25T10:15:09.940", references: [ { source: "security@wordfence.com", tags: [ "Release Notes", ], url: "https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990#item-description__changelog", }, { source: "security@wordfence.com", tags: [ "Third Party Advisory", ], url: "https://www.wordfence.com/threat-intel/vulnerabilities/id/b55722f9-a0b9-4484-bd3b-c21dbe5716ee?source=cve", }, ], sourceIdentifier: "security@wordfence.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-918", }, ], source: "security@wordfence.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-10-11 11:15
Modified
2024-11-21 05:53
Severity ?
Summary
The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| contact@wpscan.com | http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| contact@wpscan.com | https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e | Exploit, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html | Exploit, Third Party Advisory, VDB Entry | |
| af854a3a-2127-422b-91ae-364da2661108 | https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e | Exploit, Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "720E8A55-8B32-422C-B5A5-2AD4E2DCFF29", versionEndExcluding: "4.8.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.", }, { lang: "es", value: "El tema Enfold de WordPress versiones anteriores a 4.8.4, era vulnerable a un ataque de tipo Cross-Site Scripting (XSS) Reflejado. La vulnerabilidad está presente en las versiones de Enfold anteriores a la 4.8.4 que usan Avia Page Builder", }, ], id: "CVE-2021-24719", lastModified: "2024-11-21T05:53:37.737", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: true, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-10-11T11:15:09.377", references: [ { source: "contact@wpscan.com", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html", }, { source: "contact@wpscan.com", tags: [ "Exploit", "Third Party Advisory", ], url: "https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", "VDB Entry", ], url: "http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Third Party Advisory", ], url: "https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e", }, ], sourceIdentifier: "contact@wpscan.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "contact@wpscan.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-79", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2025-02-25 10:15
Modified
2025-02-28 01:35
Severity ?
Summary
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "CE0FB6E9-976F-4908-9B03-5AFE3941CE8E", versionEndExcluding: "7.0", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.", }, { lang: "es", value: " El tema Enfold para WordPress es vulnerable al acceso no autorizado a los datos debido a una verificación de capacidad faltante en avia-export-class.php en todas las versiones hasta la 6.0.9 incluida. Esto hace posible que atacantes no autenticados exporten todas las configuraciones de Avia que pueden incluir información confidencial como la clave API de Mailchimp, la clave secreta de reCAPTCHA o el token privado de Envato si están configurados.", }, ], id: "CVE-2024-13693", lastModified: "2025-02-28T01:35:34.740", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 1.4, source: "security@wordfence.com", type: "Primary", }, ], }, published: "2025-02-25T10:15:09.643", references: [ { source: "security@wordfence.com", tags: [ "Product", ], url: "https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990#item-description__changelog", }, { source: "security@wordfence.com", tags: [ "Third Party Advisory", ], url: "https://www.wordfence.com/threat-intel/vulnerabilities/id/61a9ad18-28d4-488c-b3a7-e35745f9c83e?source=cve", }, ], sourceIdentifier: "security@wordfence.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-284", }, ], source: "security@wordfence.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-862", }, ], source: "nvd@nist.gov", type: "Secondary", }, ], }
Vulnerability from fkie_nvd
Published
2024-08-30 04:15
Modified
2024-09-03 15:11
Severity ?
6.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "D99DBAAC-B25C-480D-9CAC-2FCAFF8E5F46", versionEndIncluding: "6.0.3", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", }, { lang: "es", value: "El tema Enfold - Responsive Multi-Purpose Theme para WordPress es vulnerable a Cross-Site Scripting Almacenado a través de los parámetros 'wrapper_class' y 'class' en todas las versiones hasta la 6.0.3 incluida, debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarias en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada.", }, ], id: "CVE-2024-5061", lastModified: "2024-09-03T15:11:56.787", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 3.1, impactScore: 2.7, source: "security@wordfence.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.4, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.3, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-08-30T04:15:07.310", references: [ { source: "security@wordfence.com", tags: [ "Product", ], url: "https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, { source: "security@wordfence.com", tags: [ "Third Party Advisory", ], url: "https://www.wordfence.com/threat-intel/vulnerabilities/id/25462492-59d2-44b7-81c3-93ac04a08bcc?source=cve", }, ], sourceIdentifier: "security@wordfence.com", vulnStatus: "Analyzed", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "security@wordfence.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2024-07-22 10:15
Modified
2024-11-21 09:23
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kriesi.At Enfold allows Reflected XSS.This issue affects Enfold: from n/a through 5.6.9.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "B58FD2EF-4AB8-4B8D-9E61-E63DE628F5E3", versionEndExcluding: "5.6.10", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kriesi.At Enfold allows Reflected XSS.This issue affects Enfold: from n/a through 5.6.9.", }, { lang: "es", value: "Vulnerabilidad de neutralización incorrecta de la entrada durante la generación de páginas web (XSS o 'Cross-site Scripting') en Kriesi.At Enfold permite XSS reflejado. Este problema afecta a Enfold: desde n/a hasta 5.6.9.", }, ], id: "CVE-2024-37199", lastModified: "2024-11-21T09:23:23.287", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.7, source: "audit@patchstack.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-22T10:15:05.983", references: [ { source: "audit@patchstack.com", tags: [ "Third Party Advisory", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, ], sourceIdentifier: "audit@patchstack.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "audit@patchstack.com", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-11-30 17:15
Modified
2024-11-21 08:13
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
6.1 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS.This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:kriesi:enfold:*:*:*:*:*:wordpress:*:*", matchCriteriaId: "3A448401-824B-4E02-AC2F-9A577ED91DD9", versionEndIncluding: "5.6.4", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS.This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.\n\n", }, { lang: "es", value: "Vulnerabilidad de neutralización inadecuada de la entrada durante la generación de páginas web ('Cross-site Scripting') en Kriesi Enfold - Responsive Multi-Purpose Theme permite XSS reflejado. Este problema afecta a Enfold - Responsive Multi-Purpose Theme: desde n/a hasta 5.6.4.", }, ], id: "CVE-2023-38400", lastModified: "2024-11-21T08:13:29.270", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 3.7, source: "audit@patchstack.com", type: "Secondary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.1, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", version: "3.1", }, exploitabilityScore: 2.8, impactScore: 2.7, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2023-11-30T17:15:09.750", references: [ { source: "audit@patchstack.com", tags: [ "Third Party Advisory", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, ], sourceIdentifier: "audit@patchstack.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-79", }, ], source: "audit@patchstack.com", type: "Primary", }, ], }
cve-2024-37199
Vulnerability from cvelistv5
Published
2024-07-22 09:33
Modified
2024-08-02 03:50
Severity ?
EPSS score ?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kriesi.At Enfold allows Reflected XSS.This issue affects Enfold: from n/a through 5.6.9.
References
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-37199", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-07-22T10:26:37.008243Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-07-22T10:26:50.229Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-08-02T03:50:55.248Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_transferred", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Enfold", vendor: "Kriesi.at", versions: [ { changes: [ { at: "5.6.10", status: "unaffected", }, ], lessThanOrEqual: "5.6.9", status: "affected", version: "n/a", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "tom (Patchstack Alliance)", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kriesi.At Enfold allows Reflected XSS.<p>This issue affects Enfold: from n/a through 5.6.9.</p>", }, ], value: "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Kriesi.At Enfold allows Reflected XSS.This issue affects Enfold: from n/a through 5.6.9.", }, ], impacts: [ { capecId: "CAPEC-591", descriptions: [ { lang: "en", value: "CAPEC-591 Reflected XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-07-22T09:33:23.394Z", orgId: "21595511-bba5-4825-b968-b78d1f9984a3", shortName: "Patchstack", }, references: [ { tags: [ "vdb-entry", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Update to 5.6.10 or a higher version.", }, ], value: "Update to 5.6.10 or a higher version.", }, ], source: { discovery: "EXTERNAL", }, title: "WordPress Enfold theme <= 5.6.9 - Reflected Cross Site Scripting (XSS) vulnerability", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "21595511-bba5-4825-b968-b78d1f9984a3", assignerShortName: "Patchstack", cveId: "CVE-2024-37199", datePublished: "2024-07-22T09:33:23.394Z", dateReserved: "2024-06-04T16:45:43.450Z", dateUpdated: "2024-08-02T03:50:55.248Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-5061
Vulnerability from cvelistv5
Published
2024-08-30 03:24
Modified
2024-08-30 14:06
Severity ?
EPSS score ?
Summary
The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kriesi | Enfold - Responsive Multi-Purpose Theme |
Version: * ≤ 6.0.3 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-5061", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2024-08-30T14:01:02.674997Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2024-08-30T14:06:54.100Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Enfold - Responsive Multi-Purpose Theme", vendor: "Kriesi", versions: [ { lessThanOrEqual: "6.0.3", status: "affected", version: "*", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Matthew Rollings", }, ], descriptions: [ { lang: "en", value: "The Enfold - Responsive Multi-Purpose Theme theme for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wrapper_class’ and 'class' parameters in all versions up to, and including, 6.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", }, ], metrics: [ { cvssV3_1: { baseScore: 6.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-08-30T03:24:15.330Z", orgId: "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", shortName: "Wordfence", }, references: [ { url: "https://www.wordfence.com/threat-intel/vulnerabilities/id/25462492-59d2-44b7-81c3-93ac04a08bcc?source=cve", }, { url: "https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, ], timeline: [ { lang: "en", time: "2024-08-29T14:54:04.000+00:00", value: "Disclosed", }, ], title: "Enfold <= 6.0.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via wrapper_class and class Parameters", }, }, cveMetadata: { assignerOrgId: "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", assignerShortName: "Wordfence", cveId: "CVE-2024-5061", datePublished: "2024-08-30T03:24:15.330Z", dateReserved: "2024-05-17T11:00:47.792Z", dateUpdated: "2024-08-30T14:06:54.100Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-24719
Vulnerability from cvelistv5
Published
2021-10-11 10:45
Modified
2024-08-03 19:42
Severity ?
EPSS score ?
Summary
The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.
References
| ▼ | URL | Tags |
|---|---|---|
| https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e | x_refsource_MISC | |
| http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T19:42:16.657Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Enfold", vendor: "Unknown", versions: [ { lessThan: "4.8.4", status: "affected", version: "4.8.4", versionType: "custom", }, ], }, ], credits: [ { lang: "en", value: "David Álvarez Robles", }, { lang: "en", value: "Francisco Díaz-Pache Alonso", }, { lang: "en", value: "Sergio Corral Cristo", }, ], descriptions: [ { lang: "en", value: "The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Cross-site Scripting (XSS)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-10-19T16:06:10", orgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", shortName: "WPScan", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e", }, { tags: [ "x_refsource_MISC", ], url: "http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html", }, ], source: { discovery: "EXTERNAL", }, title: "Enfold Theme < 4.8.4 - Reflected Cross-Site Scripting (XSS)", x_generator: "WPScan CVE Generator", x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "contact@wpscan.com", ID: "CVE-2021-24719", STATE: "PUBLIC", TITLE: "Enfold Theme < 4.8.4 - Reflected Cross-Site Scripting (XSS)", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Enfold", version: { version_data: [ { version_affected: "<", version_name: "4.8.4", version_value: "4.8.4", }, ], }, }, ], }, vendor_name: "Unknown", }, ], }, }, credit: [ { lang: "eng", value: "David Álvarez Robles", }, { lang: "eng", value: "Francisco Díaz-Pache Alonso", }, { lang: "eng", value: "Sergio Corral Cristo", }, ], data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Enfold Enfold WordPress theme before 4.8.4 was vulnerable to Reflected Cross-Site Scripting (XSS). The vulnerability is present on Enfold versions previous than 4.8.4 which use Avia Page Builder.", }, ], }, generator: "WPScan CVE Generator", problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "CWE-79 Cross-site Scripting (XSS)", }, ], }, ], }, references: { reference_data: [ { name: "https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e", refsource: "MISC", url: "https://wpscan.com/vulnerability/a53e213f-6011-47f8-93e6-aa5ad30e857e", }, { name: "http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html", refsource: "MISC", url: "http://packetstormsecurity.com/files/164548/WordPress-Enfold-Theme-4.8.3-Cross-Site-Scripting.html", }, ], }, source: { discovery: "EXTERNAL", }, }, }, }, cveMetadata: { assignerOrgId: "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", assignerShortName: "WPScan", cveId: "CVE-2021-24719", datePublished: "2021-10-11T10:45:48", dateReserved: "2021-01-14T00:00:00", dateUpdated: "2024-08-03T19:42:16.657Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2023-38400
Vulnerability from cvelistv5
Published
2023-11-30 16:57
Modified
2024-08-02 17:39
Severity ?
EPSS score ?
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS.This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kriesi | Enfold - Responsive Multi-Purpose Theme |
Version: n/a < |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-02T17:39:13.619Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "vdb-entry", "x_transferred", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Enfold - Responsive Multi-Purpose Theme", vendor: "Kriesi", versions: [ { changes: [ { at: "5.6.5", status: "unaffected", }, ], lessThanOrEqual: "5.6.4", status: "affected", version: "n/a", versionType: "custom", }, ], }, ], credits: [ { lang: "en", type: "finder", user: "00000000-0000-4000-9000-000000000000", value: "Rafie Muhammad (Patchstack)", }, ], descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS.<p>This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.</p>", }, ], value: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Kriesi Enfold - Responsive Multi-Purpose Theme allows Reflected XSS.This issue affects Enfold - Responsive Multi-Purpose Theme: from n/a through 5.6.4.\n\n", }, ], impacts: [ { capecId: "CAPEC-591", descriptions: [ { lang: "en", value: "CAPEC-591 Reflected XSS", }, ], }, ], metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "LOW", baseScore: 7.1, baseSeverity: "HIGH", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "CHANGED", userInteraction: "REQUIRED", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", version: "3.1", }, format: "CVSS", scenarios: [ { lang: "en", value: "GENERAL", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-79", description: "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-11-30T16:57:16.768Z", orgId: "21595511-bba5-4825-b968-b78d1f9984a3", shortName: "Patchstack", }, references: [ { tags: [ "vdb-entry", ], url: "https://patchstack.com/database/vulnerability/enfold/wordpress-enfold-theme-5-6-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", }, ], solutions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "Update to 5.6.5 or a higher version.", }, ], value: "Update to 5.6.5 or a higher version.", }, ], source: { discovery: "EXTERNAL", }, title: "WordPress Enfold Theme <= 5.6.4 is vulnerable to Cross Site Scripting (XSS)", x_generator: { engine: "Vulnogram 0.1.0-dev", }, }, }, cveMetadata: { assignerOrgId: "21595511-bba5-4825-b968-b78d1f9984a3", assignerShortName: "Patchstack", cveId: "CVE-2023-38400", datePublished: "2023-11-30T16:57:16.768Z", dateReserved: "2023-07-17T15:22:13.927Z", dateUpdated: "2024-08-02T17:39:13.619Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2014-7297
Vulnerability from cvelistv5
Published
2014-10-13 10:00
Modified
2024-08-06 12:47
Severity ?
EPSS score ?
Summary
Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.
References
| ▼ | URL | Tags |
|---|---|---|
| http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990 | x_refsource_CONFIRM | |
| https://wpvulndb.com/vulnerabilities/9809 | x_refsource_MISC |
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T12:47:32.498Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://wpvulndb.com/vulnerabilities/9809", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2014-10-07T00:00:00", descriptions: [ { lang: "en", value: "Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-01-10T00:06:05", orgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", shortName: "mitre", }, references: [ { tags: [ "x_refsource_CONFIRM", ], url: "http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, { tags: [ "x_refsource_MISC", ], url: "https://wpvulndb.com/vulnerabilities/9809", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve@mitre.org", ID: "CVE-2014-7297", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Unspecified vulnerability in the folder framework in the Enfold theme before 3.0.1 for WordPress has unknown impact and attack vectors.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", refsource: "CONFIRM", url: "http://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990", }, { name: "https://wpvulndb.com/vulnerabilities/9809", refsource: "MISC", url: "https://wpvulndb.com/vulnerabilities/9809", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "8254265b-2729-46b6-b9e3-3dfca2d5bfca", assignerShortName: "mitre", cveId: "CVE-2014-7297", datePublished: "2014-10-13T10:00:00", dateReserved: "2014-10-02T00:00:00", dateUpdated: "2024-08-06T12:47:32.498Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-13693
Vulnerability from cvelistv5
Published
2025-02-25 09:21
Modified
2025-02-25 14:37
Severity ?
EPSS score ?
Summary
The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kriesi | Enfold - Responsive Multi-Purpose Theme |
Version: * ≤ 6.0.9 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-13693", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-25T14:32:29.636031Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-25T14:37:21.976Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Enfold - Responsive Multi-Purpose Theme", vendor: "Kriesi", versions: [ { lessThanOrEqual: "6.0.9", status: "affected", version: "*", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Mazzolini", }, ], descriptions: [ { lang: "en", value: "The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This makes it possible for unauthenticated attackers to export all avia settings which may included sensitive information such as the Mailchimp API Key, reCAPTCHA Secret Key, or Envato private token if they are set.", }, ], metrics: [ { cvssV3_1: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-284", description: "CWE-284 Improper Access Control", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-25T09:21:33.130Z", orgId: "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", shortName: "Wordfence", }, references: [ { url: "https://www.wordfence.com/threat-intel/vulnerabilities/id/61a9ad18-28d4-488c-b3a7-e35745f9c83e?source=cve", }, { url: "https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990#item-description__changelog", }, ], timeline: [ { lang: "en", time: "2025-01-23T00:00:00.000+00:00", value: "Vendor Notified", }, { lang: "en", time: "2025-02-24T00:00:00.000+00:00", value: "Disclosed", }, ], title: "Enfold <= 6.0.9 - Missing Authorization to Sensitive Information Disclosure in avia-export-class.php", }, }, cveMetadata: { assignerOrgId: "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", assignerShortName: "Wordfence", cveId: "CVE-2024-13693", datePublished: "2025-02-25T09:21:33.130Z", dateReserved: "2025-01-23T20:46:48.682Z", dateUpdated: "2025-02-25T14:37:21.976Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-13695
Vulnerability from cvelistv5
Published
2025-02-25 09:21
Modified
2025-02-25 14:37
Severity ?
EPSS score ?
Summary
The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Kriesi | Enfold - Responsive Multi-Purpose Theme |
Version: * ≤ 6.0.9 |
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-13695", options: [ { Exploitation: "none", }, { Automatable: "no", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-25T14:06:20.167494Z", version: "2.0.3", }, type: "ssvc", }, }, ], providerMetadata: { dateUpdated: "2025-02-25T14:37:13.976Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Enfold - Responsive Multi-Purpose Theme", vendor: "Kriesi", versions: [ { lessThanOrEqual: "6.0.9", status: "affected", version: "*", versionType: "semver", }, ], }, ], credits: [ { lang: "en", type: "finder", value: "Michael Mazzolini", }, ], descriptions: [ { lang: "en", value: "The Enfold theme for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.0.9 via the 'attachment_id' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.", }, ], metrics: [ { cvssV3_1: { baseScore: 6.4, baseSeverity: "MEDIUM", vectorString: "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", version: "3.1", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-918", description: "CWE-918 Server-Side Request Forgery (SSRF)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-25T09:21:33.873Z", orgId: "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", shortName: "Wordfence", }, references: [ { url: "https://www.wordfence.com/threat-intel/vulnerabilities/id/b55722f9-a0b9-4484-bd3b-c21dbe5716ee?source=cve", }, { url: "https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990#item-description__changelog", }, ], timeline: [ { lang: "en", time: "2025-01-23T00:00:00.000+00:00", value: "Vendor Notified", }, { lang: "en", time: "2025-02-24T00:00:00.000+00:00", value: "Disclosed", }, ], title: "Enfold <= 6.0.9 - Authenticated (Subscriber+) Server-Side Request Forgery via attachment_id", }, }, cveMetadata: { assignerOrgId: "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", assignerShortName: "Wordfence", cveId: "CVE-2024-13695", datePublished: "2025-02-25T09:21:33.873Z", dateReserved: "2025-01-23T20:53:47.459Z", dateUpdated: "2025-02-25T14:37:13.976Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }