Werkstatt
Monthly
Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.
PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.
Cross-Site Request Forgery in the Werkstatt WordPress theme (FuelThemes) version 4.7.2 and earlier allows remote unauthenticated attackers to perform unauthorized state-changing actions on behalf of authenticated WordPress users. The flaw stems from missing or inadequate CSRF token validation on one or more theme action endpoints, meaning a crafted web page or link can silently trigger privileged operations when visited by a logged-in user. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Broken access control in the Werkstatt WordPress theme (Fuelthemes) versions 4.7.2 and below allows subscriber-level authenticated users to access functionality or data restricted to higher-privileged roles. The root cause is missing authorization checks (CWE-862), permitting low-privilege WordPress accounts to bypass intended access restrictions and read protected information. No public exploit code is identified and the vulnerability is not listed in CISA KEV, but the low-complexity network vector makes it trivially exploitable by any subscriber-level user on affected sites.
PHP Object Injection in the Werkstatt WordPress theme (fuelthemes) through version 4.8.3 lets a Contributor-level user pass attacker-controlled data into an unsafe deserialization routine, enabling instantiation of arbitrary PHP objects. With the right POP gadget chain present in WordPress core, another plugin, or the theme itself, this can escalate to file operations, SQL manipulation, or remote code execution. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the 8.8 CVSS reflects the low-privilege network-exploitable path with high confidentiality, integrity, and availability impact.