{"error":0,"message":null,"data":{"name":"Ripple","theme":"ripple","link":"https:\/\/wordpress.org\/themes\/ripple\/","latest":null,"closed":0,"vulnerability":[{"uuid":"9f6585ad2db2f2063ab9dfa319a6b833589b5b3dfcb591b3d14181fdf30ebbaa","name":"Ripple [ripple] < 1.2.1","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"1.2.1","max_operator":"lt","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2021-24867","name":"CVE-2021-24867","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-24867","description":"[en] Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion","date":"2022-02-21"},{"id":"9c76bada-fa32-4c2f-9855-d0efd1e63eff","name":"One more step","link":"https:\/\/wpscan.com\/vulnerability\/9c76bada-fa32-4c2f-9855-d0efd1e63eff","description":null,"date":null},{"id":"033a642859380cb4daa00b3165ede8acaeee7bdd","name":"AccessPress Anonymous Post = 2.8.0 - Backdoored","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/wordpress-plugins\/accesspress-anonymous-post\/accesspress-anonymous-post-280-backdoored","description":"Numerous Plugins and Themes from the AccessPress Themes (aka Access Keys) vendor are backdoored due to their website being compromised. Only plugins and themes downloaded via the vendor website are affected, and those hosted on wordpress.org are not. However, all of them were updated or removed to avoid any confusion","date":"2021-10-13"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H","av":"n","ac":"l","pr":"n","ui":"n","s":"u","c":"h","i":"h","a":"h","score":"9.8","severity":"c","exploitable":"3.9","impact":"5.9"},"cwe":[{"cwe":"CWE-912","name":"Hidden Functionality","description":"The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence that is obvious to the product's users or administrators."}]}},{"uuid":"2be5fa3fc50b0cfae07b9101cc6075c562945fbe4aba21d1b7855d081a1c2911","name":"Ripple [ripple] <= 1.2.0","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"1.2.0","max_operator":"le","unfixed":"0","closed":"0"},"source":[{"id":"CVE-2021-39317","name":"CVE-2021-39317","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2021-39317","description":"[en] A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the \/demo-functions.php file or \/welcome.php file of the affected products. The complete list of affected products and their versions are below: WordPress Plugin: AccessPress Demo Importer <=1.0.6 WordPress Themes: accesspress-basic <= 3.2.1 accesspress-lite <= 2.92 accesspress-mag <= 2.6.5 accesspress-parallax <= 4.5 accesspress-root <= 2.5 accesspress-store <= 2.4.9 agency-lite <= 1.1.6 arrival <= 1.4.2 bingle <= 1.0.4 bloger <= 1.2.6 brovy <= 1.3 construction-lite <= 1.2.5 doko <= 1.0.27 edict-lite <= 1.1.4 eightlaw-lite <= 2.1.5 eightmedi-lite <= 2.1.8 eight-sec <= 1.1.4 eightstore-lite <= 1.2.5 enlighten <= 1.3.5 fotography <= 2.4.0 opstore <= 1.4.3 parallaxsome <= 1.3.6 punte <= 1.1.2 revolve <= 1.3.1 ripple <= 1.2.0 sakala <= 1.0.4 scrollme <= 2.1.0 storevilla <= 1.4.1 swing-lite <= 1.1.9 the100 <= 1.1.2 the-launcher <= 1.3.2 the-monday <= 1.4.1 ultra-seven <= 1.2.8 uncode-lite <= 1.3.3 vmag <= 1.2.7 vmagazine-lite <= 1.3.5 vmagazine-news <= 1.0.5 wpparallax <= 2.0.6 wp-store <= 1.1.9 zigcy-baby <= 1.0.6 zigcy-cosmetics <= 1.0.5 zigcy-lite <= 2.0.9","date":"2021-10-11"},{"id":"8770c219165354fce80f8b36469e3e669dbcef5d","name":"WordPress Ripple theme <= 1.2.0 - Arbitrary File Upload vulnerability","link":"https:\/\/patchstack.com\/database\/wordpress\/theme\/ripple\/vulnerability\/wordpress-ripple-theme-1-2-0-arbitrary-file-upload-vulnerability","description":"Arbitrary File Upload vulnerability discovered by Lenon Leite (Patchstack Red Team project) in WordPress Ripple theme (versions <= 1.2.0). This theme uses a vulnerable piece of code related to previously identified vulnerability - CVE-2021-39317.","date":"2021-11-28"},{"id":"375cdb9bddfabe2afed23edadaf2851a10172bf7","name":"AccessPress Themes and Plugin <= Various Versions - Authenticated (Subscriber+) Arbitrary File Upload","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/accesspress-themes-and-plugin-various-versions-authenticated-subscriber-arbitrary-file-upload","description":"A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to malicious file uploads via the plugin_offline_installer AJAX action due to a missing capability check in the plugin_offline_installer_callback function found in the \/demo-functions.php file or \/welcome.php file of the affected products.","date":"2021-10-06"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:H\/A:H","av":"n","ac":"l","pr":"l","ui":"n","s":"u","c":"h","i":"h","a":"h","score":"8.8","severity":"h","exploitable":"2.8","impact":"5.9"},"cwe":[{"cwe":"CWE-285","name":"Improper Authorization","description":"The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action."},{"cwe":"CWE-434","name":"Unrestricted Upload of File with Dangerous Type","description":"The product allows the upload or transfer of dangerous file types that are automatically processed within its environment."}]}},{"uuid":"faf0f470cdfb45be9888ebce7bba55603895d797c992e570be349a2ccd82d749","name":"Ripple [ripple] <= 1.2.0 (unfixed)","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"1.2.0","max_operator":"le","unfixed":"1","closed":"0"},"source":[{"id":"420d875a6eb7b16e4b16e9e9fd7396f1d6041d00","name":"WordPress Ripple theme <= 1.2.0 - Authenticated Arbitrary Plugin Activation\/Deactivation vulnerability","link":"https:\/\/patchstack.com\/database\/wordpress\/theme\/ripple\/vulnerability\/wordpress-ripple-theme-1-2-0-authenticated-arbitrary-plugin-activation-deactivation-vulnerability","description":"Authenticated Arbitrary Plugin Activation\/Deactivation vulnerability discovered by Ex.Mi (Patchstack) in WordPress Ripple theme (versions <= 1.2.0).","date":"2022-01-28"}],"impact":[]},{"uuid":"c06c6a6713d14ce565776ae21d24eff286e640a173a4c7cc99b8713f7d0ed6d9","name":"Ripple [ripple] <= 1.2.0 (unfixed)","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"1.2.0","max_operator":"le","unfixed":"1","closed":"0"},"source":[{"id":"bcf93d2ac1e0943c2b804673fea259c9c2ebf615","name":"WordPress Ripple theme <= 1.2.0 - Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation\/Deactivation","link":"https:\/\/patchstack.com\/database\/wordpress\/theme\/ripple\/vulnerability\/wordpress-ripple-theme-1-2-0-cross-site-request-forgery-csrf-leading-to-arbitrary-plugin-activation-deactivation","description":"Cross-Site Request Forgery (CSRF) leading to Arbitrary Plugin Activation\/Deactivation discovered by Ex.Mi (Patchstack) in WordPress Ripple theme (versions <= 1.2.0).","date":"2022-01-24"}],"impact":[]},{"uuid":"0e7d9f7d83dd8caaddd884826ac7f1aa3602dd7ee39e3d2233bc8cb7a0d98f86","name":"Ripple [ripple] <= 1.2.1 (unfixed)","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"1.2.1","max_operator":"le","unfixed":"1","closed":"0"},"source":[{"id":"bdc6341249ff2bd93c306d10596df54207db50e6","name":"AccessPress Themes and Plugin <= Various Versions - Cross-Site Request Forgery","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/accesspress-themes-and-plugin-various-versions-cross-site-request-forgery","description":"A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to cross-site request forgery via the plugin_activation_callback and plugin_deactivate_callback functions, called via AJAX actions, that were missing capability checks and nonce validation. This makes it possible for unauthenticated attackers to deactivate and activate arbitrary plugins, granted they could trick a site administrator into performing an action such as clicking a link. This could be used to deactivate security plugins and exploit other potential vulnerabilities.","date":"2022-01-11"}],"impact":[]},{"uuid":"50e91842b3b6ddc0d9899c293ad9a8726c81e5d217f471eb7a614bcc1fdf0f51","name":"Ripple [ripple] <= 1.2.1 (unfixed)","description":null,"operator":{"min_version":null,"min_operator":null,"max_version":"1.2.1","max_operator":"le","unfixed":"1","closed":"0"},"source":[{"id":"CVE-2022-23975","name":"CVE-2022-23975","link":"https:\/\/www.cve.org\/CVERecord?id=CVE-2022-23975","description":"[en] Cross-Site Request Forgery (CSRF) in Access Demo Importer <= 1.0.7 on WordPress allows an attacker to activate any installed plugin.","date":"2022-04-18"},{"id":"f8e42c94d85322f0655dfb77039eaeadd6d15c93","name":"AccessPress Themes and Plugin <= Various Versions - Missing Authorization to Arbitrary Plugin Deactivation\/Activation","link":"https:\/\/www.wordfence.com\/threat-intel\/vulnerabilities\/detail\/accesspress-themes-and-plugin-various-versions-missing-authorization-to-arbitrary-plugin-deactivationactivation","description":"A WordPress plugin and several WordPress themes developed by AccessPress Themes are vulnerable to unauthorized plugin deactivation and activation via the plugin_activation_callback and plugin_deactivate_callback functions called via AJAX actions that were missing capability checks and nonce validation. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to deactivate and activate arbitrary plugins. This could be used to deactivate security plugins and exploit other potential vulnerabilities.","date":"2022-01-11"}],"impact":{"cvss":{"version":"3.1","vector":"CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:N\/I:H\/A:N","av":"n","ac":"l","pr":"n","ui":"r","s":"u","c":"n","i":"h","a":"n","score":"6.5","severity":"m","exploitable":"2.8","impact":"3.6"},"cwe":[{"cwe":"CWE-352","name":"Cross-Site Request Forgery (CSRF)","description":"The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor."}]}}]},"updated":"1671603603"}