CVE-2023-3204
📋 TL;DR
The Materialis WordPress theme has an authorization bypass: the companion_disable_popup() function in inc/companion.php is exposed as an admin-ajax.php action but performs no capability check, so any authenticated user, down to the subscriber role, can call it and set an arbitrary option in wp_options to a numeric value. Materialis versions up to and including 1.1.24 are affected; 1.1.25 adds the missing check.
💻 Affected Systems
- Materialis WordPress theme, versions up to and including 1.1.24 (fixed in 1.1.25); child themes built on Materialis inherit the vulnerable parent code
📦 What is this software?
Materialis is a free WordPress theme by Extendthemes, distributed through the WordPress.org theme directory. The vulnerable handler ships inside the theme itself (inc/companion.php), so it is present on every site that has the theme installed and active.
⚠️ Risk & Real-World Impact
Worst Case
The attacker chooses the option name but the value is forced to a number, so the damage is corruption and toggling rather than arbitrary content injection. Overwriting siteurl or home with a number makes every URL the site generates invalid and takes the site offline; overwriting wp_user_roles (a serialized array) strips every account, administrators included, of its capabilities and locks everyone out; and numeric security toggles such as users_can_register can be switched on. Any option a plugin relies on is reachable the same way, from a subscriber account.
Likely Case
An attacker with a low-privilege account (a self-registered subscriber, a commenter, a shop customer) flips numeric settings: turning off comment moderation or search-engine visibility (blog_public), enabling open registration, or breaking a feature by zeroing an option the theme or a plugin depends on.
If Mitigated
With the patch applied, or with the AJAX action denied to non-administrators, the handler is unreachable for low-privilege users. Where only monitoring is in place, impact is limited to option changes that are detected and reverted from a known-good export of wp_options.
🎯 Exploit Status
Exploitation needs an authenticated session but only subscriber-level privileges, and consists of a single request to /wp-admin/admin-ajax.php naming the vulnerable action. The vulnerable source is public in the WordPress theme repository (see References), so no separate exploit code is required to reproduce it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.25 and later
Vendor Fix (theme repository changeset): https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=231816%40materialis&new=231816%40materialis&sfp_email=&sfph_mail=#file6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Check whether a Materialis theme update is available.
4. Click 'Update Now' for the Materialis theme.
5. Verify that the theme version is 1.1.25 or higher.
🔧 Temporary Workarounds
Deny the vulnerable AJAX action to non-administrators
Block the companion_disable_popup action before the theme's handler runs. A must-use plugin that hooks wp_ajax_companion_disable_popup at priority 0 and ends the request unless current_user_can('manage_options') does this without touching any other AJAX action. A web-server rule cannot single out this action, because admin-ajax.php requests normally carry the action name in the POST body; the only .htaccess option is to block the whole endpoint:
Add to .htaccess: RewriteRule ^wp-admin/admin-ajax\.php$ - [F] (Note: this breaks every AJAX feature on the site, including plugins and the Heartbeat API, and is rarely acceptable)
Restrict user registration
Temporarily disable new registration so attackers cannot self-provision the subscriber account the attack needs.
In WordPress Settings > General, uncheck 'Anyone can register' (this sets users_can_register to 0). This only narrows exposure: existing low-privilege accounts, including commenters and e-commerce customers, can still exploit the bug.
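A must-use plugin implementing the first workaround, added here as an example for this advisory; it is not Extendthemes' code and not the vendor fix. It assumes the theme registers its handler under the AJAX action name companion_disable_popup (the name used in the detection section of this page); confirm that hook name against inc/companion.php of the installed theme version before relying on it. The log line format is this example's own choice.

```php
<?php
/**
 * Plugin Name: Materialis CVE-2023-3204 guard (temporary)
 * Description: Denies the companion_disable_popup admin-ajax action to users
 *              who cannot manage options. Remove after updating to >= 1.1.25.
 *
 * Install: copy to wp-content/mu-plugins/materialis-cve-2023-3204-guard.php
 * (create the directory if it does not exist). Must-use plugins load before
 * the theme, so this hook is registered ahead of the theme's own handler.
 */

// Assumption: the theme registers its handler as wp_ajax_companion_disable_popup
// (action name taken from this advisory). Verify it in inc/companion.php.
const MATERIALIS_GUARD_ACTION = 'companion_disable_popup';

/**
 * Runs before the theme's handler (priority 0 vs the default 10) and ends the
 * request unless the caller may change site options. This is the capability
 * check the vulnerable function lacks.
 */
function materialis_guard_disable_popup() {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrator: fall through to the theme's handler
    }

    // Record the attempt: who, from where, and which request fields were sent.
    // Only the field names are logged, so no attacker-controlled value hits the log.
    $fields = implode( ',', array_map( 'sanitize_key', array_keys( $_REQUEST ) ) );
    error_log( sprintf(
        'CVE-2023-3204 guard: blocked %s for user %d (ip %s, fields %s)',
        MATERIALIS_GUARD_ACTION,
        get_current_user_id(), // 0 for anonymous callers
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        $fields
    ) );

    // wp_send_json_error() calls wp_die(), so the theme's handler never runs.
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
}

// Authenticated callers (subscriber and up) are dispatched through wp_ajax_*.
add_action( 'wp_ajax_' . MATERIALIS_GUARD_ACTION, 'materialis_guard_disable_popup', 0 );
// Anonymous callers are dispatched through wp_ajax_nopriv_*; deny those unconditionally.
add_action( 'wp_ajax_nopriv_' . MATERIALIS_GUARD_ACTION, 'materialis_guard_disable_popup', 0 );
```

The guard sits in front of the theme's handler instead of calling remove_action() on it, because a must-use plugin loads before the theme has registered anything, and a hook at priority 0 works regardless of when or with which callback the theme registers. Administrators still reach the original function, so legitimate use of the popup setting keeps working.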
🧯 If You Can't Patch
- Switch to a different theme until you can update: the handler lives in the theme's own code, which WordPress does not load while the theme is inactive
- Monitor wp_options for changes made outside an administrator session (the updated_option hook, an audit-log plugin, or a periodic diff of wp_options against a known-good export) and keep that export to restore from
🔍 How to Verify
Check if Vulnerable:
Appearance > Themes > Materialis > theme details shows the installed version; anything at or below 1.1.24 is vulnerable. Without dashboard access, read the Version: header of wp-content/themes/materialis/style.css on disk.
Check Version:
wp theme get materialis --field=version (WP-CLI; wp theme list --fields=name,version,status lists every installed theme)
Verify Fix Applied:
The reported Materialis version is 1.1.25 or higher. If a child theme is active, check the parent Materialis theme's version, since the handler lives in the parent.
📡 Detection & Monitoring
Log Indicators:
- option_value changes in wp_options that no administrator made, in particular siteurl, home, users_can_register or wp_user_roles being set to a bare number
- admin-ajax.php requests with action=companion_disable_popup from sessions that do not belong to an administrator (inside WordPress: wp_doing_ajax() together with a failed current_user_can('manage_options'))
Network Indicators:
- POST (or GET) requests to /wp-admin/admin-ajax.php carrying action=companion_disable_popup. With POST the action name is in the request body, so a plain web-server access log shows only the endpoint; the parameter is visible only to a WAF or to request-body logging
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "companion_disable_popup" (only useful where the log source records request parameters, e.g. a WAF or a WordPress-side audit log, not a standard access log)
🔗 References
- https://themes.trac.wordpress.org/browser/materialis/1.1.20/inc/companion.php#L45
- https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=231816%40materialis&new=231816%40materialis&sfp_email=&sfph_mail=#file6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e05094-8344-4388-a703-518daf3d2948?source=cve