CVE-2023-46145

8.8 HIGH

📋 TL;DR

This vulnerability in the Themify Ultra WordPress theme allows authenticated users to escalate their privileges to administrator level. It affects WordPress sites using Themify Ultra theme versions up to 7.3.5. Attackers with any authenticated account can potentially gain full administrative control.

💻 Affected Systems

Products:
  • Themify Ultra WordPress Theme
Versions: n/a through 7.3.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Themify Ultra theme and at least one authenticated user account.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site takeover where attackers gain administrator access, install backdoors, steal sensitive data, deface the site, or use it for further attacks.

🟠 Likely Case

Attackers with subscriber/contributor accounts escalate to administrator and compromise the WordPress installation.

🟢 If Mitigated

Limited impact with proper user role management and monitoring, though privilege escalation attempts may still occur.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once an account is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.3.6 or later

Vendor Advisory: https://themify.me/changelogs/themify-ultra.txt

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Click on the Themify Ultra theme details.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from Themify and upload it via FTP.

🔧 Temporary Workarounds

  • Disable vulnerable theme (applies to: all): Switch to a different WordPress theme temporarily
  • Restrict user registration (applies to: all): Disable new user registration to limit attack surface

🧯 If You Can't Patch

  • Implement strict user role management and monitor for privilege changes
  • Use web application firewall rules to block privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Appearance > Themes > Themify Ultra details for version number

Check Version:

wp theme list --fields=name,version --path=/path/to/wordpress | grep ultra

Verify Fix Applied:

Confirm theme version is 7.3.6 or higher in WordPress admin
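The version check above, as an added shell example that is not part of this advisory: it reads the CSV form of the `wp theme list` output and compares the installed Themify Ultra version with the fixed release 7.3.6 component by component (so 7.10.0 is correctly treated as newer than 7.3.6). The sample wp-cli output is constructed.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag a Themify Ultra install whose
# version is below the fixed release 7.3.6 (the threshold from the advisory).
FIXED_VERSION="7.3.6"

# Exit 0 (true) when version $1 is older than FIXED_VERSION, else 1.
# Compares dot-separated components numerically, so 7.10.0 > 7.3.6,
# and a short string such as 7.3 is treated as 7.3.0.
version_is_vulnerable() {
    awk -v cur="$1" -v fixed="$FIXED_VERSION" 'BEGIN {
        n = split(cur, a, "."); m = split(fixed, b, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x < y) exit 0    # installed build is older: vulnerable
            if (x > y) exit 1    # installed build is newer: patched
        }
        exit 1                   # identical to the fixed version: patched
    }'
}

# Reads CSV from `wp theme list --fields=name,version --format=csv` on stdin
# and prints "VULNERABLE <ver>", "PATCHED <ver>" or "NOT INSTALLED".
check_themify_ultra() {
    ver=$(awk -F, 'tolower($1) ~ /ultra/ { print $2; exit }')
    if [ -z "$ver" ]; then
        echo "NOT INSTALLED"
    elif version_is_vulnerable "$ver"; then
        echo "VULNERABLE $ver"
    else
        echo "PATCHED $ver"
    fi
}

# Constructed sample of wp-cli CSV output. On a real site pipe the command itself:
# wp theme list --fields=name,version --format=csv --path=/path/to/wordpress | check_themify_ultra
SAMPLE_OUTPUT="name,version
twentytwentythree,1.2
themify-ultra,7.3.5"

printf '%s\n' "$SAMPLE_OUTPUT" | check_themify_ultra    # prints: VULNERABLE 7.3.5
```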

📡 Detection & Monitoring

Log Indicators:

  • Unusual user role changes in WordPress logs
  • Multiple failed privilege escalation attempts
  • Administrator account creation from non-admin users

Network Indicators:

  • HTTP POST requests to theme-specific admin-ajax endpoints with privilege parameters

SIEM Query:

source="wordpress.log" AND ("user_role_changed" OR "capabilities_modified" OR "admin_created")
