๐Ÿ” CVE Alert

CVE-2019-25142

HIGH 8.8

Mesmerize <= 1.6.89 & Materialis <= 1.0.172 - Authenticated Arbitrary Options Update

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The Mesmerize & Materialis themes for WordPress are vulnerable to authenticated options change in versions up to, and including,1.6.89 (Mesmerize) and 1.0.172 (Materialis). This is due to 'companion_disable_popup' function only checking the nonce while sending user input to the 'update_option' function. This makes it possible for authenticated attackers to change otherwise restricted options.

CWE CWE-862
Vendor extendthemes
Product materialis
Published Jun 7, 2023
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for extendthemes materialis

Be the first to know when new high vulnerabilities affecting extendthemes materialis are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

extendthemes / Materialis
0 โ‰ค 1.0.172
extendthemes / Mesmerize
0 โ‰ค 1.6.89

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/8c9c3302-47cd-4dbe-b79e-5e6032928074?source=cve blog.nintechnet.com: https://blog.nintechnet.com/wordpress-mesmerize-and-materialis-themes-fixed-an-authenticated-options-change-vulnerability/ wpscan.com: https://wpscan.com/vulnerability/e4d70f03-69d5-4cca-8300-985f68d19ddc wordpress.org: https://wordpress.org/themes/mesmerize/ wordpress.org: https://wordpress.org/themes/materialis/ themes.trac.wordpress.org: https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=121291%40mesmerize&new=121291%40mesmerize&sfp_email=&sfph_mail= themes.trac.wordpress.org: https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=121290%40materialis&new=121290%40materialis&sfp_email=&sfph_mail=

Credits

Jerome Bruandet