Zox News WordPress Theme Missing Authorization Vulnerability Allows Privilege Escalation and Arbitrary Options Modification

A vulnerability exists in the Zox News - Professional WordPress News & Magazine Theme plugin, affecting all versions through 3.17.0. The issue arises from missing capability checks in the backup_options() and reset_options() functions, allowing authenticated attackers with Subscriber-level access and above to modify or delete arbitrary option values. This vulnerability could be exploited to escalate privileges by changing the default user role for new registrations to Administrator, thereby gaining administrative access. Additionally, attackers could remove critical options, potentially disrupting the site's functionality and causing denial-of-service conditions for legitimate users.

Impact

Exploitation of this vulnerability could lead to unauthorized modification or deletion of WordPress option values, privilege escalation by granting administrative access to a user, and denial-of-service conditions by removing essential options, causing site errors that disrupt normal user access.

Remediation

Users are advised to update the Zox News WordPress theme to version 3.17.1 or a newer patched version.