ThemeBlvd Themes/Plugins (Various Versions) - Missing Authorization Checks

Missing Authorization
CVE Not available
CVSS Medium (6.5)
Publicly Published November 8, 2014
Last Updated January 22, 2024
Researcher James Golovich
Description

The following plugins and themes for WordPress are vulnerable to arbitrary option deletion and user data manipulation: Theme Blvd Shortcodes plugin <= 1.5.2 , Theme Blvd Widget Areas plugin < = 1.2.2, Theme Blvd Layout Builder plugin <= 2.0.1, Theme Blvd Sliders plugin <= 1.2.3, WP Jump Start theme <= 1.2.4, Alyeska theme <= 3.1.4, Akita theme <= 2.1.4, Arcadian Responsive theme <= 2.0.5, Swagger theme <= 2.1.4, Commodore theme <= 3.0.2, and Barely Corporate theme <= 4.1.4. This is due to missing authorization on the themeblvd_clear_options() and themeblvd_disable_nag() functions called via 'admin_init' hooks. This makes it possible for unauthenticated attackers to delete any option from the 'wp_options' table and edit any of their user metadata to 'true.'

References

11 affected software package

Software Type Theme
Software Slug swagger (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.1.4
Patched Version
  • 2.1.5
Software Type Theme
Software Slug alyeska (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 3.1.4
Patched Version
  • 3.1.5
Software Type Plugin
Software Slug theme-blvd-shortcodes (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.5.2
Patched Version
  • 1.5.3
Software Type Theme
Software Slug jumpstart (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.4
Patched Version
  • 1.2.5
Software Type Theme
Software Slug commodore (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 3.0.2
Patched Version
  • 3.0.3
Software Type Theme
Software Slug barelycorporate (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 4.1.4
Patched Version
  • 4.1.5
Software Type Plugin
Software Slug theme-blvd-sliders (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.3
Patched Version
  • 1.2.4
Software Type Theme
Software Slug arcadian (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.0.5
Patched Version
  • 2.0.6
Software Type Plugin
Software Slug theme-blvd-widget-areas (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 1.2.2
Patched Version
  • 1.2.3
Software Type Theme
Software Slug akita (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.1.4
Patched Version
  • 2.1.5
Software Type Plugin
Software Slug theme-blvd-layout-builder (view on wordpress.org)
Patched? Yes
Affected Version
  • <= 2.0.1
Patched Version
  • 2.0.2
This record contains material that is subject to copyright

Copyright 2012-2026 Defiant Inc.
License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. License Detail.