Vulnerability Type: Authenticated arbitrary file upload, authenticated arbitrary plugin enable/disable, authenticated data deletion, and missing CSRF checks in authenticated actions.

Publish Date: 11 January 2022

Nature of Vulnerability: Affects unpatched WordPress themes whose own PHP code implements these actions, putting approximately 50,000 sites at risk.

Vulnerability Details:
- Authenticated arbitrary file upload
- Authenticated arbitrary plugin enable/disable
- Authenticated data deletion
- Missing CSRF (nonce) checks in authenticated actions

Discovery: Initially reported by Leonor Leite; additional vulnerabilities were subsequently uncovered by Vlad Visse.

Impact: Exploitable by any authenticated user, including subscriber-level accounts, and can lead to full site takeover. Subscriber is the lowest default WordPress role, so on sites with open registration ("Anyone can register") the attacker only needs to sign up; the missing CSRF checks additionally let an attacker trigger the same actions through a logged-in administrator's browser.

Affected Themes: Includes AccessPress Parallax, Uncode Lite, AccessPress Lite, and others.

Disclosure History:
- 2021-11-28: Vulnerabilities reported by Leonor Leite.
- 2021-12-02: Verified; vPatches released to Patchstack Developer users.
- 2021-12-09: Follow-up sent; no response from the developer.
- 2021-12-22: Developer acknowledges the issue.
- 2022-01-06: Patchstack vPatch updated.
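The following is an added illustration of the vulnerability class the advisory lists, not code from the advisory or from the AccessPress themes. It shows a hypothetical theme AJAX handler in the vulnerable shape (reachable by any logged-in user via admin-ajax.php, with neither a capability check nor a nonce) next to a hardened version. The action names (demo_theme_action_vuln, demo_theme_action_safe), the nonce action string, the option key and the script handle are all invented for the example; the WordPress API calls (check_ajax_referer, current_user_can, wp_handle_upload, get_plugins, activate_plugin, deactivate_plugins, wp_send_json_*) are real.

```php
<?php
// Added example: hypothetical theme code, not from the advisory or the affected themes.

// --- Vulnerable pattern. wp_ajax_* hooks run for any authenticated user,
// including subscribers. No capability check, no nonce: a subscriber can upload
// any file, toggle plugins and delete data, and a CSRF page can do the same
// through an administrator's session.
add_action( 'wp_ajax_demo_theme_action_vuln', 'demo_theme_action_vulnerable' );
function demo_theme_action_vulnerable() {
    $task = $_POST['task'];
    if ( 'upload' === $task ) {
        // Attacker controls the file name and content, so a .php web shell lands
        // inside the web root.
        move_uploaded_file( $_FILES['file']['tmp_name'], WP_CONTENT_DIR . '/uploads/' . $_FILES['file']['name'] );
    } elseif ( 'activate' === $task ) {
        activate_plugin( $_POST['plugin'] );
    } elseif ( 'deactivate' === $task ) {
        deactivate_plugins( $_POST['plugin'] );
    } elseif ( 'reset' === $task ) {
        delete_option( 'demo_theme_options' );
    }
    wp_die();
}

// --- Hardened version: CSRF token, per-task capability checks, validated input
// and WordPress's own upload handling.
add_action( 'wp_ajax_demo_theme_action_safe', 'demo_theme_action_hardened' );
function demo_theme_action_hardened() {
    // CSRF: the nonce must have been issued to this user for this action.
    // check_ajax_referer() terminates the request with HTTP 403 on failure.
    check_ajax_referer( 'demo_theme_action', 'nonce' );

    $task = isset( $_POST['task'] ) ? sanitize_key( wp_unslash( $_POST['task'] ) ) : '';

    switch ( $task ) {
        case 'upload':
            if ( ! current_user_can( 'upload_files' ) || empty( $_FILES['file'] ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            require_once ABSPATH . 'wp-admin/includes/file.php';
            // wp_handle_upload() enforces the allowed MIME/extension list and
            // picks a safe, unique file name under the uploads directory.
            $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
            if ( isset( $result['error'] ) ) {
                wp_send_json_error( $result['error'], 400 );
            }
            wp_send_json_success( array( 'url' => $result['url'] ) );
            break;

        case 'activate':
        case 'deactivate':
            if ( ! current_user_can( 'activate_plugins' ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
            // Only accept a plugin slug that is actually installed; this also
            // rejects path-traversal values.
            $plugin = isset( $_POST['plugin'] ) ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) ) : '';
            if ( ! array_key_exists( $plugin, get_plugins() ) ) {
                wp_send_json_error( 'unknown plugin', 400 );
            }
            if ( 'activate' === $task ) {
                $r = activate_plugin( $plugin );
                if ( is_wp_error( $r ) ) {
                    wp_send_json_error( $r->get_error_message(), 400 );
                }
            } else {
                deactivate_plugins( $plugin );
            }
            wp_send_json_success();
            break;

        case 'reset':
            if ( ! current_user_can( 'manage_options' ) ) {
                wp_send_json_error( 'forbidden', 403 );
            }
            delete_option( 'demo_theme_options' );
            wp_send_json_success();
            break;

        default:
            wp_send_json_error( 'bad request', 400 );
    }
}

// The front end has to receive a nonce to send back with the request.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-theme', get_template_directory_uri() . '/js/demo.js', array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-theme', 'demoTheme', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_theme_action' ),
    ) );
} );
```

When auditing a theme for this class of bug, grep for wp_ajax_ and admin_post_ hooks and check each handler for three things in this order: a nonce check (check_ajax_referer / wp_verify_nonce), a current_user_can() test against the capability the task actually needs (upload_files, activate_plugins, manage_options, delete_posts, and so on), and validation of any path, slug or file name taken from the request. A nonce alone does not stop a subscriber, since WordPress issues nonces to every logged-in user; the capability check is what restricts the action to the intended role.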