CVE-2024-1047

Published: Feb 2, 2024

Modified: Apr 8, 2026

PUBLISHED

CVSS v3.1

5.3

MEDIUM

Description

Multiple plugins and/or themes for WordPress with the ThemeIsle SDK are vulnerable to unauthorized modification of data due to a missing capability check on the register_reference() function in various versions. This makes it possible for unauthenticated attackers to update options values that allow ThemeIsle to track promotional activities via utm_source.

Vendor	Product	Versions
themeisle	Menu Icons by ThemeIsle	affected `0 - <= 0.13.8`
themeisle	Starter Sites & Templates by Neve	affected `0 - <= 1.2.6`
themeisle	Otter Blocks – Gutenberg Blocks, Page Builder for Gutenberg Editor & FSE	affected `0 - <= 2.6.2`
themeisle	LightStart – Maintenance Mode, Coming Soon and Landing Page Builder	affected `0 - <= 2.6.9`
themeisle	Orbit Fox: Duplicate Page, Menu Icons, SVG Support, Cookie Notice, Custom Fonts & More	affected `0 - <= 2.10.28`
themeisle	Multiple Page Generator Plugin – MPG	affected `0 - <= 3.4.0`
themeisle	Visualizer: Tables and Charts Manager for WordPress	affected `0 - <= 3.10.6`
optimole	Optimole – Optimize Images in Real Time	affected `0 - <= 3.12.4`
themeisle	RSS Aggregator by Feedzy – Feed to Post, Autoblogging, News & YouTube Video Feeds Aggregator	affected `0 - <= 4.4.1`
optimole	Super Page Cache	affected `0 - <= 4.7.5`
rsocial	Revive Social – Social Media Auto Post and Scheduling Automation Plugin	affected `0 - <= 9.0.25`
themeisle	PPOM – Product Addons & Custom Fields for WooCommerce	affected `0 - <= 32.0.9`