While doing a security audit I uncovered another potential vulnerability in the jumpstart theme. The themeblvd_clear_options() function is hooked to the WordPress 'admin_init' action. This function checks a somewhat arbitrary nonce in order to function.
This allows anyone with a valid nonce to execute the function and delete an arbitrary WordPress option.
In WordPress core and the theme I did not see an easily leaked nonce that ends in '-options' but there are many other plugins that do use a nonce that matches. If a site had one of those plugins installed and a user could retrieve a leaked nonce then they could delete an arbitrary WordPress option.
I am contacting the other plugin authors that are making those nonces available but there's no way to be sure the nonce is secure.
This function should be protected by a capability check and ideally restrict the options that can be deleted.
From James Golovich, Pritect, Inc.
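The pattern described above, as an added illustration that is not the Jumpstart/Theme Blvd code: a hypothetical admin_init handler that builds its nonce action from request input and deletes whatever option is named, beside a hardened version with the capability check and option restriction the advisory asks for. All function, option and form-field names (`example_clear_options*`, `example_theme_options`, `example_clear_nonce`) are assumptions; the WordPress functions used (`wp_verify_nonce`, `check_admin_referer`, `current_user_can`, `delete_option`, `add_settings_error`) are real core APIs. The weak handler is deliberately left unhooked.

```php
<?php
/*
 * Hypothetical reconstruction of the weak pattern (NOT the theme's code).
 * The nonce action is derived from a request field, so the handler accepts
 * any nonce whose action ends in "-options". WordPress's Settings API
 * (settings_fields( $group )) emits exactly such a nonce, "<group>-options",
 * on every settings form built with it, so a nonce leaked from any plugin's
 * settings page is enough to reach delete_option() with a chosen name.
 */
function example_clear_options_weak() {
    if ( ! isset( $_POST['example_clear_options'], $_POST['option_page'], $_POST['_wpnonce'] ) ) {
        return;
    }
    // Attacker-controlled prefix: option_page=<any group with a leaked nonce>
    if ( ! wp_verify_nonce( $_POST['_wpnonce'], $_POST['option_page'] . '-options' ) ) {
        return;
    }
    // No capability check, no limit on which option is removed.
    delete_option( sanitize_key( wp_unslash( $_POST['example_clear_options'] ) ) );
}
// Intentionally not hooked: add_action( 'admin_init', 'example_clear_options_weak' );

/*
 * Hardened form: fixed nonce action bound to this handler, explicit
 * capability check, and an allowlist of the options it is allowed to clear.
 * The matching form would emit the nonce with
 *   wp_nonce_field( 'example_clear_options', 'example_clear_nonce' );
 */
const EXAMPLE_CLEARABLE_OPTIONS = array( 'example_theme_options', 'example_theme_sidebars' );

function example_clear_options_hardened() {
    if ( ! isset( $_POST['example_clear_options'] ) ) {
        return;
    }
    // 1. Who is asking? Only users allowed to manage theme options.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Did the request come from our own form? The action string is a
    //    constant, so a "<group>-options" nonce minted for another plugin's
    //    settings page does not verify here. check_admin_referer() dies on failure.
    check_admin_referer( 'example_clear_options', 'example_clear_nonce' );
    // 3. Is the target one of the few options this handler owns?
    $option = sanitize_key( wp_unslash( $_POST['example_clear_options'] ) );
    if ( ! in_array( $option, EXAMPLE_CLEARABLE_OPTIONS, true ) ) {
        wp_die( 'Option not clearable.', '', array( 'response' => 400 ) );
    }
    delete_option( $option );
    add_settings_error( $option, 'restore_defaults', 'Options cleared from database.', 'updated' );
}
add_action( 'admin_init', 'example_clear_options_hardened' );
```

The order of the three checks matters in practice: the capability check first means an unprivileged user never reaches nonce verification at all, and the allowlist means that even a privileged user with a valid nonce cannot be tricked (for example via a forged form) into deleting core options such as `siteurl` or `active_plugins`.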