
A critical vulnerability has been discovered in the KLEO WordPress theme, potentially allowing attackers to take over user accounts. The vulnerability, tracked as CVE-2024-56000 and assigned a CVSS score of 9.8, affects the K Elements plugin, which is bundled with the KLEO theme and provides custom elements and shortcodes. With over 23,000 sales, KLEO is one of the most popular premium BuddyPress themes in the WordPress ecosystem.
The vulnerability stems from a flaw in the Facebook social login process. Attackers could exploit this vulnerability by supplying a target user’s email address during the login process, bypassing authentication and gaining access to the account. This occurred because the code did not properly verify the user’s identity during the Facebook login process.
According to the security advisory from Patchstack, “The vulnerability occurred due to broken logic on the Facebook social login process where users can log in to any other user’s account by only supplying their account’s email address.” The advisory further explains that the underlying vulnerability exists in the kleo_fb_intialize function, where the code constructs the user ID based on data received from Facebook without proper validation.
The vendor, SeventhQueen, has addressed the vulnerability in version 5.4.0 of the K Elements plugin. The patch implements a proper check on the Facebook login process, using the kleo_verify_facebook_token_and_get_data function to fetch and verify the user’s data via their Facebook access token.
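The flaw described above and the shape of the fix, as an added illustration that is not the K Elements plugin's code: a social login handler that looks up the account from an email the client supplies (the broken pattern), next to one that derives the identity only from what the provider returns for the access token (the patched pattern). The user table, the token table and the function names are constructed for this example; the provider lookup is an in-memory stand-in for a real call to the provider's token-verification endpoint.

```python
"""Generic social-login example (added here; not the plugin's own code).

Vulnerable pattern: trust a client-supplied email to pick the local account.
Fixed pattern: resolve the identity only through the provider-verified token.
"""
from typing import Optional

# Constructed sample data: local accounts keyed by email address.
USERS_BY_EMAIL = {
    "alice@example.com": {"id": 1, "login": "alice"},
    "admin@example.com": {"id": 2, "login": "admin"},
}

# Constructed stand-in for the identity provider: maps an access token to the
# identity the provider vouches for. Real code would call the provider's
# token-validation/profile endpoint over TLS instead of a local table.
PROVIDER_TOKENS = {
    "tok-alice-valid": {"provider_id": "id-1001", "email": "alice@example.com"},
}


class AuthError(Exception):
    """Raised when a login attempt must be rejected."""


def vulnerable_social_login(request: dict) -> dict:
    """Broken logic: the account is chosen by an email the caller sent.

    Nothing ties that email to a verified identity, so whoever names an
    account's email is logged in as that account.
    """
    user = USERS_BY_EMAIL.get(request.get("email"))
    if user is None:
        raise AuthError("unknown user")
    return user


def verify_token_and_get_data(access_token: str) -> Optional[dict]:
    """Simulated provider verification (hypothetical helper name).

    Returns the provider-asserted identity for a valid token, else None.
    """
    return PROVIDER_TOKENS.get(access_token)


def fixed_social_login(request: dict) -> dict:
    """Patched logic: identity comes only from provider data for the token.

    Any email field the client may have sent is deliberately ignored.
    """
    token = request.get("access_token")
    if not token:
        raise AuthError("missing access token")
    provider_data = verify_token_and_get_data(token)
    if not provider_data or not provider_data.get("email"):
        raise AuthError("token could not be verified")
    user = USERS_BY_EMAIL.get(provider_data["email"])
    if user is None:
        raise AuthError("no local account for the verified identity")
    return user


def attempt(handler, request: dict) -> Optional[str]:
    """Run a handler and return the login name on success, None on rejection."""
    try:
        return handler(request)["login"]
    except AuthError:
        return None


if __name__ == "__main__":
    # Email only: the broken handler grants access, the fixed one refuses.
    print("vulnerable, email only:", attempt(vulnerable_social_login, {"email": "admin@example.com"}))
    print("fixed, email only:     ", attempt(fixed_social_login, {"email": "admin@example.com"}))
    # Valid token plus a mismatched email: the fixed handler uses the token.
    print("fixed, token + email:  ", attempt(fixed_social_login,
          {"access_token": "tok-alice-valid", "email": "admin@example.com"}))
```

The point to carry into a code review of any social-login integration is the last handler: the only client-controlled input that influences which account gets a session is the access token, and it influences it only indirectly, through data the provider returns for that token.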
Users of the KLEO theme are strongly urged to update to the latest version of the K Elements plugin immediately. It is also recommended to review account activity for any signs of compromise and to change passwords as a precautionary measure.