Over 15,000 Sites at Risk: Woffice WordPress Theme Vulnerabilities Could Lead to Full Site Takeovers
Patchstack has disclosed two critical vulnerabilities in the widely used Woffice WordPress theme, a premium intranet/extranet solution with over 15,000 sales. Developed by Xtendify, the Woffice theme offers team and project management features, making it a popular choice for advanced business workflows. However, the recent discovery of these vulnerabilities—rated at a critical CVSS 9.8 severity—poses a significant security risk to affected websites.
Patchstack identified two critical flaws in the Woffice Core plugin, which is required for the theme’s functionality:
- Privilege Escalation Vulnerability (CVE-2024-43153): This flaw allows unauthenticated users to register with any role on an affected website, including the highly privileged Administrator role. According to the report, “This vulnerability could lead to an attacker’s full takeover of the website and malicious code installed on the server.” The issue resides in the `registration` function located in the `inc/classes/Woffice_Register.php` file. When Woffice’s custom login options, such as Auto Login and the Role field in the form, are enabled, attackers can submit arbitrary roles in the `$_POST["reg_role"]` parameter to gain elevated privileges.
- Unauthenticated Account Takeover (CVE-2024-43234): This flaw leverages broken authentication mechanisms, enabling attackers to log in as any existing user without authorization. The vulnerability is linked to the `register_redirect` function in the same `Woffice_Register.php` file. By extracting the `WofficeRegisterRedirect` security nonce from the custom registration page and sending a request with the nonce and `$_POST['user_id']` set to an existing user ID (e.g., `1` for the Administrator), attackers can gain unauthorized access.
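As an added illustration (not Woffice's code, which the advisory does not reproduce), the following WordPress-style handler shows the two properties a safe version of this flow needs: the assigned role comes from a server-side allowlist rather than from `$_POST['reg_role']`, and the post-registration auto-login is bound to the account the server just created via a single-use server-side token instead of a client-supplied `$_POST['user_id']`. All `example_` function and option names are assumptions.

```php
<?php
// Added example, not Woffice code. Hypothetical hardened registration flow for a
// WordPress plugin; option and function names are assumptions.

// Roles an administrator has allowed for self-registration (a server-side setting).
function example_allowed_registration_roles(): array {
    $roles = (array) get_option('example_allowed_roles', ['subscriber']);
    // Privileged roles are never self-assignable, whatever the option holds.
    return array_values(array_diff($roles, ['administrator', 'editor']));
}

function example_handle_registration(): void {
    check_ajax_referer('example_register', 'nonce');

    $login    = sanitize_user(wp_unslash($_POST['user_login'] ?? ''), true);
    $email    = sanitize_email(wp_unslash($_POST['user_email'] ?? ''));
    $password = (string) ($_POST['user_pass'] ?? '');

    // A client-supplied role is honoured only if it is inside the allowlist;
    // anything else falls back to the site's default role.
    $requested = sanitize_key(wp_unslash($_POST['reg_role'] ?? ''));
    $role = in_array($requested, example_allowed_registration_roles(), true)
        ? $requested
        : get_option('default_role', 'subscriber');

    $user_id = wp_insert_user([
        'user_login' => $login, 'user_email' => $email,
        'user_pass'  => $password, 'role' => $role,
    ]);
    if (is_wp_error($user_id)) {
        wp_send_json_error($user_id->get_error_message(), 400);
    }

    // Bind the pending auto-login to the account just created with a random,
    // short-lived, single-use token kept server-side; no user ID leaves the server.
    $token = wp_generate_password(32, false);
    set_transient('example_autologin_' . $token, $user_id, 5 * MINUTE_IN_SECONDS);
    wp_send_json_success(['redirect_token' => $token]);
}

function example_handle_register_redirect(): void {
    $token   = sanitize_text_field(wp_unslash($_POST['redirect_token'] ?? ''));
    $user_id = $token !== '' ? get_transient('example_autologin_' . $token) : false;
    if ($user_id === false) {
        wp_send_json_error('invalid or expired token', 403);
    }
    delete_transient('example_autologin_' . $token); // single use
    wp_set_current_user((int) $user_id);
    wp_set_auth_cookie((int) $user_id);
    wp_send_json_success(['redirect' => home_url('/')]);
}
```

The redirect step accepts only a token the server itself issued, so the account that gets logged in is always the one created by the preceding registration request.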
Both vulnerabilities, if exploited, could lead to a full site compromise, the deployment of malicious code, and potential reputational and financial losses for businesses using the theme.
Xtendify, the developers of Woffice, have addressed these vulnerabilities in versions 5.4.12 and 5.4.15, respectively. All users are strongly urged to update their theme to at least version 5.4.15 immediately.