CVE-2024-12920
Published: 19 March 2025
Summary
CVE-2024-12920 is a high-severity Missing Authorization (CWE-862) vulnerability in the FoodBakery | Delivery Restaurant Directory WordPress theme, affecting all versions up to and including 4.7. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 36.2nd percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly addresses the missing capability checks by requiring approved authorizations before any logical access to the functions that allow file deletion, theme option modification, and backup generation or restore.
- SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws such as the missing authorization checks in the FoodBakery theme, so that affected versions are updated before they can be exploited.
- AC-6 (Least Privilege): limits how many accounts hold any authenticated role on the site, for example by closing open registration and pruning unused Subscriber accounts. Because the affected handlers perform no capability check at all, trimming the capabilities of the Subscriber role does not by itself block exploitation; this control reduces the pool of accounts an attacker can use, not the exposure of the handlers.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 (Exploit Public-Facing Application): the vulnerable handlers live in a theme served by a public-facing WordPress site and are reachable by any authenticated user.
- T1070.004 (Indicator Removal: File Deletion): the missing check on the file-delete handlers allows arbitrary file deletion.
- T1565.001 (Data Manipulation: Stored Data Manipulation): the option, widget, and backup handlers allow stored data (theme options, widget data, backups) to be modified, exported, imported, or reset.
NVD Description
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
Deeper analysis
CVE-2024-12920 is a high-severity vulnerability (CVSS 8.8) in the FoodBakery | Delivery Restaurant Directory WordPress Theme for WordPress, affecting all versions up to and including 4.7. It arises from missing capability checks on functions including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all, enabling unauthorized data access and modification (CWE-862).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation allows attackers to delete arbitrary files, update or reset theme options, export widget settings, import widget data, generate backups, and restore backups, potentially leading to high confidentiality, integrity, and availability impacts.
Advisories from Wordfence and the theme's ThemeForest page provide additional details; the information available here does not identify a patched version. Practitioners should check those sources for a fixed release and, until one is installed, treat every account with Subscriber-level access or above as able to reach these handlers through admin-ajax.php.
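The following is an added example written for this page, not code from the FoodBakery theme or from Wordfence. It shows the missing-authorization pattern that CWE-862 describes in a WordPress AJAX handler, and the hardened form a practitioner would expect: a capability check, a nonce check, input validation, and, for the file-delete case, confinement of the target path to the backup directory. The hook names, function names, option names, nonce actions, and the `example-backups` directory are hypothetical; the theme's real handler bodies are not reproduced here.

```php
<?php
/**
 * Added example (hypothetical names; not the theme's own code).
 *
 * wp_ajax_{action} hooks fire for every logged-in user, Subscribers included.
 * If the handler does not check a capability, "is logged in" is the only gate,
 * which is exactly the condition described for CVE-2024-12920.
 */

// --- Vulnerable pattern: any authenticated user can overwrite theme options. --
add_action( 'wp_ajax_example_theme_option_save', 'example_theme_option_save_vulnerable' );
function example_theme_option_save_vulnerable() {
    $options = isset( $_POST['options'] ) ? wp_unslash( $_POST['options'] ) : array();
    update_option( 'example_theme_options', $options ); // no current_user_can(), no nonce
    wp_send_json_success();
}

// --- Hardened pattern: authorization, CSRF protection, input validation. ------
add_action( 'wp_ajax_example_theme_option_save_safe', 'example_theme_option_save_safe' );
function example_theme_option_save_safe() {
    // 1. Authorization. Check a capability rather than a role name so custom
    //    roles still work; editing theme settings maps to edit_theme_options.
    //    wp_send_json_error() terminates the request, so no return is needed.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF. The front-end must send a nonce made with
    //    wp_create_nonce( 'example_theme_options' ) in the 'nonce' field.
    check_ajax_referer( 'example_theme_options', 'nonce' );
    // 3. Validation. Accept only an allow-list of keys, each sanitized by type.
    $raw     = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] ) : array();
    $allowed = array(
        'site_tagline'   => 'sanitize_text_field',
        'items_per_page' => 'absint',
    );
    $clean = array();
    foreach ( $allowed as $key => $sanitizer ) {
        if ( array_key_exists( $key, $raw ) ) {
            $clean[ $key ] = call_user_func( $sanitizer, $raw[ $key ] );
        }
    }
    update_option( 'example_theme_options', $clean );
    wp_send_json_success( $clean );
}

// --- Hardened file deletion: same checks plus path confinement. ---------------
add_action( 'wp_ajax_example_backup_file_delete_safe', 'example_backup_file_delete_safe' );
function example_backup_file_delete_safe() {
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    check_ajax_referer( 'example_theme_backups', 'nonce' );

    // Backups live in a fixed directory under wp-content/uploads (hypothetical).
    $upload = wp_upload_dir();
    $base   = realpath( trailingslashit( $upload['basedir'] ) . 'example-backups' );

    // Accept a bare file name, never a path. sanitize_file_name() strips
    // directory separators; realpath() then resolves any remaining trickery
    // (symlinks, "..") before the prefix check.
    $name   = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $target = ( $base && '' !== $name ) ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;

    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'invalid file' ), 400 );
    }
    wp_delete_file( $target );
    wp_send_json_success( array( 'deleted' => basename( $target ) ) );
}
```

The same three checks apply to every handler in the NVD list: restore, generate, export, import, and reset all change or expose site state and should require `edit_theme_options` (or a stricter capability) plus a nonce. A quick triage of a theme or plugin is to list every `add_action( 'wp_ajax_` registration and confirm that each callback reaches `current_user_can()` before it touches options or the filesystem; a handler registered only under `wp_ajax_` is still reachable by a Subscriber, and one registered under `wp_ajax_nopriv_` is reachable without any login.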
Details
- CWE(s)