Cyber Posture

CVE-2024-13373

High

Published: 01 March 2025

Published
01 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 41.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13373 is a high-severity Unverified Password Change (CWE-620) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, ranked at the 41.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

IA-5 requires verifying the identity of the user receiving or changing an authenticator such as a password, directly mitigating the plugin's failure to validate identity in fl_forgot_pass_new().

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved authorizations for access to sensitive operations like password updates, preventing unauthenticated attackers from changing arbitrary user passwords.

AC-2 Account Management partial match
prevent

AC-2 establishes procedures for managing account modifications including passwords, reducing risk of unauthorized changes through defined approval and monitoring processes.

NVD Description

The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through…

more

the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Deeper analysisAI

CVE-2024-13373 is a privilege escalation vulnerability via account takeover in the Exertio Framework plugin for WordPress, affecting all versions up to and including 1.3.1. The issue arises because the plugin fails to properly validate a user's identity before updating their password through the fl_forgot_pass_new() function. Published on 2025-03-01, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-620 (Unverified Password Change).

Unauthenticated attackers can exploit this vulnerability remotely with high attack complexity, requiring no privileges or user interaction. Successful exploitation allows them to change the passwords of arbitrary users, including administrators, enabling full account takeover and potential complete compromise of the affected WordPress site.

Mitigation guidance is available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/897ce9a9-8b3e-40bc-9815-c55cc7a838f9?source=cve and the plugin's product page on ThemeForest at https://themeforest.net/item/exertio-freelance-marketplace-wordpress-theme/30602587.

Details

CWE(s)
CWE-620

Affected Products

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-9286Shared CWE-620
CVE-2025-63362Shared CWE-620
CVE-2026-24440Shared CWE-620
CVE-2026-27757Shared CWE-620
CVE-2026-24443Shared CWE-620
CVE-2025-1107Shared CWE-620
CVE-2024-12824Shared CWE-620
CVE-2025-11235Shared CWE-620
CVE-2024-13375Shared CWE-620
CVE-2024-12860Shared CWE-620

References