CVE-2024-13412
Published: 19 March 2025
Summary
CVE-2024-13412 is a high-severity Missing Authorization (CWE-862) vulnerability in Themeforest (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 47.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-13412 affects the CozyStay theme for WordPress, specifically due to a missing capability check on the ajax_handler function in all versions up to and including 1.7.0. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized modification of data, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). It was published on 2025-03-19.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary actions on the targeted WordPress site, resulting in high integrity impacts through unauthorized data modifications.
Advisories reference the CozyStay theme changelog on ThemeForest and Wordfence threat intelligence for details on mitigation. Security practitioners should update the CozyStay theme to a version beyond 1.7.0 where the capability check has been implemented.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54103
Vulnerability details
The CozyStay theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_handler function in all versions up to, and including, 1.7.0. This makes it possible for unauthenticated attackers to execute arbitrary…
more
actions.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization check in a public-facing WordPress theme's AJAX handler, directly enabling remote unauthenticated exploitation of a web application for unauthorized data modification.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates enforcement of approved authorizations for access to system resources, addressing the missing capability check in the ajax_handler function that allowed unauthorized data modifications.
Enforces least privilege to restrict access to only necessary capabilities, mitigating unauthorized arbitrary actions by unauthenticated attackers.
Requires timely identification, reporting, and remediation of flaws such as the missing authorization in CozyStay theme versions up to 1.7.0.