CVE-2024-13442
Published: 19 March 2025
Summary
CVE-2024-13442 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
AC-3 enforces approved authorizations for access to system resources, directly preventing unauthorized profile updates and auto-logins without proper identity validation.
IA-5 requires verifying user identity prior to changing authenticators like passwords, mitigating the vulnerability's arbitrary password update capability.
IA-8 ensures identification and authentication of non-organizational users, countering unauthenticated attackers' ability to perform account takeovers via auto-login or profile changes.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
A vulnerability in a public-facing WordPress plugin enables unauthenticated exploitation for account takeover and password updates, which maps directly to T1190 (exploit of a public-facing application), T1078 (access with valid accounts), and T1098 (account manipulation via password changes).
NVD Description
The Service Finder Bookings plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.0. This is due to the plugin not properly validating a user's identity prior to (1) performing a post-booking auto-login or (2) updating their profile details (e.g. password). This makes it possible for unauthenticated attackers to (1) login as an arbitrary user if their email address is known or (2) change an arbitrary user's password, including administrators, and leverage that to gain access to their account.
Deeper analysis [AI]
CVE-2024-13442 is a privilege escalation vulnerability via account takeover affecting the Service Finder Bookings plugin for WordPress in all versions up to and including 5.0. The issue stems from the plugin's failure to properly validate a user's identity before performing post-booking auto-login actions or updating profile details, such as passwords. This flaw, mapped to CWE-288 and assigned a CVSS 3.1 base score of 9.8 (Critical), enables severe authentication bypass.
Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. If a target user's email address is known, an attacker can log in as that user; alternatively, the attacker can update any user's password, including an administrator's, to gain unauthorized access to that account. Successful exploitation results in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H).
Advisories, including the Wordfence threat intelligence report, provide additional details on the vulnerability. The plugin is available via the ThemeForest marketplace at the referenced URL. No specific patch information is detailed in the available CVE data.
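As an added example (not the plugin's own code; function, hook and field names are hypothetical), the following WordPress AJAX handler shows the class of defect described above, a profile update that trusts a request-supplied identity, beside a hardened version that implements the AC-3 and IA-5 controls: identity comes from the session, the request is bound to that session with a nonce, cross-user changes require a capability, and changing a password requires proving the current one.

```php
<?php
// Added example, not code from the Service Finder Bookings plugin.
// Names prefixed sfb_ are hypothetical.

// WEAK pattern (CWE-288): the user to modify is taken from the request and
// no check is made that the caller is that user, or is logged in at all.
function sfb_weak_update_profile() {
    $user_id = (int) $_POST['user_id'];                 // attacker-controlled
    wp_set_password( sanitize_text_field( $_POST['new_password'] ), $user_id );
}

// HARDENED pattern: identity is derived from the authenticated session only.
function sfb_secure_update_profile() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required.', 401 );
    }
    check_ajax_referer( 'sfb_update_profile', 'nonce' ); // dies on a bad nonce

    $current   = wp_get_current_user();
    $target_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : $current->ID;

    // AC-3: only the account owner, or a user holding the edit_user capability
    // for the target, may change the target's profile.
    if ( $target_id !== $current->ID && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'Not authorized.', 403 );
    }

    // IA-5: changing your own authenticator requires re-proving the current one.
    if ( $target_id === $current->ID ) {
        $old = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
        if ( ! wp_check_password( $old, $current->user_pass, $current->ID ) ) {
            wp_send_json_error( 'Current password incorrect.', 403 );
        }
    }

    $new = isset( $_POST['new_password'] ) ? (string) $_POST['new_password'] : '';
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'Password too short.', 400 );
    }

    wp_set_password( $new, $target_id );
    // Note: the caller's own auth cookie is tied to the old password hash, so a
    // self-change should be followed by a re-login (wp_set_auth_cookie) server-side.
    wp_send_json_success( 'Password updated.' );
}
add_action( 'wp_ajax_sfb_update_profile', 'sfb_secure_update_profile' );
```

The same principle applies to the post-booking auto-login path: a session should be issued only for an account whose identity was verified in that request (for example, a freshly created account or a single-use, expiring token sent to the address on file), never for an arbitrary user looked up by an email address supplied by the client.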
Details
- CWE(s)