CVE-2024-13643
Published: 11 February 2025
Summary
CVE-2024-13643 is a high-severity Missing Authorization (CWE-862) vulnerability in the Zox News theme by Mvpthemes (vendor inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 25.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-13643 is a vulnerability in the Zox News - Professional WordPress News & Magazine Theme plugin for WordPress, affecting all versions up to and including 3.17.0. It stems from missing capability checks on the backup_options() and reset_options() functions, enabling unauthorized data modification. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-11.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to update or delete arbitrary WordPress option values. By modifying site options, they can escalate privileges—for instance, by setting the default user role for registration to Administrator and enabling user registration, thereby gaining administrative control. Attackers can also delete critical options, leading to errors that disrupt site functionality and cause denial-of-service conditions for legitimate users.
Advisories and further details are available from sources including the MVP Themes website at https://mvpthemes.com/zoxnews/, the ThemeForest product page at https://themeforest.net/item/zox-news-professional-wordpress-news-magazine-theme/20381541, and Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/4adb7436-11e6-4512-b6c9-551402909bf0?source=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51701
Vulnerability details
The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.
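As an added illustration (not code from the Zox News theme or from Wordfence), the handler below shows the checks whose absence the advisory describes: a capability check, a nonce check and an option allowlist on an AJAX options-reset endpoint, plus a hook that logs changes to the two options named as the escalation path. The handler name, AJAX action name, option names and nonce action are assumptions chosen for the example.

```php
<?php
// Example hardening for a WordPress options handler. Not the theme's own code;
// all names below are assumptions made for illustration.

// Only these options may be touched by the handler. Arbitrary keys such as
// default_role or users_can_register are rejected outright.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_theme_layout',
    'example_theme_color',
);

function example_reset_options_handler() {
    // 1. Authorization: any logged-in user (including Subscribers) can reach
    //    admin-ajax.php, so this capability check is what gates the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 ); // calls wp_die()
    }
    // 2. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_reset_options', 'nonce' );

    // 3. Input validation: only allowlisted option names are ever deleted.
    $requested = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $deleted   = array();
    foreach ( $requested as $name ) {
        $name = sanitize_key( $name );
        if ( in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
            delete_option( $name );
            $deleted[] = $name;
        }
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
// wp_ajax_* fires for authenticated users only; the capability check above
// is still required because authentication is not authorization.
add_action( 'wp_ajax_example_reset_options', 'example_reset_options_handler' );

// Detection: record every change to the two options the advisory names as the
// privilege-escalation path, whichever code path performs the change.
function example_log_sensitive_option_change( $old_value, $value, $option ) {
    error_log( sprintf(
        'Sensitive option %s changed from %s to %s by user %d',
        $option,
        wp_json_encode( $old_value ),
        wp_json_encode( $value ),
        get_current_user_id()
    ) );
}
add_action( 'update_option_default_role', 'example_log_sensitive_option_change', 10, 3 );
add_action( 'update_option_users_can_register', 'example_log_sensitive_option_change', 10, 3 );
```

A matching client would send the nonce created with wp_create_nonce( 'example_reset_options' ) in the `nonce` POST field; the logging hook is useful as a compensating control until the theme is updated past 3.17.0.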
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authorization on the option-modifying functions directly enables T1068 (Exploitation for Privilege Escalation), because changing the default registration role yields administrative access; T1190 (Exploit Public-Facing Application) applies because this is a publicly exploitable WordPress theme flaw; and T1489 (Service Stop) applies because deleting critical options can take the site down.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly addresses the missing capability checks in backup_options() and reset_options() by requiring enforcement of approved authorizations before WordPress site options can be modified.
- AC-6 (Least Privilege): Mitigates privilege escalation from Subscriber-level access by ensuring only the privileges a role needs are granted, preventing unauthorized updates to critical options such as the default user role.
- Flaw remediation: Requires timely patching of the specific flaw in Zox News versions up to and including 3.17.0, eliminating the unauthorized data modification vulnerability.