Cyber Posture

CVE-2024-13646

High

Published: 30 January 2025
Modified: 31 January 2025
KEV Added: not listed
Patch: none listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0008 (24.1st percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13646 is a high-severity Improper Authorization (CWE-285) vulnerability in the Aakashbhagat Single User Chat plugin for WordPress. Its CVSS v3.1 base score is 8.1 (High): network-reachable, low attack complexity, no user interaction, requiring only a low-privileged account, with high impact on integrity and availability and none on confidentiality.

Operationally, it ranks at the 24.1st percentile for exploit likelihood (EPSS 0.0008, below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): enforces approved authorizations so that authenticated low-privilege users cannot modify WordPress options through the insufficiently validated plugin function.

AC-6 Least Privilege (prevent): restricts subscriber-level and higher users from reaching functions that modify critical site options, addressing the improper authorization.

Input validation (prevent): mandates validation of the inputs to the single_user_chat_update_login function so that invalid option updates leading to denial of service or unauthorized settings changes are blocked.

NVD Description

The Single-user-chat plugin for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the 'single_user_chat_update_login' function in all versions up to, and including, 0.5. This makes it possible for authenticated attackers, with subscriber-level access and above, to update option values to 'login' on the WordPress site. This may be leveraged to update an option that would create an error on the site and deny service to legitimate users or be used to set some values to true such as registration.

Deeper analysis

CVE-2024-13646 affects the Single-user-chat plugin for WordPress in all versions up to and including 0.5. The root cause is insufficient validation in the 'single_user_chat_update_login' function, which allows unauthorized modification of stored data and can result in a denial of service. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is classified as CWE-285 (Improper Authorization).

Authenticated attackers with subscriber-level access or higher can exploit it remotely over the network, with low complexity and no user interaction. By calling the affected function they can update WordPress option values to 'login', either corrupting an option the site depends on (so that it errors for legitimate users) or flipping a setting such as user registration to true. Because the plugin, not WordPress core, decides who may call this function, a subscriber account is the only prerequisite.
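The pattern behind this class of bug and its fix, as an added example that is not the plugin's code and not taken from the advisory: a WordPress AJAX option-update handler written without authorization or validation, beside a hardened version that applies the access enforcement, least privilege and input validation controls listed above. The handler names, AJAX action names, nonce name and option allowlist are assumptions for illustration. The example generalizes the page's specific case (one function that writes an option) to attacker-controlled option names and values. Handlers hooked to `wp_ajax_*` run for any logged-in user, which is why subscriber-level access is enough unless the handler checks capabilities itself.

```php
<?php
/**
 * Added illustration: insecure vs hardened WordPress AJAX option-update handlers.
 * This is NOT the Single-user-chat plugin's code. The function names
 * suc_update_setting_insecure / suc_update_setting_hardened, the AJAX action
 * names, the nonce name and the allowlist are assumptions for this example.
 */

// --- Vulnerable pattern (the class of bug CWE-285 describes) -------------
// wp_ajax_* fires for ANY authenticated user, but this handler never checks
// what the caller may do or which option is being written. A subscriber can
// post option_name=users_can_register&option_value=1, or overwrite an option
// that core or the theme depends on and take the site down.
add_action( 'wp_ajax_suc_update_setting_insecure', 'suc_update_setting_insecure' );
function suc_update_setting_insecure() {
    $name  = $_POST['option_name'];
    $value = $_POST['option_value'];
    update_option( $name, $value );          // attacker controls both arguments
    wp_send_json_success();
}

// --- Hardened pattern (AC-3, AC-6 and input validation applied) -----------
// 1. Access enforcement: reject callers without the capability needed to
//    change site options; subscribers do not have manage_options.
// 2. Least privilege: the handler may only touch options it owns, chosen
//    from a fixed allowlist; the option NAME is never taken from the request
//    as-is.
// 3. Input validation: each allowed option has its own sanitizer, so the
//    stored value always has the expected type and range.
const SUC_ALLOWED_OPTIONS = [
    // option name (assumed)    => sanitizer callback
    'suc_login_message'       => 'sanitize_text_field',
    'suc_chat_enabled'        => 'suc_sanitize_bool',
    'suc_max_message_length'  => 'suc_sanitize_message_length',
];

function suc_sanitize_bool( $v ) {
    return filter_var( $v, FILTER_VALIDATE_BOOLEAN ) ? 1 : 0;
}

function suc_sanitize_message_length( $v ) {
    $n = absint( $v );
    return ( $n >= 1 && $n <= 2000 ) ? $n : 500; // clamp to a sane default
}

add_action( 'wp_ajax_suc_update_setting', 'suc_update_setting_hardened' );
function suc_update_setting_hardened() {
    // CSRF protection: the nonce ties the request to a form this plugin rendered.
    check_ajax_referer( 'suc_settings_nonce', 'nonce' );

    // AC-3 / AC-6: only users who may manage options can change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! array_key_exists( $name, SUC_ALLOWED_OPTIONS ) ) {
        // Unknown or foreign option (users_can_register, siteurl, ...): refuse.
        wp_send_json_error( 'unknown option', 400 );
    }

    $raw   = isset( $_POST['option_value'] ) ? wp_unslash( $_POST['option_value'] ) : '';
    $value = call_user_func( SUC_ALLOWED_OPTIONS[ $name ], $raw );

    update_option( $name, $value );
    wp_send_json_success( [ 'option' => $name, 'value' => $value ] );
}
```

The allowlist is what closes the availability impact in the CVSS vector: even an administrator using the hardened handler cannot reach options outside the plugin's own namespace, so a bug elsewhere in the plugin cannot be turned into a site-wide denial of service. When reviewing a plugin for this bug class, look for `update_option()` calls whose first argument derives from `$_POST`, `$_GET` or `$_REQUEST`, and for `wp_ajax_*` handlers that lack a `current_user_can()` check.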

The Wordfence threat intelligence advisory documents the vulnerability, and the plugin's source in the WordPress plugin trac repository (single-user-chat.php, line 326) shows the insufficiently validated code. The available references give no patch information; practitioners should update to a patched release if one is published, or deactivate and remove the plugin. Sites that ran an affected version should also review their options for unexpected changes, in particular whether open user registration has been enabled, since the description names that as an outcome an attacker could produce.

Details

CWE(s): CWE-285 Improper Authorization

Affected Products: aakashbhagat single user chat, versions ≤ 0.5

CVEs Like This One

CVE-2026-27912 (shared CWE-285)
CVE-2025-4521 (shared CWE-285)
CVE-2026-28448 (shared CWE-285)
CVE-2026-30702 (shared CWE-285)
CVE-2025-25196 (shared CWE-285)
CVE-2025-29778 (shared CWE-285)
CVE-2025-26683 (shared CWE-285)
CVE-2023-53895 (shared CWE-285)
CVE-2024-50617 (shared CWE-285)
CVE-2026-34784 (shared CWE-285)
