CVE-2024-13655
Published: 07 March 2025
Summary
CVE-2024-13655 is a high-severity Missing Authorization (CWE-862) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent unauthorized data modification due to the missing capability check in the propanel_of_ajax_callback() function.
Employs least privilege to restrict Subscriber-level users from deleting arbitrary WordPress option values that could lead to denial of service.
Requires identification, reporting, and timely remediation of the flaw in the Flex Mag theme to eliminate the missing authorization vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress theme allows authenticated attackers to delete arbitrary options via missing authorization check, directly enabling exploitation of the web application (T1190) to achieve denial of service through application/system exploitation (T1499.004).
NVD Description
The Flex Mag - Responsive WordPress News Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the propanel_of_ajax_callback() function in all versions up…
more
to, and including, 3.5.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
Deeper analysisAI
CVE-2024-13655 is a vulnerability in the Flex Mag - Responsive WordPress News Theme for WordPress, affecting all versions up to and including 3.5.2. It arises from a missing capability check in the propanel_of_ajax_callback() function, enabling unauthorized modification of data that can result in a denial of service. The issue, published on 2025-03-07, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. They can delete arbitrary option values on the WordPress site, which can be leveraged to target specific options that trigger site errors, thereby denying service to legitimate users.
Advisories and further details are available from references including the theme's page on ThemeForest (https://themeforest.net/item/flex-mag-responsive-wordpress-news-theme/12772303) and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/23f53ff1-f0bc-4ad3-9b9e-cf365f064066?source=cve).
Details
- CWE(s)