Cyber Posture

CVE-2024-13771

Critical

Published: 14 March 2025

Modified: 08 April 2026
KEV Added: not listed
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-13771 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Uxper Civi. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 7.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: IA-5 (Authenticator Management). Requires verifying the identity of users before reissuing authenticators like passwords, directly preventing unauthenticated password changes for arbitrary users.

prevent: AC-3 (Access Enforcement). Enforces approved access control policies to block unauthorized logical access to privileged functions such as changing other users' passwords.

prevent: Mandates timely identification, prioritization, and remediation of flaws like this authentication bypass vulnerability through patching or removal of the affected plugin.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing WordPress plugin enables remote unauthenticated exploitation for initial access and account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.

Deeper analysis

CVE-2024-13771 is an authentication bypass vulnerability affecting the Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress in all versions up to and including 2.1.4. The issue stems from a lack of user validation before changing a password, allowing attackers to reset passwords without proper authentication checks. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 and CWE-306.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. If an attacker knows the username of a target user, including administrators, they can change that user's password, potentially gaining full account takeover and control over the WordPress site.

Advisories and further details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab2c74d-b83b-40ea-951c-83aeb76a7515?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/civi-job-board-wordpress-theme/42770817. The vulnerability was published on 2025-03-14.
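The flaw class described above, as an added example that is not the Civi theme's own code: a constructed WordPress AJAX password-change handler in the shape the NVD text describes (no user validation before the change) beside a hardened version that ties the target account to the authenticated session. The action name, parameter names, messages and function names are assumptions.

```php
<?php
// Added illustration, not the Civi theme's code. Hypothetical action name,
// parameter names and function names throughout.

// Pattern behind CWE-306/CWE-288: the handler is registered on the
// unauthenticated hook (wp_ajax_nopriv_) and trusts a username taken from
// the request, so any caller who knows a login name can pick the target.
function civi_example_change_password_unsafe() {
    $login = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $user  = get_user_by( 'login', $login );
    if ( $user ) {
        wp_set_password( (string) wp_unslash( $_POST['new_password'] ?? '' ), $user->ID );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_civi_change_password', 'civi_example_change_password_unsafe' );

// Hardened form: authenticated route only (AC-3), CSRF nonce, target user
// derived from the session rather than the request, and the existing
// authenticator re-verified before a new one is issued (IA-5).
function civi_example_change_password_safe() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }
    check_ajax_referer( 'civi_change_password', 'nonce' );

    $user    = wp_get_current_user();
    $current = (string) wp_unslash( $_POST['current_password'] ?? '' );
    $new     = (string) wp_unslash( $_POST['new_password'] ?? '' );

    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }

    // The only account that can be changed is the caller's own.
    wp_set_password( $new, $user->ID );
    wp_send_json_success();
}
// No wp_ajax_nopriv_ registration: the route does not exist for anonymous callers.
add_action( 'wp_ajax_civi_change_password', 'civi_example_change_password_safe' );
```

In a code review of a password-change or reset endpoint, the two questions this contrast highlights are whether the target user id comes from the session (or a verified reset token) rather than from request input, and whether the route is reachable on the nopriv hook at all.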

Details

CWE(s): CWE-288, CWE-306

Affected Products

uxper / civi, versions ≤ 2.1.4

CVEs Like This One

CVE-2024-13773 (same product: Uxper Civi)
CVE-2025-1283 (shared CWE-288, CWE-306)
CVE-2025-0159 (shared CWE-288, CWE-306)
CVE-2025-59367 (shared CWE-288, CWE-306)
CVE-2026-22731 (shared CWE-288, CWE-306)
CVE-2025-61673 (shared CWE-288, CWE-306)
CVE-2024-12876 (same vendor: Uxper)
CVE-2026-40630 (shared CWE-288)
CVE-2025-13539 (shared CWE-288)
CVE-2026-1453 (shared CWE-306)

References