Cyber Resilience

CVE-2024-13771

Critical

Published: 14 March 2025

Modified: 08 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13771 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Uxper Civi. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 5.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2024-13771 is an authentication bypass vulnerability affecting the Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress in all versions up to and including 2.1.4. The issue stems from a lack of user validation before changing a password, allowing attackers to reset passwords without proper authentication checks. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-288 and CWE-306.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. If an attacker knows the username of a target user, including administrators, they can change that user's password, potentially gaining full account takeover and control over the WordPress site.

Advisories and further details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/5ab2c74d-b83b-40ea-951c-83aeb76a7515?source=cve and the plugin's ThemeForest page at https://themeforest.net/item/civi-job-board-wordpress-theme/42770817. The vulnerability was published on 2025-03-14.

Vulnerability details

The Civi - Job Board & Freelance Marketplace WordPress Theme plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.1.4. This is due to a lack of user validation before changing a password. This makes it possible for unauthenticated attackers to change the password of arbitrary users, including administrators, if the attacker knows the username of the victim.

CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-306 (Missing Authentication for Critical Function)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authentication bypass in public-facing WordPress plugin enables remote unauthenticated exploitation for initial access and account takeover.

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

CVEs Like This One

CVE-2024-13773: same product (Uxper Civi)
CVE-2025-0159: shared CWE-288, CWE-306
CVE-2026-22731: shared CWE-288, CWE-306
CVE-2025-61673: shared CWE-288, CWE-306
CVE-2025-1283: shared CWE-288, CWE-306
CVE-2025-59367: shared CWE-288, CWE-306
CVE-2024-12876: same vendor (Uxper)
CVE-2026-3461: shared CWE-288
CVE-2025-67070: shared CWE-288
CVE-2026-42760: shared CWE-288

Affected Assets

Vendor: uxper
Product: civi
Versions: ≤ 2.1.4

Mitigating Controls (NIST 800-53 r5)

IA-5 Authenticator Management (prevent)
Requires verifying the identity of users before reissuing authenticators such as passwords, directly preventing unauthenticated password changes for arbitrary users.

AC-3 Access Enforcement (prevent)
Enforces approved access control policies to block unauthorized logical access to privileged functions such as changing other users' passwords.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, prioritization, and remediation of flaws like this authentication bypass through patching or removal of the affected plugin.
