Cyber Resilience

CVE-2024-13852

Severity: High
Published: 18 February 2025
Modified: 21 February 2025
CISA KEV: not listed
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0005 (16.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-13852 is a high-severity CSRF (CWE-352) vulnerability in the Option Editor WordPress plugin by Backie. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 16.0th percentile by exploit likelihood (EPSS, below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13852 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting version 1.0 of the Option Editor plugin for WordPress. The flaw arises from missing nonce validation in the plugin_page() function, which enables unauthorized modifications to WordPress site options. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into executing a forged request, such as clicking a malicious link. Successful exploitation allows attackers to update arbitrary WordPress options on the target site. This can be leveraged to enable user registration and change the default role for new registrants to administrator, enabling attackers to create administrative accounts and gain full control over the vulnerable site.

Advisories and related resources, including the Wordfence threat intelligence report, the plugin's developer page on WordPress.org, and the source code at line 70 of option-editor.php in the plugin's Trac repository, provide further details on the issue. Practitioners should consult these for guidance on remediation, such as plugin updates or deactivation.
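To make the root cause concrete, the following is an added illustration written for this page; it is not the Option Editor plugin's own code, and every function, option and field name in it (oe_demo_*) is an assumption. It contrasts the pattern the advisory describes, an admin page handler that writes POST data into WordPress options without a nonce check, with a hardened handler that ties the write to a nonce, a capability check and an allow-list of editable options:

```php
<?php
/*
 * Illustrative WordPress admin page handler (hypothetical, written for this
 * page; not the Option Editor plugin's real option-editor.php).
 * All oe_demo_* names, the form fields and the allow-list are assumptions.
 */

// Pattern the advisory describes: the handler trusts POST data and writes it
// straight to the options table. A forged cross-site form submitted by a
// logged-in administrator's browser passes every check here, because nothing
// proves the request originated from this plugin's own page.
function oe_demo_plugin_page_unsafe() {
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        update_option( $_POST['option_name'], $_POST['option_value'] );
    }
    // ... render the editing form ...
}

// Hardened pattern.
function oe_demo_plugin_page() {
    // 1. Capability check: only users allowed to manage options get this far.
    //    On its own this does NOT stop CSRF, because the forged request rides
    //    on the administrator's real session; it limits who can be targeted.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'oe-demo' ) );
    }

    if ( isset( $_POST['oe_demo_save'] ) ) {
        // 2. Nonce check: check_admin_referer() terminates the request with a
        //    403 when the token is missing or invalid. A cross-site page cannot
        //    read the per-user nonce, so forged submissions fail here.
        check_admin_referer( 'oe_demo_save_option', 'oe_demo_nonce' );

        // 3. Allow-list the options this page may edit. The request must never
        //    be able to name arbitrary options such as users_can_register or
        //    default_role; the advisory describes exactly that abuse.
        $allowed = array( 'blogdescription', 'oe_demo_setting' );

        $name  = isset( $_POST['option_name'] )
            ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
            : '';
        $value = isset( $_POST['option_value'] )
            ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
            : '';

        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, $value );
        }
    }

    // 4. Emit the nonce with the form so legitimate submissions carry it.
    ?>
    <form method="post">
        <?php wp_nonce_field( 'oe_demo_save_option', 'oe_demo_nonce' ); ?>
        <label>Option <input type="text" name="option_name"></label>
        <label>Value <input type="text" name="option_value"></label>
        <?php submit_button( 'Save', 'primary', 'oe_demo_save' ); ?>
    </form>
    <?php
}
```

The registration of the page via add_options_page() is omitted. The essential difference is step 2: wp_nonce_field() embeds a token bound to the current user and action, and check_admin_referer() rejects any submission that lacks it, which is the condition a forged request from another origin cannot satisfy. Step 3 is the defence-in-depth counterpart: even if a token check were bypassed, a handler that only accepts a fixed set of option names cannot be turned into a generic option writer.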

Vulnerability details

The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.

T1098 Account Manipulation (Persistence)
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The CSRF flaw in a public-facing WordPress plugin is triggered through a malicious link, which matches T1190. Tampering with site options then makes unauthorized account creation (T1136.001) and role manipulation (T1098) possible, yielding administrative access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2025-59891 (shared CWE-352)
- CVE-2024-13146 (shared CWE-352)
- CVE-2025-1687 (shared CWE-352)
- CVE-2026-24885 (shared CWE-352)
- CVE-2020-36908 (shared CWE-352)
- CVE-2024-55076 (shared CWE-352)
- CVE-2025-27910 (shared CWE-352)
- CVE-2025-25967 (shared CWE-352)
- CVE-2025-25907 (shared CWE-352)
- CVE-2026-33649 (shared CWE-352)

Affected Assets

Vendor: backie
Product: option editor
Versions: ≤ 1.0

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent)
Protects session authenticity using mechanisms such as nonces to prevent forged requests that bypass authentication and enable unauthorized option updates.

SI-10 Information Input Validation (prevent)
Validates information inputs such as nonce tokens in the plugin_page() function to block CSRF exploitation and arbitrary option modifications.

SI-2 Flaw Remediation (prevent)
Requires identification, reporting, and remediation of flaws such as the missing nonce validation in the vulnerable plugin to eliminate the CSRF vulnerability.
