CVE-2024-13852
Published: 18 February 2025
Summary
CVE-2024-13852 is a high-severity CSRF (CWE-352) vulnerability in Backie Option Editor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13852 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting version 1.0 of the Option Editor plugin for WordPress. The flaw arises from missing nonce validation in the plugin_page() function, which enables unauthorized modifications to WordPress site options. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into executing a forged request, such as clicking a malicious link. Successful exploitation allows attackers to update arbitrary WordPress options on the target site. This can be leveraged to enable user registration and change the default role for new registrants to administrator, enabling attackers to create administrative accounts and gain full control over the vulnerable site.
Advisories and related resources, including the Wordfence threat intelligence report, the plugin's developer page on WordPress.org, and the source code at line 70 of option-editor.php in the plugin's Trac repository, provide further details on the issue. Practitioners should consult these for guidance on remediation, such as plugin updates or deactivation.
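To make the root cause concrete, the following is a constructed illustration written for this page, not the Option Editor plugin's own code: a hypothetical WordPress options page that writes whatever option it is handed without a nonce check, beside a hardened version that ties the write to a nonce and a capability check. The function, form field, nonce action and page slug names are assumptions.

```php
<?php
// Constructed illustration of the CSRF pattern behind CVE-2024-13852
// (not the Option Editor plugin's code). Function, field and slug names are assumed.

// VULNERABLE: every POST carrying option_name/option_value is honoured. A logged-in
// administrator who submits a forged cross-site request updates the option, because
// the browser attaches the admin's session cookies and nothing proves the request
// originated from this page.
function vulnerable_plugin_page() {
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        update_option( sanitize_key( wp_unslash( $_POST['option_name'] ) ),
                       wp_unslash( $_POST['option_value'] ) );
    }
    echo '<form method="post">'
       . '<input name="option_name"><input name="option_value">'
       . '<button>Save</button></form>';
}

// HARDENED: a capability check alone does not stop CSRF (the victim already has the
// capability), so the write is additionally gated on a nonce bound to this action.
// check_admin_referer() calls wp_die() when the nonce is missing or invalid, so a
// forged request from another origin never reaches update_option().
function hardened_plugin_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        check_admin_referer( 'option_editor_save', '_option_editor_nonce' );
        update_option( sanitize_key( wp_unslash( $_POST['option_name'] ) ),
                       sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) );
    }
    echo '<form method="post">';
    // Emits the hidden nonce field that check_admin_referer() verifies above.
    wp_nonce_field( 'option_editor_save', '_option_editor_nonce' );
    echo '<input name="option_name"><input name="option_value">'
       . '<button>Save</button></form>';
}

// Register only the hardened page under Settings (slug is an assumption).
add_action( 'admin_menu', function () {
    add_options_page( 'Option Editor', 'Option Editor', 'manage_options',
                      'option-editor-demo', 'hardened_plugin_page' );
} );
```

Even the hardened form lets an administrator set any option; a production editor would also restrict writes to an allow-list of option names.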
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-4834
Vulnerability details
The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF flaw in this public-facing WordPress plugin is exploited directly through a malicious link (T1190); the resulting option tampering enables unauthorized account creation (T1136.001) and role/group manipulation (T1098) to obtain administrator access.
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): Protects session authenticity using mechanisms such as nonces to prevent forged requests that bypass authentication and enable unauthorized option updates.
- SI-10 (Information Input Validation): Validates information inputs, such as nonce tokens in the plugin_page() function, to block CSRF exploitation and arbitrary option modification.
- Flaw remediation: Requires identification, reporting, and remediation of flaws such as the missing nonce validation in the vulnerable plugin, eliminating the CSRF vulnerability.