Cyber Resilience

CVE-2024-13933

High

Published: 19 March 2025

Published
19 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0020 42.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13933 is a high-severity CSRF (CWE-352) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001); ranked at the 42.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-13933 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the FoodBakery | Delivery Restaurant Directory WordPress Theme for WordPress. It affects all versions up to and including 4.7. The flaw arises from missing or incorrect nonce validation in several functions, including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which submits a forged request. Successful exploitation enables attackers to delete arbitrary files, update theme options, export widget settings, import widget data, generate backups, restore backups, and reset theme options. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, no privileges required, and significant impacts on confidentiality, integrity, and availability.

Advisories provide further details on the vulnerability, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/45eda79d-f999-413e-88ce-b7d06f09f191?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331.

EU & UK References

Vulnerability details

The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings,…

more

ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. This makes it possible for unauthenticated attackers to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

CSRF vuln enables attacks via malicious links tricking admins (T1204.001) to perform actions including arbitrary file deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-25769Shared CWE-352
CVE-2024-57373Shared CWE-352
CVE-2025-28867Shared CWE-352
CVE-2025-28856Shared CWE-352
CVE-2026-39671Shared CWE-352
CVE-2026-41347Shared CWE-352
CVE-2025-25121Shared CWE-352
CVE-2025-24001Shared CWE-352
CVE-2025-25147Shared CWE-352
CVE-2026-34904Shared CWE-352

Affected Assets

Themeforest
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SC-23 mandates mechanisms such as anti-CSRF tokens to protect session authenticity against forged requests exploiting authenticated administrator sessions, directly addressing the missing nonce validation in the vulnerable functions.

prevent

SI-10 requires validation of critical inputs like nonce tokens in functions such as foodbakery_var_backup_file_delete and theme_option_save to block unauthorized administrative actions via CSRF.

prevent

IA-11 enforces re-authentication for sensitive operations like file deletion and theme option resets, preventing CSRF exploitation by requiring credentials beyond session cookies.

References