CVE-2024-13933
Published: 19 March 2025
Summary
CVE-2024-13933 is a high-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in the FoodBakery WordPress theme (vendor inferred from references as ThemeForest). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique User Execution: Malicious Link (T1204.001). The CVE ranks at the 42.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-13933 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the FoodBakery | Delivery Restaurant Directory WordPress Theme for WordPress. It affects all versions up to and including 4.7. The flaw arises from missing or incorrect nonce validation in several functions, including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which submits a forged request. Successful exploitation enables attackers to delete arbitrary files, update theme options, export widget settings, import widget data, generate backups, restore backups, and reset theme options. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, no privileges required, and significant impacts on confidentiality, integrity, and availability.
Advisories provide further details on the vulnerability, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/45eda79d-f999-413e-88ce-b7d06f09f191?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54111
Vulnerability details
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.7. This is due to missing or incorrect nonce validation on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions. This makes it possible for unauthenticated attackers to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability enables attacks that trick administrators into following malicious links (User Execution: Malicious Link, T1204.001), which can then trigger actions such as arbitrary file deletion (Indicator Removal: File Deletion, T1070.004).
Mitigating Controls (NIST 800-53 r5)
SC-23 mandates mechanisms such as anti-CSRF tokens to protect session authenticity against forged requests exploiting authenticated administrator sessions, directly addressing the missing nonce validation in the vulnerable functions.
SI-10 requires validation of critical inputs like nonce tokens in functions such as foodbakery_var_backup_file_delete and theme_option_save to block unauthorized administrative actions via CSRF.
IA-11 enforces re-authentication for sensitive operations like file deletion and theme option resets, preventing CSRF exploitation by requiring credentials beyond session cookies.
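The following PHP is an added illustration of the defect class described above and of the SC-23 and SI-10 controls applied to it. It is a constructed example, not code from the FoodBakery theme or from Wordfence: the handler name example_backup_file_delete, the script handle example-theme-admin, the JavaScript object exampleThemeAjax and the backup directory example-theme-backups are assumptions chosen for the example. The first handler shows the pattern the advisory describes, a privileged admin-ajax action gated only by the login cookie, which a forged cross-site request carries automatically. The second registers a nonce with the theme's admin script and verifies it, checks the caller's capability, and confines the file argument to one directory.

```php
<?php
/*
 * Constructed example (not the theme's own code): a WordPress theme AJAX
 * handler that deletes a backup file, first without and then with CSRF
 * protection. Handler and variable names are hypothetical.
 */

// ---------- Vulnerable pattern (for contrast; do not ship this) ----------
// wp_ajax_* hooks only require a logged-in user. Nothing here proves that the
// logged-in administrator intended this request, so a forged request from a
// third-party page is accepted. The raw path also permits ../ traversal.
add_action( 'wp_ajax_example_backup_file_delete_old', 'example_backup_file_delete_vulnerable' );
function example_backup_file_delete_vulnerable() {
    $file = $_POST['file'] ?? '';
    unlink( trailingslashit( wp_upload_dir()['basedir'] ) . $file );
    wp_send_json_success();
}

// ---------- Hardened version ----------
// 1. Issue a nonce to the theme's admin script (SC-23: session authenticity).
//    The script (hypothetical js/admin.js) must send it back as the
//    "security" POST field, e.g.:
//      jQuery.post(exampleThemeAjax.url, {
//          action: 'example_backup_file_delete',
//          security: exampleThemeAjax.nonce,
//          file: 'backup-2025-03-19.json'
//      });
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script(
        'example-theme-admin',
        get_template_directory_uri() . '/js/admin.js',
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'example-theme-admin', 'exampleThemeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_backup_file_delete' ),
    ) );
} );

add_action( 'wp_ajax_example_backup_file_delete', 'example_backup_file_delete_hardened' );
function example_backup_file_delete_hardened() {
    // 2. Nonce check: the nonce is bound to the action and the user session, so a
    //    forged cross-site request cannot supply it. check_ajax_referer() stops
    //    with HTTP 403 when the "security" field is missing or invalid.
    check_ajax_referer( 'example_backup_file_delete', 'security' );

    // 3. Capability check: the nonce proves intent, not authorization. Only
    //    administrators may delete theme backups.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 4. Input validation (SI-10): accept a bare file name and confirm the
    //    resolved path stays inside the theme's backup directory.
    $file = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $dir  = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'example-theme-backups' );
    $path = ( '' !== $file && false !== $dir ) ? realpath( $dir . DIRECTORY_SEPARATOR . $file ) : false;

    if ( false === $path || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // wp_delete_file() wraps unlink() and lets other code filter the path.
    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => basename( $path ) ) );
}
```

The same three steps apply to every handler the advisory lists (option save, widget export and import, backup generate and restore, option reset): each needs its own nonce action string, a capability check, and validation of whatever it reads from the request. A nonce alone is not a substitute for the capability check, because WordPress issues nonces to any logged-in user, including subscribers.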