CVE-2024-12920
Published: 19 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2024-12920 is a high-severity vulnerability (CVSS 8.8) in the FoodBakery | Delivery Restaurant Directory WordPress Theme for WordPress, affecting all versions up to and including 4.7. It arises from missing capability checks on functions including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all, enabling unauthorized data access and modification (CWE-862).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Exploitation allows attackers to delete arbitrary files, update or reset theme options, export widget settings, import widget data, generate backups, and restore backups, potentially leading to high confidentiality, integrity, and availability impacts.
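The bug class described above, as an added PHP example that is not the FoodBakery theme's own code: a hypothetical theme AJAX handler (function name, action name and backup directory are placeholders) reachable by every logged-in user with no capability check, beside the same handler gated on `current_user_can()` and a nonce.

```php
<?php
// Hypothetical handler modelled on the CWE-862 pattern behind CVE-2024-12920.
// Not the FoodBakery theme's code; all names below are placeholders.

// BEFORE: a wp_ajax_* hook fires for every authenticated user, Subscribers
// included, and the callback trusts the request without checking who sent it.
// (Registration shown as a comment so both handlers can coexist in one file.)
// add_action( 'wp_ajax_example_theme_backup_delete', 'example_theme_backup_delete_unchecked' );
function example_theme_backup_delete_unchecked() {
    $file = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-theme-backups/';
    if ( $file && file_exists( $dir . $file ) ) {
        unlink( $dir . $file );  // any Subscriber-level account can delete backups
    }
    wp_send_json_success();
}

// AFTER: same action, now gated on a capability and a nonce, with the target
// path confined to the backup directory.
add_action( 'wp_ajax_example_theme_backup_delete', 'example_theme_backup_delete' );
function example_theme_backup_delete() {
    // 1. Capability check: only users allowed to manage theme settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Nonce check so an administrator cannot be CSRF'd into the action
    //    (check_ajax_referer() dies on failure).
    check_ajax_referer( 'example_theme_backup', 'nonce' );

    $file = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $dir  = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-theme-backups/';
    $path = realpath( $dir . $file );
    // 3. Confine to the backup directory: sanitize_file_name() already removes
    //    slashes, and the realpath() prefix check makes the boundary explicit.
    if ( false === $path || 0 !== strpos( $path, realpath( $dir ) . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    unlink( $path );
    wp_send_json_success();
}
```

When auditing a theme for this pattern, list every `add_action( 'wp_ajax_...' )` registration and confirm each callback performs a capability check and a nonce check before touching files or options; a `wp_ajax_nopriv_` registration on the same callback widens exposure to unauthenticated requests.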
Advisories from Wordfence and the theme's ThemeForest page provide additional details on the issue, though no specific patched version is detailed in available information. Security practitioners should review these sources for mitigation guidance and monitor for theme updates.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in a public-facing WordPress theme, so it is reached via T1190 (Exploit Public-Facing Application); it permits arbitrary file deletion, mapped to T1070.004 (File Deletion); and it allows manipulation of stored data, including theme options, backups, and widget data, mapped to T1565.001 (Stored Data Manipulation).