CVE-2024-13373
Published: 01 March 2025
Description
The Exertio Framework plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.1. This is due to the plugin not properly validating a user's identity prior to updating their password through the fl_forgot_pass_new() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Security Summary
CVE-2024-13373 is a privilege escalation vulnerability via account takeover in the Exertio Framework plugin for WordPress, affecting all versions up to and including 1.3.1. The issue arises because the plugin fails to properly validate a user's identity before updating their password through the fl_forgot_pass_new() function. Published on 2025-03-01, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-620 (Unverified Password Change).
Unauthenticated attackers can exploit this vulnerability remotely with high attack complexity, requiring no privileges or user interaction. Successful exploitation allows them to change the passwords of arbitrary users, including administrators, enabling full account takeover and potential complete compromise of the affected WordPress site.
Mitigation guidance is available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/897ce9a9-8b3e-40bc-9815-c55cc7a838f9?source=cve and the plugin's product page on ThemeForest at https://themeforest.net/item/exertio-freelance-marketplace-wordpress-theme/30602587.
Details
- CWE(s)