CVE-2024-13376

CVE-2024-13376 affects the Industrial theme for WordPress, specifically due to a missing capability check on the _ajax_get_total_content_import_items() function. This vulnerability allows unauthorized modification of data, leading to privilege escalation, in all versions up to and including 1.7.8. It has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-269 (Improper Privilege Management). The issue was published on March 14, 2025.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By abusing the flawed AJAX function, they can update arbitrary WordPress options, such as changing the default role for new user registrations to administrator and enabling open registration. This enables attackers to create accounts with full administrative privileges on the targeted site.

Advisories from Wordfence provide detailed threat intelligence on the vulnerability, while the theme's page on ThemeForest offers additional context on the Industrial theme. Security practitioners should review these resources for patch information and update to a fixed version of the theme if available.