CVE-2024-13412
Published: 19 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13412 affects the CozyStay theme for WordPress, specifically due to a missing capability check on the ajax_handler function in all versions up to and including 1.7.0. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized modification of data, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N). It was published on 2025-03-19.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows attackers to execute arbitrary actions on the targeted WordPress site, resulting in high integrity impacts through unauthorized data modifications.
Advisories reference the CozyStay theme changelog on ThemeForest and Wordfence threat intelligence for details on mitigation. Security practitioners should update the CozyStay theme to a version beyond 1.7.0 where the capability check has been implemented.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a missing authorization check in a public-facing WordPress theme's AJAX handler, directly enabling remote unauthenticated exploitation of a web application for unauthorized data modification.