Cyber Posture

CVE-2024-13643

Severity: High

Published: 11 February 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (25.4th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.

Security Summary

CVE-2024-13643 is a vulnerability in the Zox News - Professional WordPress News & Magazine Theme plugin for WordPress, affecting all versions up to and including 3.17.0. It stems from missing capability checks on the backup_options() and reset_options() functions, enabling unauthorized data modification. This flaw, classified under CWE-862 (Missing Authorization), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-02-11.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to update or delete arbitrary WordPress option values. By modifying site options, they can escalate privileges—for instance, by setting the default user role for registration to Administrator and enabling user registration, thereby gaining administrative control. Attackers can also delete critical options, leading to errors that disrupt site functionality and cause denial-of-service conditions for legitimate users.
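The CWE-862 pattern the advisory describes, shown as an added illustration rather than the Zox News theme's own code (which this page does not reproduce): a WordPress admin-ajax handler that writes options without a capability check, beside a hardened version. The hook names, function names, nonce action and option allow-list are assumed.

```php
<?php
// Added illustration of the missing-authorization pattern behind CVE-2024-13643.
// NOT the theme's real backup_options()/reset_options(); all names are assumed.

// Vulnerable shape. wp_ajax_* actions fire for every logged-in user, Subscribers
// included, so with no capability check any account can rewrite site options
// (the advisory names default_role and users_can_register as the ones that matter).
add_action( 'wp_ajax_zox_reset_options_v1', 'zox_reset_options_vulnerable' );
function zox_reset_options_vulnerable() {
    $name  = sanitize_key( $_POST['option'] ?? '' );
    $value = wp_unslash( $_POST['value'] ?? '' );
    update_option( $name, $value );   // arbitrary option name and value accepted
    wp_send_json_success();
}

// Hardened shape: require manage_options, verify a nonce, and only touch an
// allow-list of the theme's own option keys instead of any option the caller names.
add_action( 'wp_ajax_zox_reset_options_v2', 'zox_reset_options_hardened' );
function zox_reset_options_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 );   // ends the request
    }
    check_ajax_referer( 'zox_options_nonce', 'nonce' );         // dies on failure

    $allowed = array( 'zox_layout', 'zox_logo' );                // assumed theme keys
    $name    = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option_not_permitted', 400 );
    }
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
```

Site operators checking for the abuse this advisory describes can confirm the two options it names are unchanged with `wp option get default_role` and `wp option get users_can_register` (WP-CLI).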

Advisories and further details are available from sources including the MVP Themes website at https://mvpthemes.com/zoxnews/, the ThemeForest product page at https://themeforest.net/item/zox-news-professional-wordpress-news-magazine-theme/20381541, and Wordfence's threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/4adb7436-11e6-4512-b6c9-551402909bf0?source=cve.

Details

CWE(s)
CWE-862

References