CVE-2024-13655
Published: 07 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-13655 is a vulnerability in the Flex Mag - Responsive WordPress News Theme for WordPress, affecting all versions up to and including 3.5.2. It arises from a missing capability check in the propanel_of_ajax_callback() function, enabling unauthorized modification of data that can result in a denial of service. The issue, published on 2025-03-07, carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is classified under CWE-862 (Missing Authorization).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. They can delete arbitrary option values on the WordPress site, which can be leveraged to target specific options that trigger site errors, thereby denying service to legitimate users.
Advisories and further details are available from references including the theme's page on ThemeForest (https://themeforest.net/item/flex-mag-responsive-wordpress-news-theme/12772303) and Wordfence threat intelligence (https://www.wordfence.com/threat-intel/vulnerabilities/id/23f53ff1-f0bc-4ad3-9b9e-cf365f064066?source=cve).
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability in public-facing WordPress theme allows authenticated attackers to delete arbitrary options via missing authorization check, directly enabling exploitation of the web application (T1190) to achieve denial of service through application/system exploitation (T1499.004).