CVE-2024-13656
Published: 12 February 2025
Description
The Click Mag - Viral WordPress News Magazine/Blog Theme theme for WordPress is vulnerable to unauthorized modification of data that can lead to a denial of service due to a missing capability check on the propanel_of_ajax_callback() function in all versions up to, and including, 3.6.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary option values on the WordPress site. This can be leveraged to delete an option that would create an error on the site and deny service to legitimate users.
Security Summary
CVE-2024-13656 is a vulnerability in the Click Mag - Viral WordPress News Magazine/Blog Theme for WordPress, affecting all versions up to and including 3.6.0. It stems from a missing capability check in the propanel_of_ajax_callback() function, enabling unauthorized modification of data (CWE-862). The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), rated High due to its potential for integrity and availability impacts.
Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By leveraging the flawed AJAX callback, they can delete arbitrary WordPress option values, which may trigger site errors and result in a denial of service for legitimate users.
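The root cause described above is a WordPress admin-ajax handler that performs a privileged action (deleting an option) without first verifying the caller's capability. The following is an added illustration, not the Click Mag theme's own code and not the actual propanel_of_ajax_callback() implementation: it shows the hardened shape of such a handler, with the capability check whose absence is CWE-862, a nonce check against cross-site request forgery, and an allow-list so that not even an administrator can name an arbitrary core option for deletion. The action name, function names, nonce name, script handle and option names are hypothetical placeholders.

```php
<?php
// Added illustration (not the Click Mag theme's code): a WordPress admin-ajax
// handler that deletes an option, written in the hardened form that addresses
// CWE-862. All names below are hypothetical placeholders.

// Register the handler for logged-in users only ("wp_ajax_" prefix, no
// "wp_ajax_nopriv_" variant). Being logged in is not an authorization check:
// a subscriber reaches this hook just like an administrator does.
add_action( 'wp_ajax_example_panel_delete_option', 'example_panel_delete_option_callback' );

function example_panel_delete_option_callback() {
    // 1. Capability check. Option management is an administrator action, so
    //    require manage_options. This is the check whose absence lets any
    //    subscriber-level account reach delete_option() in CVE-2024-13656.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() emits the response and calls wp_die().
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 2. Nonce check. A capability check alone still allows a forged request
    //    riding on an administrator's session; the nonce ties the request to
    //    a page this plugin rendered for that user.
    check_ajax_referer( 'example_panel_nonce', 'nonce' );

    // 3. Allow-list. Only the options this panel owns may be deleted, so a
    //    request cannot target core options such as siteurl or active_plugins,
    //    whose removal is what turns this into a denial of service.
    $allowed = array( 'example_panel_settings', 'example_panel_cache' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';

    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Option not permitted' ), 400 );
    }

    delete_option( $option );
    wp_send_json_success( array( 'deleted' => $option ) );
}

// Server side of the nonce: generate it when enqueuing the panel's script
// (assumes a script registered under the hypothetical handle 'example-panel').
function example_panel_enqueue_scripts() {
    wp_localize_script( 'example-panel', 'examplePanel', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_panel_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_panel_enqueue_scripts' );
```

When reviewing a theme or plugin for this class of bug, look at every callback attached to a wp_ajax_ or wp_ajax_nopriv_ hook and confirm that each one calls current_user_can() with a capability proportionate to the action before it touches options, posts or files; check_ajax_referer() is necessary but does not substitute for that check, because a nonce is issued to any logged-in user who can load the page that generates it.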
Advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/ee5df5fe-4213-4d36-aa8f-7eb2710c32b6?source=cve, provide detailed analysis. The theme's page on ThemeForest at https://themeforest.net/item/click-mag-viral-wordpress-news-magazineblog-theme/18081003 offers additional context on the software.
Details
- CWE(s): CWE-862 (Missing Authorization)