Cyber Posture

CVE-2024-13801

High

Published: 26 March 2025

Published
26 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS Score 0.0013 31.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2024-13801 is a vulnerability in the BWL Advanced FAQ Manager plugin for WordPress, affecting all versions up to and including 2.1.4. It stems from a missing capability check on the 'baf_set_notice_status' AJAX action (CWE-862), enabling unauthorized modification of data that can result in denial of service. The issue has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), highlighting high integrity and availability impacts with no confidentiality loss.

Authenticated attackers possessing Subscriber-level access or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By sending crafted AJAX requests, they can update WordPress option values to '1', potentially triggering site errors that deny service to legitimate users or enabling unintended features such as registration.

Advisories and further details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/b3a84201-6cd8-4528-ae7a-7fd813c8da18?source=cve and the plugin's Codecanyon page at https://codecanyon.net/item/bwl-advanced-faq-manager/5007135.

Details

CWE(s)
CWE-862

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Vulnerability in public-facing WordPress plugin allows authenticated exploitation via crafted AJAX requests for unauthorized option modification and DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References