Cyber Posture

CVE-2024-13852

Severity: High

Published: 18 February 2025
Modified: 21 February 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0005 (15.4th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The Option Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in version 1.0. This is due to missing nonce validation on the plugin_page() function. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.

Security Summary

CVE-2024-13852 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting version 1.0 of the Option Editor plugin for WordPress. The flaw arises from missing nonce validation in the plugin_page() function, which enables unauthorized modifications to WordPress site options. Published on 2025-02-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and potential for significant impact.

Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into executing a forged request, such as clicking a malicious link. Successful exploitation allows attackers to update arbitrary WordPress options on the target site. This can be leveraged to enable user registration and change the default role for new registrants to administrator, enabling attackers to create administrative accounts and gain full control over the vulnerable site.

Advisories and related resources, including the Wordfence threat intelligence report, the plugin's developer page on WordPress.org, and the source code at line 70 of option-editor.php in the plugin's Trac repository, provide further details on the issue. Practitioners should consult these for guidance on remediation, such as plugin updates or deactivation.
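To illustrate the missing-nonce pattern the summary describes and the standard WordPress fix for it, here is an added PHP example written for this page; it is not the Option Editor plugin's own code. The function names optedit_page_weak() and optedit_page_hardened(), the form field names and the nonce action string are all hypothetical.

```php
<?php
// Hypothetical reconstruction of the CSRF pattern described on this page (constructed
// for illustration, not the plugin's actual code). Names below are illustrative.

// --- Weak pattern: the options page handler acts on any POST that reaches it. ---
// A cross-site form submitted by a logged-in administrator's browser carries the
// admin's session cookies, so the request looks authenticated even though the
// administrator never intended it. Nothing here proves the request came from
// the plugin's own form.
function optedit_page_weak() {
    if ( isset( $_POST['option_name'], $_POST['option_value'] ) ) {
        update_option( $_POST['option_name'], $_POST['option_value'] ); // no nonce check
    }
    // ... render form ...
}

// --- Hardened pattern: capability check, nonce check, and input sanitization. ---
function optedit_page_hardened() {
    // Only users who may manage options should reach this logic at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    if ( isset( $_POST['optedit_submit'] ) ) {
        // check_admin_referer() validates the nonce emitted by wp_nonce_field() below
        // and stops execution if it is missing or invalid. A page on another origin
        // cannot read the nonce, so a forged submission fails here.
        check_admin_referer( 'optedit_update_option', 'optedit_nonce' );

        $name  = sanitize_text_field( wp_unslash( $_POST['option_name'] ) );
        $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ) );
        // Further hardening: restrict $name to an allowlist of options the page is
        // meant to edit, so that settings such as default_role cannot be changed here.
        update_option( $name, $value );
    }

    // Render the form with a nonce bound to this specific action.
    echo '<form method="post">';
    wp_nonce_field( 'optedit_update_option', 'optedit_nonce' );
    echo '<input type="text" name="option_name">';
    echo '<input type="text" name="option_value">';
    echo '<input type="submit" name="optedit_submit" value="Save">';
    echo '</form>';
}
```

The capability check alone does not stop CSRF, because the forged request runs with the administrator's own session; the nonce is what ties the request to the plugin's form.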

Details

CWE(s): CWE-352

Affected Products

Vendor: backie
Product: option editor
Versions: ≤ 1.0

References