CVE-2024-13933
Published: 19 March 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2024-13933 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, in the FoodBakery | Delivery Restaurant Directory WordPress Theme for WordPress. It affects all versions up to and including 4.7. The flaw arises from missing or incorrect nonce validation in several functions, including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all.
Unauthenticated attackers can exploit this vulnerability by tricking a site administrator into performing an action, such as clicking on a malicious link, which submits a forged request. Successful exploitation enables attackers to delete arbitrary files, update theme options, export widget settings, import widget data, generate backups, restore backups, and reset theme options. The CVSS v3.1 base score is 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low complexity, no privileges required, and significant impacts on confidentiality, integrity, and availability.
Advisories provide further details on the vulnerability, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/45eda79d-f999-413e-88ce-b7d06f09f191?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331.
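The root cause described above is a state-changing admin-ajax handler that never checks a WordPress nonce, so a logged-in administrator's browser can be made to submit the request from a page the attacker controls. The following is an added illustration, not the FoodBakery theme's code: a hypothetical backup-file delete handler shown first without nonce validation and then with the nonce, capability and path checks WordPress core provides (`check_ajax_referer`, `current_user_can`, `sanitize_file_name`). All function and action names (`example_backup_delete*`, `example_render_delete_link`) are assumptions made for the example.

```php
<?php
// Added example (not the theme's code). Demonstrates the missing-nonce
// pattern behind a CSRF finding and the hardened equivalent. Names are
// hypothetical.

// --- Vulnerable pattern: the handler trusts any request that reaches it. ---
// A browser logged in as an administrator attaches the admin cookies to a
// request forged from another site, so "the user is logged in" is not proof
// that the administrator intended this action. Shown for contrast only; it is
// deliberately NOT registered with add_action() below.
function example_backup_delete_unprotected() {
    $file = isset( $_POST['file'] ) ? $_POST['file'] : '';
    $path = trailingslashit( wp_upload_dir()['basedir'] ) . 'backups/' . $file;
    if ( file_exists( $path ) ) {
        unlink( $path );
    }
    wp_send_json_success();
}

// --- Hardened pattern: nonce check, capability check, input restriction. ---
function example_backup_delete_protected() {
    // 1. Nonce: proves the request came from a link or form this site rendered
    //    for this user. check_ajax_referer() reads the 'nonce' request field and
    //    terminates with a 403 ("-1") when it is missing, expired or wrong.
    check_ajax_referer( 'example_backup_delete', 'nonce' );

    // 2. Capability: a valid nonce does not authorise by itself; the user must
    //    also hold the right to manage theme options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input: strip directory components from the name and confirm the
    //    resolved path really sits inside the backups directory, so the
    //    handler can only ever remove a backup the theme itself created.
    $file = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $dir  = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'backups' );
    $real = ( '' !== $file && false !== $dir ) ? realpath( $dir . DIRECTORY_SEPARATOR . $file ) : false;

    if ( false === $real || ! is_file( $real )
        || 0 !== strpos( $real, $dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    unlink( $real );
    wp_send_json_success( array( 'deleted' => $file ) );
}

// Only the protected handler is wired up. No 'wp_ajax_nopriv_' hook is added,
// so anonymous callers get admin-ajax's default "0" response; the nonce is
// what stops a forged request riding on an administrator's session.
add_action( 'wp_ajax_example_backup_delete', 'example_backup_delete_protected' );

// The admin page that offers the delete link must embed the matching nonce,
// otherwise the legitimate UI would fail the check too.
function example_render_delete_link( $file ) {
    $url = add_query_arg(
        array(
            'action' => 'example_backup_delete',
            'file'   => rawurlencode( $file ),
            'nonce'  => wp_create_nonce( 'example_backup_delete' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
    return '<a href="' . esc_url( $url ) . '">' . esc_html__( 'Delete backup', 'example' ) . '</a>';
}
```

The same three checks apply to every handler class named in the summary (option save, widget export/import, backup generate/restore, reset): a nonce tied to the specific action, a capability check, and validation of whatever filename or option payload the request carries. When auditing a theme, grep its `wp_ajax_*` and `admin_post_*` callbacks for the absence of `check_ajax_referer` / `check_admin_referer` / `wp_verify_nonce` before any state change.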
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)
MITRE ATT&CK Enterprise Techniques
- T1204.001 (User Execution: Malicious Link)
- T1070.004 (Indicator Removal: File Deletion)
Why these techniques?
The CSRF vulnerability is exploited through malicious links that trick administrators into issuing the forged request (T1204.001); among the actions that request can trigger is arbitrary file deletion (T1070.004).