CVE-2024-13420

Smart Framework <= Multiple Plugins - Missing Authorization to Authenticated (Subscriber+) Settings Updates

Description

Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable.

References

Link	Tags
https://www.wordfence.com/threat-intel/vulnerabilities/id/6d484422-4adf-4370-b228-61496d5ad78a?source=cve	third party advisory
https://themeforest.net/item/beyot-wordpress-real-estate-theme/19514964	product

Frequently Asked Questions

What is the severity of CVE-2024-13420?: CVE-2024-13420 has been scored as a medium severity vulnerability.
How to fix CVE-2024-13420?: To fix CVE-2024-13420, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-13420 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-13420 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-13420?: CVE-2024-13420 affects G5Theme Benaa Framework, G5Theme April Framework, G5Theme Beyot Framework, G5Theme Auteur Framework.

Description

Categories

CWE-94 – Improper Control of Generation of Code ('Code Injection')

CWE-862 – Missing Authorization

References

Frequently Asked Questions