CVE-2024-13933

Name of the Vulnerable Software and Affected Versions FoodBakery | Delivery Restaurant Directory WordPress Theme versions up to 4.7

Description The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on several functions, including foodbakery var backup file delete, foodbakery widget file delete, theme option save, export widget settings, ajax import widget data, foodbakery var settings backup generate, foodbakery var backup file restore, and theme option rest all. This allows unauthenticated attackers to perform various actions, such as deleting arbitrary files, updating theme options, exporting and importing widget options, generating and restoring backups, and resetting theme options, by tricking a site administrator into performing an action.

Recommendations For FoodBakery | Delivery Restaurant Directory WordPress Theme versions up to 4.7, update to a version that includes the necessary nonce validation to prevent Cross-Site Request Forgery attacks. As a temporary workaround, consider restricting access to the vulnerable functions, such as foodbakery var backup file delete, foodbakery widget file delete, theme option save, export widget settings, ajax import widget data, foodbakery var settings backup generate, foodbakery var backup file restore, and theme option rest all, until a patch is available.