CVE-2024-13801

Name of the Vulnerable Software and Affected Versions BWL Advanced FAQ Manager plugin for WordPress versions up to and including 2.1.4

Description The issue allows for unauthorized modification of data, potentially leading to a denial of service. This is due to a missing capability check on the baf set notice status AJAX action. Authenticated attackers with Subscriber-level access or higher can update option values to 1 on the WordPress site. This can be exploited to create an error on the site, denying service to legitimate users, or to set certain values to true, such as registration.

Recommendations For versions up to and including 2.1.4, update to a version higher than 2.1.4 to resolve the issue. As a temporary workaround, consider restricting access to the baf set notice status AJAX action to prevent unauthorized modifications.