CVE-2024-13643

Name of the Vulnerable Software and Affected Versions: Zox News - Professional WordPress News & Magazine Theme plugin for WordPress versions up to and including 3.17.0

Description: The vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup options() and reset options() functions. This allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site, potentially gaining administrative access or disrupting site functionality.

Recommendations: For Zox News - Professional WordPress News & Magazine Theme plugin for WordPress versions up to and including 3.17.0, update to a version later than 3.17.0 to resolve the issue. As a temporary workaround, consider restricting access to the backup options() and reset options() functions to minimize the risk of exploitation. Additionally, restrict the ability of subscribers to update or delete option values to prevent potential attacks.