CVE-2024-13653

Name of the Vulnerable Software and Affected Versions The ZoxPress - The All-In-One WordPress News Theme versions up to, and including, 2.12.0

Description The issue allows unauthorized modification of data, leading to privilege escalation due to a missing capability check on the backup options function. This enables authenticated attackers with Subscriber-level access and above to update arbitrary options on the WordPress site, potentially updating the default role for registration to administrator and enabling user registration for attackers to gain administrative user access.

Recommendations For versions up to, and including, 2.12.0, update to a version that includes a fix for the missing capability check on the backup options function to prevent unauthorized modification of data. As a temporary workaround, consider restricting access to the backup options function until a patch is available. Restrict user registration and closely monitor user role assignments to minimize the risk of exploitation.