CVE-2024-13852

Name of the Vulnerable Software and Affected Versions Option Editor plugin for WordPress version 1.0

Description The issue is due to missing nonce validation on the plugin page() function, making it possible for unauthenticated attackers to update arbitrary options on the WordPress site via a forged request. This can be leveraged to update the default role for registration to administrator and enable user registration, allowing attackers to gain administrative user access to a vulnerable site.

Recommendations For version 1.0, consider disabling the plugin page() function until a patch is available to prevent exploitation. Additionally, restrict access to the plugin's settings to minimize the risk of unauthorized changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.