PT-2025-9157 · WordPress · Exertio Framework

Author: Foxyyy
Published: 2025-03-01 · Updated: 2025-03-06
CVE-2024-13373

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Exertio Framework plugin for WordPress, versions prior to 1.3.2

Description
The issue allows privilege escalation via account takeover due to improper validation of a user's identity before updating their password through the fl_forgot_pass_new() function. This enables unauthenticated attackers to change arbitrary users' passwords, including administrators', and gain access to their accounts.

Recommendations
For versions prior to 1.3.2, update to version 1.3.2 or later to resolve the issue. As a temporary workaround, consider disabling the fl_forgot_pass_new() function until a patch is available. Restrict access to password update functionality to minimize the risk of exploitation.

Tags: Fix, LPE


Related Identifiers: CVE-2024-13373
Affected Products: Exertio Framework