
CVE-2024-12920: CWE-862 Missing Authorization in Chimpstudio FoodBakery | Delivery Restaurant Directory WordPress Theme

Severity: High
Tags: Vulnerability, CVE-2024-12920, CWE-862
Published: Wed Mar 19 2025 (03/19/2025, 11:10:38 UTC)
Source: CVE Database V5
Vendor/Project: Chimpstudio
Product: FoodBakery | Delivery Restaurant Directory WordPress Theme

Description

CVE-2024-12920 is a high-severity vulnerability affecting all versions of the FoodBakery Delivery Restaurant Directory WordPress Theme by Chimpstudio. It stems from missing authorization checks in multiple theme functions, allowing authenticated users with Subscriber-level access or higher to perform unauthorized actions. These actions include deleting arbitrary files, modifying theme options, exporting and importing widget settings, generating and restoring backups, and resetting theme options. The vulnerability does not require user interaction and can be exploited remotely over the network. Although no known exploits are currently reported in the wild, the impact on confidentiality, integrity, and availability is severe. Organizations using this theme on WordPress sites are at risk of data loss, site defacement, or persistent unauthorized configuration changes. Immediate mitigation involves restricting user roles, monitoring for suspicious activity, and applying patches once available. Countries with significant WordPress usage and e-commerce or restaurant delivery sectors are most at risk.

AI-Powered Analysis

Last updated: 02/26/2026, 02:12:31 UTC

Technical Analysis

CVE-2024-12920 is a critical authorization bypass vulnerability categorized under CWE-862 (Missing Authorization) in the FoodBakery Delivery Restaurant Directory WordPress Theme developed by Chimpstudio. The vulnerability affects all versions up to and including 4.7. It arises because several theme functions—namely foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all—lack proper capability checks. This flaw enables any authenticated user with at least Subscriber-level privileges to perform unauthorized operations such as deleting arbitrary files on the server, modifying theme options, exporting and importing widget configurations, generating and restoring backups, and resetting theme options. Exploitation requires no user interaction and can be performed remotely over the network, increasing the attack surface. The vulnerability has a CVSS v3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the ease of exploitation combined with the broad scope of affected functions makes this a significant threat to WordPress sites using this theme, especially those with multiple user roles and lower privilege accounts. The absence of patches at the time of reporting further exacerbates the risk.
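The CWE-862 pattern described above, shown as an added illustration rather than the FoodBakery theme's own code: a WordPress AJAX handler that deletes a backup file with no capability check, beside a hardened version. The `demo_*` action, function and directory names are hypothetical; the WordPress API calls (`current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `sanitize_file_name`, `wp_upload_dir`, `wp_delete_file`) are real.

```php
<?php
/**
 * Added illustration of the missing-authorization pattern (not the theme's code).
 * The `wp_ajax_*` hook fires for EVERY authenticated user, Subscribers included,
 * so registering a handler on it provides no authorization by itself.
 */

// --- Vulnerable pattern (hypothetical handler): reachable by any logged-in user.
add_action( 'wp_ajax_demo_backup_file_delete', 'demo_backup_file_delete_vulnerable' );
function demo_backup_file_delete_vulnerable() {
    $file = $_POST['file'] ?? '';
    // No current_user_can(), no nonce, no path confinement: a Subscriber can
    // delete arbitrary files the web server user may write to.
    if ( $file && file_exists( $file ) ) {
        unlink( $file );
    }
    wp_send_json_success();
}

// --- Hardened pattern: authorization, CSRF nonce, and path confinement.
add_action( 'wp_ajax_demo_backup_file_delete_safe', 'demo_backup_file_delete_safe' );
function demo_backup_file_delete_safe() {
    // 1. Authorization: only users who may manage site/theme settings.
    //    wp_send_json_error() calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the nonce must have been issued with wp_create_nonce( 'demo_backup_delete' ).
    check_ajax_referer( 'demo_backup_delete', 'nonce' );

    // 3. Input: accept a bare file name only and confine it to the backup directory.
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $base = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'demo-backups' );
    if ( '' === $name || false === $base ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    $path = realpath( $base . DIRECTORY_SEPARATOR . $name );
    // realpath() resolves "..", symlinks and missing files (false), so the prefix
    // test below is a real containment check, not a string-prefix heuristic.
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_delete_file( $path );
    wp_send_json_success( array( 'deleted' => $name ) );
}
```

The same three checks apply to each of the other functions the advisory lists (option save, widget export/import, backup generate/restore, options reset): the capability test is the one that closes CWE-862, the nonce stops cross-site request forgery against an administrator's session, and input confinement limits damage if the first two are ever bypassed. `manage_options` is a reasonable choice for theme-management actions; `edit_theme_options` is the narrower capability WordPress itself uses for the Customizer and widgets.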

Potential Impact

The impact of CVE-2024-12920 is substantial for organizations using the FoodBakery WordPress theme. Attackers holding only a low-privilege account can cause damage far beyond their role by deleting critical files, potentially causing denial of service or site downtime. Unauthorized modification of theme options and widget settings can lead to website defacement, loss of business continuity, or insertion of malicious content. The ability to generate and restore backups without authorization could allow attackers to revert security configurations or inject malicious backups, complicating recovery efforts. Confidential data stored or displayed by the theme could be exposed or altered, undermining user trust and regulatory compliance. The vulnerability threatens the availability, integrity, and confidentiality of affected websites, which can result in financial losses, reputational damage, and legal consequences. Given the widespread use of WordPress and the popularity of restaurant directory themes, the threat has a broad potential impact globally.

Mitigation Recommendations

To mitigate CVE-2024-12920, organizations should immediately audit user roles and restrict Subscriber-level or higher access to trusted users only, minimizing exposure. Disable or limit the use of vulnerable theme functions where possible until a patch is released. Implement strict monitoring and logging of theme option changes, file deletions, and backup operations to detect suspicious activities early. Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized requests targeting the vulnerable functions. Regularly back up website data and store backups offline to prevent tampering. Engage with the theme vendor or community to obtain or develop patches and apply them promptly once available. Consider isolating the WordPress environment and applying the principle of least privilege to all user accounts. Additionally, conduct penetration testing focused on authorization controls to identify and remediate similar weaknesses in other plugins or themes.
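One way to implement the monitoring the recommendations call for (logging of admin-ajax actions, theme option changes and file deletions, attributed to the acting user and role), as an added example that is not part of the advisory or the theme. It is a must-use plugin; the `demo_audit_*` names are hypothetical, while the hooks it uses (`admin_init`, `updated_option`, the `wp_delete_file` filter) and helpers (`wp_doing_ajax`, `wp_get_current_user`, `get_template`) are standard WordPress.

```php
<?php
/**
 * Plugin Name: Demo Authorization Audit Log (added example, not the theme's code)
 * Install by copying into wp-content/mu-plugins/. Writes via error_log(), which
 * lands in wp-content/debug.log when WP_DEBUG and WP_DEBUG_LOG are enabled.
 */

// Every admin-ajax.php request: record action, user, roles and source IP.
// A non-administrator invoking a theme-management action is the signal to alert on.
add_action( 'admin_init', 'demo_audit_log_ajax_action' );
function demo_audit_log_ajax_action() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $user   = wp_get_current_user();
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    $roles  = $user->ID ? implode( ',', $user->roles ) : 'anonymous';
    // Mark requests from accounts that should never touch theme settings.
    $level  = current_user_can( 'manage_options' ) ? 'info' : 'WARN';
    demo_audit_write( sprintf(
        '[%s] ajax action=%s user=%s roles=%s ip=%s',
        $level, $action, $user->user_login ?: '-', $roles, demo_audit_client_ip()
    ) );
}

// Theme option changes: theme_mods_<template> plus any option carrying the
// active theme's slug (theme-specific option names vary, so match loosely).
add_action( 'updated_option', 'demo_audit_log_option_change', 10, 3 );
function demo_audit_log_option_change( $option, $old_value, $value ) {
    $slug = get_template();
    if ( $option !== "theme_mods_{$slug}" && false === strpos( $option, $slug ) ) {
        return;
    }
    $user = wp_get_current_user();
    demo_audit_write( sprintf(
        '[info] option=%s changed by user=%s id=%d roles=%s',
        $option, $user->user_login ?: '-', $user->ID, implode( ',', $user->roles )
    ) );
}

// File deletions: this filter fires only for deletions routed through
// wp_delete_file(); code that calls unlink() directly (as the vulnerable
// handlers may) bypasses it, so pair this with web-server access logs.
add_filter( 'wp_delete_file', 'demo_audit_log_file_delete' );
function demo_audit_log_file_delete( $file ) {
    $user = wp_get_current_user();
    demo_audit_write( sprintf(
        '[WARN] file delete path=%s by user=%s roles=%s ip=%s',
        $file, $user->user_login ?: '-', implode( ',', $user->roles ), demo_audit_client_ip()
    ) );
    return $file; // a filter must hand the path back unchanged
}

function demo_audit_client_ip() {
    // REMOTE_ADDR is the only source the PHP process can trust without
    // proxy configuration; forwarded headers are attacker-controlled.
    return sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ?? '-' ) );
}

function demo_audit_write( $line ) {
    error_log( 'demo-audit ' . gmdate( 'c' ) . ' ' . $line );
}
```

Feed the resulting `[WARN]` lines to whatever alerting the site already has (log shipping, a WAF's log integration, or a cron job grepping debug.log); a Subscriber account appearing next to `ajax action=` entries for backup, widget or option management is exactly the activity this advisory's mitigation section says to detect early.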


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-24T23:33:46.746Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e4bb7ef31ef0b59c71e

Added to database: 2/25/2026, 9:48:59 PM

Last enriched: 2/26/2026, 2:12:31 AM

Last updated: 2/26/2026, 8:22:22 AM
