CVE-2024-12920: CWE-862 Missing Authorization in Chimpstudio FoodBakery | Delivery Restaurant Directory WordPress Theme
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
AI Analysis
Technical Summary
The FoodBakery WordPress theme suffers from a missing capability check (CWE-862) in several functions including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all. This flaw permits authenticated users with low privileges (Subscriber or above) to delete arbitrary files, alter theme options, export and import widget configurations, generate and restore backups, and reset theme options. The vulnerability affects all versions up to and including 4.7 and has a CVSS v3.1 score of 8.8, indicating high impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with Subscriber-level access can exploit this vulnerability to delete arbitrary files within the theme context, modify or reset theme options, and manipulate widget settings. This can result in unauthorized data modification, potential site disruption, and loss of configuration data, severely impacting the confidentiality, integrity, and availability of the affected WordPress site.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Subscriber-level access and above to trusted users only. Monitor for updates from Chimpstudio regarding a security patch for this vulnerability and apply it promptly once available.
CVE-2024-12920: CWE-862 Missing Authorization in Chimpstudio FoodBakery | Delivery Restaurant Directory WordPress Theme
Description
The FoodBakery | Delivery Restaurant Directory WordPress Theme theme for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all functions in all versions up to, and including, 4.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files, update theme options, export widget options, import widget options, generate backups, restore backups, and reset theme options.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The FoodBakery WordPress theme suffers from a missing capability check (CWE-862) in several functions including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all. This flaw permits authenticated users with low privileges (Subscriber or above) to delete arbitrary files, alter theme options, export and import widget configurations, generate and restore backups, and reset theme options. The vulnerability affects all versions up to and including 4.7 and has a CVSS v3.1 score of 8.8, indicating high impact on confidentiality, integrity, and availability.
Potential Impact
An attacker with Subscriber-level access can exploit this vulnerability to delete arbitrary files within the theme context, modify or reset theme options, and manipulate widget settings. This can result in unauthorized data modification, potential site disruption, and loss of configuration data, severely impacting the confidentiality, integrity, and availability of the affected WordPress site.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict Subscriber-level access and above to trusted users only. Monitor for updates from Chimpstudio regarding a security patch for this vulnerability and apply it promptly once available.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-24T23:33:46.746Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e4bb7ef31ef0b59c71e
Added to database: 2/25/2026, 9:48:59 PM
Last enriched: 4/9/2026, 12:56:45 PM
Last updated: 4/12/2026, 3:34:14 PM
Views: 15
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.