CVE-2024-13335 is a vulnerability identified in the Spexo Addons for Elementor – Free Elementor Addons, Widgets and Templates WordPress plugin, maintained by templatescoderthemes. The flaw is due to a missing authorization check in the tmpcoder_theme_install_func() function, which is responsible for installing themes. This missing capability check means that any authenticated user with at least Subscriber-level privileges can invoke this function to install arbitrary themes on the WordPress site. Since Subscriber-level users have minimal permissions, this vulnerability effectively allows privilege escalation by enabling them to modify the site's theme without administrator approval. The vulnerability affects all versions up to and including 1.0.14. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability falls under CWE-862 (Missing Authorization), indicating a failure to properly enforce access control. This flaw could be exploited remotely by authenticated users to alter the website’s appearance or potentially introduce malicious themes, which could be a stepping stone for further compromise.

The primary impact of this vulnerability is unauthorized theme installation by low-privileged authenticated users, which can lead to unauthorized changes in website appearance and potentially introduce malicious code if the attacker installs a compromised theme. This undermines the integrity of the website and could facilitate further attacks such as cross-site scripting (XSS), malware distribution, or privilege escalation to administrative roles. While confidentiality and availability are not directly impacted, the integrity breach can damage organizational reputation, user trust, and lead to compliance issues. Organizations relying on WordPress sites with this plugin are at risk of unauthorized modifications, especially if they allow user registrations or have multiple authenticated users with Subscriber or higher roles. The ease of exploitation and the wide usage of WordPress globally increase the threat surface, making it a concern for many organizations, particularly those with public-facing websites or e-commerce platforms.

Organizations should immediately audit their WordPress installations to identify the presence of the Spexo Addons for Elementor plugin and verify the version in use. Until an official patch is released, restrict plugin usage to trusted users only and consider temporarily disabling the plugin if possible. Limit user roles and permissions rigorously, ensuring that Subscriber-level users do not have unnecessary access or capabilities. Implement monitoring and alerting for unexpected theme installations or changes in the WordPress environment. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the tmpcoder_theme_install_func() function. Regularly update all WordPress plugins and themes once patches become available. Conduct security awareness training for site administrators to recognize unauthorized changes. Finally, consider isolating critical WordPress instances and backing up site data frequently to enable quick recovery if compromise occurs.