CVE-2024-13364 is a vulnerability identified in the Raptive Ads plugin for WordPress, a widely used advertising management tool. The issue stems from a missing authorization (CWE-862) in the functions site_ads_files_reset() and cls_file_reset(), which are responsible for resetting advertisement and CLS (Cumulative Layout Shift) files. Because these functions lack proper capability checks, unauthenticated attackers can invoke them remotely without any privileges or user interaction. This unauthorized access allows attackers to reset or manipulate ad-related files, potentially disrupting ad delivery, skewing analytics, or causing inconsistencies in ad presentation. The vulnerability affects all versions up to and including 3.6.3 of the plugin. The CVSS 3.1 base score is 5.3, reflecting a medium severity level, with the vector indicating network attack vector, low attack complexity, no privileges required, no user interaction, and an impact limited to integrity loss. No patches or exploit code are currently publicly available, and no known exploits in the wild have been reported. The vulnerability was reserved in January 2025 and published in February 2025 by Wordfence. Since the plugin is integrated into WordPress sites, the attack surface includes any website using Raptive Ads, which is common among publishers relying on ad monetization. The flaw does not affect confidentiality or availability but can undermine the integrity of advertising data and operations.

The primary impact of CVE-2024-13364 is the unauthorized modification of ad and CLS files, which can disrupt the normal functioning of advertising on affected WordPress sites. This may lead to inaccurate ad delivery, loss of advertising revenue, and compromised analytics data integrity. While the vulnerability does not expose sensitive data or cause denial of service, the integrity compromise can affect business operations reliant on accurate ad performance metrics and user experience optimization. For publishers and advertisers, this could translate into financial losses and reputational damage if ads are reset or manipulated unexpectedly. Since exploitation requires no authentication or user interaction, the risk of automated or mass exploitation attempts exists, especially on high-traffic sites. However, the lack of known exploits in the wild suggests limited current active threat but a potential for future abuse if unpatched. Organizations with significant reliance on Raptive Ads for monetization are at higher risk of operational disruption.

To mitigate CVE-2024-13364, organizations should immediately update the Raptive Ads plugin to a version that includes proper authorization checks once available from the vendor. In the absence of an official patch, administrators can implement temporary workarounds such as restricting access to the vulnerable functions via web application firewall (WAF) rules that block requests targeting the site_ads_files_reset() and cls_file_reset() endpoints. Additionally, limiting access to the WordPress admin interface and plugin files to trusted IP addresses can reduce exposure. Monitoring web server logs for suspicious requests invoking these functions can help detect exploitation attempts early. It is also advisable to audit ad-related files regularly to identify unauthorized resets or modifications. Organizations should follow best practices for WordPress security, including least privilege principles for user roles and timely plugin updates. Engaging with the plugin vendor for patch timelines and security advisories is recommended.