CVE-2024-13368 is a vulnerability classified under CWE-862 (Missing Authorization) found in the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. The issue arises from the youzify_offer_banner() function lacking proper capability checks, allowing authenticated users with Subscriber-level privileges or higher to update arbitrary site options by setting them to a value of one. This missing authorization check means that even low-privileged users can manipulate site configurations that should normally be restricted to administrators or higher privileged roles. The vulnerability affects all versions up to and including 1.3.2 of the plugin. Exploitation requires authentication but no additional user interaction, and it can be performed remotely over the network. The impact is limited to integrity as it allows unauthorized modification of site options, which could lead to altered site behavior or security posture. The CVSS v3.1 base score is 4.3, indicating a medium severity level. No known exploits have been reported in the wild, and no official patches have been linked yet. The vulnerability was published on January 25, 2025, and was assigned by Wordfence. The plugin is widely used in WordPress environments that leverage BuddyPress for social networking and community features, making this a relevant risk for many WordPress sites.

The primary impact of this vulnerability is unauthorized modification of site options, which compromises the integrity of the affected WordPress site. Although it does not directly affect confidentiality or availability, unauthorized changes to site options can lead to misconfigurations that degrade site functionality, weaken security controls, or enable further attacks. For example, attackers could enable or disable features, alter plugin settings, or change user interface elements, potentially confusing users or exposing additional vulnerabilities. Since the vulnerability requires only Subscriber-level access, it lowers the barrier for exploitation, especially on sites with many registered users. Organizations relying on Youzify for community or social networking features may face increased risk of internal misuse or exploitation by compromised accounts. The lack of known exploits in the wild reduces immediate risk, but the vulnerability remains a concern until patched. The medium CVSS score reflects the moderate impact and ease of exploitation by authenticated users.

To mitigate this vulnerability, organizations should first check if an official patch or updated version of the Youzify plugin has been released and apply it promptly. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities as much as possible, limiting the number of users with such access. Implementing strong user account management and monitoring for unusual changes in site options can help detect exploitation attempts. Additionally, consider temporarily disabling or removing the Youzify plugin if it is not critical to site operations. Employing a Web Application Firewall (WAF) with custom rules to detect and block unauthorized requests targeting the youzify_offer_banner() function may provide interim protection. Regularly audit site options and plugin configurations for unauthorized changes. Finally, educate site administrators and users about the risks of privilege escalation and the importance of maintaining least privilege principles.