CVE-2024-13370 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress. The issue arises from the save_addon_key_license() function, which fails to perform a capability check before allowing changes to license key options. This missing authorization check means that any authenticated user with at least Subscriber-level privileges can invoke this function to update arbitrary options with a valid license key value. Since WordPress Subscriber roles typically have limited permissions, this vulnerability effectively escalates their ability to modify sensitive plugin settings without proper authorization. The vulnerability affects all versions up to and including 1.3.2 of the Youzify plugin. The CVSS 3.1 base score of 6.5 indicates a medium severity, with an attack vector over the network, low attack complexity, requiring privileges, no user interaction, and impacting integrity but not confidentiality or availability. No public exploits have been reported yet, but the flaw could be leveraged to manipulate license keys, potentially bypassing licensing restrictions or causing unauthorized plugin behavior. The vulnerability was published on January 25, 2025, and assigned by Wordfence. No official patches have been linked yet, so mitigation relies on access control and monitoring.

The primary impact of CVE-2024-13370 is unauthorized modification of license key options within the Youzify plugin by users with minimal privileges (Subscriber-level and above). This could allow attackers to bypass licensing restrictions, potentially enabling unauthorized use of premium features or disabling license enforcement mechanisms. While this does not directly compromise confidentiality or availability, it undermines the integrity of licensing controls, which could lead to financial losses for plugin vendors and operational issues for site administrators. Additionally, attackers might leverage this flaw as a stepping stone for further privilege escalation or to manipulate plugin behavior in ways that could indirectly affect site stability or security. Organizations relying on Youzify for community and social networking features on WordPress sites may face risks of unauthorized access to premium functionalities or disruption of licensing compliance. Given the widespread use of WordPress and BuddyPress plugins globally, the vulnerability has a broad potential impact, especially for sites with multiple user roles and active community participation.

To mitigate CVE-2024-13370, organizations should first verify if they are using the Youzify plugin version 1.3.2 or earlier and plan to update to a patched version once available. In the absence of an official patch, administrators should restrict Subscriber-level user capabilities to prevent unauthorized access to license key management functions. This can be done by customizing user roles and permissions using WordPress role management plugins to remove or limit access to plugin settings. Additionally, monitoring and logging changes to plugin options related to licensing can help detect suspicious activity. Implementing Web Application Firewalls (WAFs) with rules targeting unauthorized attempts to invoke save_addon_key_license() can provide an additional layer of defense. Site owners should also educate users about the risks of privilege misuse and regularly audit user accounts to ensure that only trusted users have elevated privileges. Finally, subscribing to vendor and security mailing lists will ensure timely awareness of patches and updates.