CVE-2024-13373 is a vulnerability classified under CWE-620 (Unverified Password Change) found in the Exertio Framework plugin for WordPress, affecting all versions up to 1.3.1. The vulnerability exists because the plugin’s fl_forgot_pass_new() function does not properly verify the identity of users requesting password changes. This flaw allows unauthenticated attackers to arbitrarily change the passwords of any user accounts, including those with administrative privileges. By exploiting this, attackers can escalate privileges and fully compromise the WordPress site. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, though the attack complexity is rated high, indicating some non-trivial conditions must be met. The CVSS v3.1 base score is 8.1, reflecting high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin. The lack of proper identity validation in password reset functionality is a critical security oversight that can lead to complete site takeover. The vulnerability was reserved in January 2025 and published in March 2025, with no patches currently linked, indicating that mitigation may require vendor updates or manual intervention.

The impact of CVE-2024-13373 is severe for organizations using the Exertio Framework plugin on WordPress sites. Successful exploitation allows attackers to reset passwords of any user account, including administrators, leading to full site compromise. This can result in unauthorized access to sensitive data, defacement, insertion of malicious code or backdoors, disruption of services, and potential use of the compromised site as a launchpad for further attacks. Given WordPress’s extensive use globally, especially for business, e-commerce, and content management, the vulnerability could affect a large number of organizations. The ability to escalate privileges without authentication increases the risk profile significantly. Additionally, the attack could damage organizational reputation, cause regulatory compliance issues, and incur financial losses. The absence of known exploits in the wild currently provides a window for remediation, but the high severity score underscores the urgency for mitigation.

Organizations should immediately audit their WordPress installations to identify the presence of the Exertio Framework plugin and its version. Until an official patch is released, administrators should consider disabling or removing the plugin to eliminate the attack surface. If removal is not feasible, restrict access to the password reset endpoint (fl_forgot_pass_new()) via web application firewalls (WAFs), IP whitelisting, or other network controls to prevent unauthenticated requests. Monitoring logs for suspicious password reset attempts targeting this function is critical. Implement multi-factor authentication (MFA) for all administrative accounts to reduce the risk of account takeover even if passwords are compromised. Regularly back up WordPress sites and databases to enable recovery in case of compromise. Stay alert for vendor updates or security advisories providing patches or official fixes and apply them promptly. Security teams should also conduct penetration testing focused on password reset mechanisms to detect similar vulnerabilities.