CVE-2024-13375 is a critical security vulnerability identified in the spoonthemes Adifier System plugin for WordPress, affecting all versions up to and including 3.1.7. The root cause is an improper validation of user identity within the adifier_recover() function, which handles password recovery and updates. Specifically, the plugin does not verify that the password change request originates from the legitimate user, allowing unauthenticated attackers to arbitrarily reset passwords for any user account, including those with administrative privileges. This flaw constitutes a CWE-620 (Unverified Password Change) vulnerability. Exploiting this vulnerability requires no authentication or user interaction, and the attack vector is network-based (remote). The CVSS v3.1 base score is 9.8 (critical), reflecting the high impact on confidentiality, integrity, and availability of affected systems. Successful exploitation results in full account takeover, enabling attackers to gain administrative control over the WordPress site, potentially leading to data theft, site defacement, malware deployment, or further lateral movement within the hosting environment. No official patches or fixes were listed at the time of publication, and no known exploits have been reported in the wild, but the vulnerability's nature and severity make it a prime target for attackers. The plugin's widespread use in classified ads and marketplace websites built on WordPress increases the potential attack surface.

The impact of CVE-2024-13375 is severe for organizations using the spoonthemes Adifier System plugin. An attacker can gain unauthorized administrative access to WordPress sites, leading to complete compromise of the website and potentially the underlying server environment. This can result in data breaches, defacement, injection of malicious code (such as backdoors or ransomware), disruption of business operations, and loss of customer trust. Since WordPress powers a significant portion of the web, especially small to medium businesses and niche marketplaces, the vulnerability could facilitate widespread attacks. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the risk of automated mass attacks. Organizations relying on this plugin for critical online services face risks to confidentiality, integrity, and availability, with potential regulatory and reputational consequences.

To mitigate CVE-2024-13375, organizations should immediately upgrade the spoonthemes Adifier System plugin to a patched version once available. Until a patch is released, implement the following specific measures: 1) Disable or restrict access to the adifier_recover() function by applying web application firewall (WAF) rules to block unauthenticated requests targeting password recovery endpoints; 2) Restrict password reset functionality to authenticated users only, if feasible, by customizing plugin code or using WordPress hooks to add verification steps; 3) Monitor logs for unusual password reset attempts or changes, especially targeting administrator accounts; 4) Enforce strong multi-factor authentication (MFA) on all administrator accounts to reduce the impact of potential account takeovers; 5) Conduct regular backups and ensure rapid restoration capabilities; 6) Isolate WordPress hosting environments to limit lateral movement in case of compromise; 7) Engage in proactive threat hunting for indicators of compromise related to this vulnerability. These targeted steps go beyond generic advice by focusing on the specific vulnerable function and attack vector.