
CVE-2024-13412: CWE-862 Missing Authorization in LoftOcean CozyStay - Hotel Booking WordPress Theme

Severity: High
Tags: Vulnerability, CVE-2024-13412, CWE-862
Published: Wed Mar 19 2025 (03/19/2025, 06:57:41 UTC)
Source: CVE Database V5
Vendor/Project: LoftOcean
Product: CozyStay - Hotel Booking WordPress Theme

Description

CVE-2024-13412 is a high-severity vulnerability in the CozyStay Hotel Booking WordPress theme by LoftOcean, affecting all versions up to 1.7.0. The flaw is due to a missing authorization check in the ajax_handler function, allowing unauthenticated attackers to perform arbitrary actions without any user interaction. This vulnerability impacts the integrity of data but does not affect confidentiality or availability directly. Exploitation requires no privileges and can be executed remotely over the network. Although no public exploits are currently known, the ease of exploitation and the widespread use of WordPress themes for hotel booking make this a significant risk. Organizations using this theme should prioritize patching or applying mitigations to prevent unauthorized modifications. Countries with large WordPress user bases and significant tourism sectors are most at risk. Immediate mitigation includes restricting access to AJAX endpoints, implementing custom authorization checks, and monitoring for suspicious activity.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 00:57:14 UTC

Technical Analysis

The vulnerability identified as CVE-2024-13412 affects the CozyStay Hotel Booking WordPress theme developed by LoftOcean, specifically versions up to and including 1.7.0. The root cause is a missing authorization check (CWE-862) in the ajax_handler function, which processes AJAX requests. This missing capability check means that any unauthenticated user can invoke this function and perform arbitrary actions that should normally require authorization. Because the ajax_handler function is exposed over the network and does not require authentication or user interaction, an attacker can remotely exploit this flaw to modify data within the theme's scope. The vulnerability impacts the integrity of the application’s data, potentially allowing attackers to alter booking information, manipulate reservations, or change configuration settings. The CVSS 3.1 base score is 7.5, indicating a high severity due to the combination of network attack vector, no privileges required, no user interaction, and a significant impact on integrity. Although no public exploits have been reported yet, the vulnerability is critical given the theme’s use in hotel booking websites, which often handle sensitive operational data. The lack of a patch at the time of reporting means users must rely on mitigations until an official fix is released.

Potential Impact

This vulnerability poses a significant risk to organizations using the CozyStay WordPress theme for hotel booking websites. Unauthorized modification of booking data can lead to operational disruptions, financial losses, and reputational damage. Attackers could manipulate reservations, create fraudulent bookings, or alter pricing and availability information, undermining customer trust and business integrity. Since the flaw allows unauthenticated remote exploitation, attackers do not need valid credentials, increasing the attack surface. The integrity compromise could also facilitate further attacks, such as injecting malicious content or redirecting users to phishing sites. While confidentiality and availability are not directly impacted, the integrity breach alone can have cascading effects on business operations and compliance with data protection regulations. Organizations relying on this theme are at risk of targeted attacks, especially those in the hospitality sector with high online booking volumes.

Mitigation Recommendations

Until an official patch is released, organizations should implement immediate mitigations to reduce risk. First, restrict access to the vulnerable AJAX endpoints by configuring web application firewalls (WAFs) or server-level access controls to allow only trusted IP addresses or authenticated users. Second, implement custom authorization checks in the theme’s ajax_handler function by modifying the code to verify user capabilities before processing requests. Third, monitor web server and application logs for unusual or unauthorized AJAX requests indicative of exploitation attempts. Fourth, consider temporarily disabling the theme’s AJAX functionality if feasible without disrupting critical operations. Additionally, maintain regular backups of website data to enable recovery in case of unauthorized modifications. Finally, stay informed about updates from LoftOcean and apply patches promptly once available. Employing a layered defense approach combining access restrictions, monitoring, and code hardening will mitigate exploitation risks effectively.
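As an added illustration of the missing-authorization pattern described in the technical analysis and of the code-level mitigation recommended above (this is not the CozyStay theme's own code), the following hypothetical WordPress AJAX handler is shown first without any authorization check and then hardened with a nonce and capability check. The action name example_update_booking, the manage_bookings capability and the _booking_status meta key are assumptions made for this example.

```php
<?php
// Added illustration, not the CozyStay theme's code. A hypothetical booking-status
// AJAX handler, shown in the CWE-862 pattern and then in a hardened form.
// 'example_update_booking', 'manage_bookings' and '_booking_status' are assumed names.

// VULNERABLE pattern (shown for contrast only, do not ship): the handler is hooked on
// wp_ajax_nopriv_*, which WordPress runs for unauthenticated requests, and it changes
// state without verifying who is calling or where the request came from.
add_action( 'wp_ajax_example_update_booking',        'example_update_booking_vulnerable' );
add_action( 'wp_ajax_nopriv_example_update_booking', 'example_update_booking_vulnerable' );
function example_update_booking_vulnerable() {
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $booking_id, '_booking_status', $status ); // no authorization at all
    wp_send_json_success();
}

// HARDENED pattern: only the logged-in hook is registered, and the handler verifies
// a nonce (the request came from our own UI) and the caller's capabilities before
// touching any data. The UI must send wp_create_nonce( 'example_update_booking' )
// in the 'nonce' field.
add_action( 'wp_ajax_example_update_booking', 'example_update_booking_hardened' );
function example_update_booking_hardened() {
    // Ends the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_update_booking', 'nonce' );

    $booking_id = absint( $_POST['booking_id'] ?? 0 );

    // Authorization: a capability scoped to this feature, plus an object-level check
    // that the caller may edit this particular booking post (prevents IDOR-style misuse).
    if ( ! current_user_can( 'manage_bookings' ) || ! current_user_can( 'edit_post', $booking_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input validation: only accept a known set of status values.
    $allowed = array( 'pending', 'confirmed', 'cancelled' );
    $status  = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid status' ), 400 );
    }

    update_post_meta( $booking_id, '_booking_status', $status );
    wp_send_json_success( array( 'booking_id' => $booking_id, 'status' => $status ) );
}
```

When auditing a theme for this class of bug, look for every callback hooked on wp_ajax_nopriv_* (and any shared dispatcher such as an ajax_handler function) and confirm it reaches a check_ajax_referer or current_user_can call before any write.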


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-15T17:28:40.511Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e55b7ef31ef0b59e69b

Added to database: 2/25/2026, 9:49:09 PM

Last enriched: 2/26/2026, 12:57:14 AM

Last updated: 2/26/2026, 8:41:57 AM


