CVE-2024-13419 identifies a missing authorization vulnerability in the G5Theme Benaa Framework, which is integrated into multiple WordPress plugins and themes built on the Smart Framework. The core issue lies in the absence of proper capability checks within the saveOptions() and importThemeOptions() functions. These functions are responsible for saving and importing theme or plugin settings, including custom JavaScript code. Because the authorization check is missing, any authenticated user with at least Subscriber-level privileges can invoke these functions to update settings arbitrarily. This enables attackers to inject malicious JavaScript that is stored persistently and executed across the entire site, constituting a stored cross-site scripting (XSS) attack. The vulnerability spans all versions of the Benaa Framework, indicating a systemic flaw rather than a version-specific bug. The CVSS 3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial confidentiality and integrity impacts. The scope is changed due to the potential for site-wide script execution. Despite being reported to Envato over two months prior to public disclosure, no patch or mitigation has been released, increasing risk for sites using these themes or plugins. No known exploits have been observed in the wild yet, but the vulnerability's nature and ease of exploitation make it a significant threat to WordPress sites using the affected framework.

The vulnerability allows authenticated users with minimal privileges (Subscriber-level) to escalate their capabilities by injecting malicious JavaScript site-wide. This can lead to theft of sensitive user data such as cookies, session tokens, or credentials, enabling further account takeover or privilege escalation. Attackers can also perform actions on behalf of other users, deface the website, or distribute malware to visitors. The stored XSS can compromise site integrity and user trust, potentially damaging brand reputation and causing financial losses. Since WordPress powers a large portion of the web, and many sites use themes/plugins from Envato marketplaces, the impact is broad. Organizations relying on affected themes risk unauthorized access and persistent compromise. The lack of a patch increases exposure time, and automated exploitation could become feasible, amplifying the threat. The vulnerability does not affect availability directly but undermines confidentiality and integrity significantly.

Organizations should immediately audit their WordPress installations for the presence of G5Theme Benaa Framework-based themes or plugins, especially those sourced from Envato marketplaces. Until a patch is released, restrict user roles to the minimum necessary privileges, ideally removing Subscriber-level users who do not require access. Implement Web Application Firewalls (WAFs) with rules to detect and block suspicious POST requests targeting saveOptions() and importThemeOptions() endpoints. Monitor logs for unusual activity related to theme or plugin settings changes. Consider disabling or replacing vulnerable themes/plugins with alternatives that have proper authorization controls. Engage with vendors or Envato to expedite patch development and deployment. Additionally, implement Content Security Policy (CSP) headers to limit the impact of injected scripts and conduct regular security reviews of user roles and permissions. Backup site data frequently to enable recovery in case of compromise.