
CVE-2024-13449: CWE-862 Missing Authorization in ibsofts Boom Fest

Severity: Medium
Tags: Vulnerability, CVE-2024-13449, CWE-862
Published: Sat Jan 25 2025 (01/25/2025, 08:23:15 UTC)
Source: CVE Database V5
Vendor/Project: ibsofts
Product: Boom Fest

Description

CVE-2024-13449 is a medium-severity vulnerability in the Boom Fest WordPress plugin by ibsofts, affecting all versions up to and including 2.2.1. The issue arises from a missing authorization check in the 'bf_admin_action' function, which allows authenticated users with Subscriber-level access or higher to modify plugin settings that control website appearance. The vulnerability does not affect confidentiality or availability, but it compromises integrity through unauthorized changes to the site's appearance. Exploitation requires no user interaction beyond authentication, and no privileges higher than Subscriber are needed. No exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or apply compensating controls that restrict Subscriber-level access. The threat primarily affects websites worldwide that use this plugin, with higher risk in countries with widespread WordPress adoption and active web content management. The CVSS score is 5.3.

AI-Powered Analysis

Last updated: 02/26/2026, 00:58:21 UTC

Technical Analysis

CVE-2024-13449 identifies a missing authorization vulnerability (CWE-862) in the Boom Fest WordPress plugin developed by ibsofts. The vulnerability exists in the 'bf_admin_action' function, which lacks proper capability checks before allowing modifications to plugin settings. This flaw permits any authenticated user with Subscriber-level privileges or higher to update settings that affect the website's appearance, such as layout or visual elements controlled by the plugin. Since WordPress Subscriber roles typically have minimal permissions, this vulnerability effectively elevates their ability to alter site presentation without administrative consent. The vulnerability affects all versions up to and including 2.2.1 of Boom Fest. The CVSS 3.1 base score is 5.3 (medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network exploitability, low attack complexity, no privileges required beyond authentication, no user interaction, unchanged scope, no confidentiality or availability impact, but integrity impact present. No patches or exploits are currently known, but the risk stems from the potential for unauthorized visual modifications that could be used for defacement or social engineering. The vulnerability was published on January 25, 2025, and assigned by Wordfence. The lack of authorization checks is a common security oversight that can lead to privilege escalation within web applications. Organizations using Boom Fest should assess their exposure and implement mitigations promptly.
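The following is an added illustration of the CWE-862 pattern the analysis describes, not Boom Fest's own code: an AJAX settings handler that trusts any logged-in user, next to the hardened form a patch would introduce. The hook name, option name, field names and nonce action are assumptions; the WordPress functions used are real core APIs.

```php
<?php
// Added illustration (not the plugin's code). Hook, option and field names are assumed.

// VULNERABLE SHAPE (shown for contrast, deliberately not registered below):
// 'wp_ajax_*' hooks fire for every authenticated user, Subscriber included,
// so without a capability check anyone who can log in may rewrite the settings.
function bf_admin_action_vulnerable() {
    $settings = array(
        'layout'       => sanitize_key( wp_unslash( $_POST['layout'] ?? '' ) ),
        'accent_color' => sanitize_text_field( wp_unslash( $_POST['accent_color'] ?? '' ) ),
    );
    update_option( 'bf_appearance_settings', $settings ); // assumed option name
    wp_send_json_success( $settings );
}

// HARDENED SHAPE: verify intent (nonce) and authority (capability) before writing.
function bf_admin_action() {
    // 1. CSRF protection: the request must carry a nonce issued to this user for
    //    this action; check_ajax_referer() terminates with HTTP 403 if it is missing.
    check_ajax_referer( 'bf_admin_action_nonce', 'security' );

    // 2. Authorization: the check whose absence is CWE-862. Only users holding
    //    'manage_options' (Administrators by default) may change site settings;
    //    Subscribers do not hold it and are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the payload against an allow-list rather than trusting raw input.
    $allowed_layouts = array( 'grid', 'list', 'carousel' ); // assumed values
    $layout          = sanitize_key( wp_unslash( $_POST['layout'] ?? '' ) );
    if ( ! in_array( $layout, $allowed_layouts, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid layout.' ), 400 );
    }

    $settings = array(
        'layout'       => $layout,
        'accent_color' => sanitize_text_field( wp_unslash( $_POST['accent_color'] ?? '' ) ),
    );
    update_option( 'bf_appearance_settings', $settings );
    wp_send_json_success( $settings );
}

// Only the logged-in hook is registered; no 'wp_ajax_nopriv_' variant exists, which
// matches the advisory's note that exploitation requires authentication.
add_action( 'wp_ajax_bf_admin_action', 'bf_admin_action' );
```

The nonce alone would not have prevented this issue, since a Subscriber can obtain a valid nonce for their own session; the capability check in step 2 is the control the advisory reports as missing.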

Potential Impact

The primary impact of CVE-2024-13449 is unauthorized modification of website appearance by low-privilege authenticated users. This can lead to website defacement, misleading content presentation, or insertion of malicious visual elements that could facilitate phishing or social engineering attacks against site visitors. While confidentiality and availability are not directly affected, the integrity of the website's content and user trust can be significantly compromised. For organizations relying on Boom Fest for event or festival-related content, such unauthorized changes could damage brand reputation and user confidence. Attackers exploiting this vulnerability do not require elevated privileges beyond Subscriber-level access, which is commonly granted to registered users or commenters, increasing the attack surface. The vulnerability could be leveraged in multi-user environments where many users have Subscriber roles, such as community sites or membership platforms. Although no known exploits are reported, the ease of exploitation and potential for visual manipulation make this a notable risk for WordPress sites globally.

Mitigation Recommendations

To mitigate CVE-2024-13449, organizations should first check for and apply any official patches or updates released by ibsofts for the Boom Fest plugin. If no patch is available, administrators should restrict Subscriber-level access or review user roles to limit who can authenticate with such privileges. Implementing a Web Application Firewall (WAF) with rules to detect and block unauthorized requests targeting the 'bf_admin_action' function can provide temporary protection. Additionally, monitoring and logging changes to plugin settings and website appearance can help detect exploitation attempts early. Site administrators should also consider disabling or removing the Boom Fest plugin if it is not essential. Conducting regular security audits of WordPress plugins and enforcing the principle of least privilege for user roles will reduce the risk of similar vulnerabilities. Finally, educating users about the risks of unauthorized access and maintaining strong authentication controls can further reduce exposure.


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-15T23:59:57.508Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e57b7ef31ef0b59e9fd

Added to database: 2/25/2026, 9:49:11 PM

Last enriched: 2/26/2026, 12:58:21 AM

Last updated: 2/26/2026, 7:11:04 AM

