CVE-2024-13643 is a critical authorization bypass vulnerability identified in the MVPThemes Zox News - Professional WordPress News & Magazine Theme, affecting all versions up to and including 3.17.0. The root cause is missing capability checks in the theme's backup_options() and reset_options() functions, which manage site option backups and resets. These functions can be invoked by authenticated users with minimal privileges (Subscriber-level or higher) to modify or delete arbitrary WordPress options. By exploiting this flaw, an attacker can escalate privileges by changing the default user role for new registrations to Administrator and enabling user registration, effectively granting themselves or others administrative access. Furthermore, attackers can delete critical options, potentially causing site malfunctions or denial of service conditions. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 8.8 (high), reflecting the vulnerability's ease of exploitation, high impact on confidentiality, integrity, and availability, and the broad scope of affected systems. No patches or official fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability is classified under CWE-862 (Missing Authorization).

The impact of CVE-2024-13643 is severe for organizations using the Zox News WordPress theme. Attackers with low-level authenticated access can escalate privileges to full administrative control, compromising site confidentiality by accessing sensitive data and integrity by modifying or deleting critical configurations. This can lead to complete site takeover, unauthorized content manipulation, and persistent backdoors. The ability to delete essential options can cause site instability or denial of service, disrupting business operations and user access. For news and magazine websites relying on this theme, such disruptions can damage reputation, reduce user trust, and cause financial losses. The vulnerability also increases the risk of further attacks, such as malware deployment or phishing campaigns, leveraging the compromised site. Given WordPress's widespread use globally, the potential attack surface is large, especially for sites that have not implemented strict access controls or timely updates.

To mitigate CVE-2024-13643, organizations should immediately restrict access to the WordPress admin area, ensuring that only trusted users have Subscriber-level or higher privileges. Implement strict role-based access controls and audit user permissions regularly. Disable user registration if not required to reduce attack vectors. Monitor WordPress option changes and site logs for unusual activity indicative of exploitation attempts. Since no official patch is currently available, consider temporarily switching to a different theme or disabling the vulnerable theme until a fix is released. Employ Web Application Firewalls (WAFs) with custom rules to detect and block unauthorized attempts to invoke backup_options() and reset_options() functions. Keep WordPress core, plugins, and themes updated and subscribe to vendor security advisories for timely patch deployment. Additionally, maintain regular site backups stored securely offline to enable recovery in case of compromise.