CVE-2024-13643: CWE-862 Missing Authorization in MVPThemes Zox News - Professional WordPress News & Magazine Theme
The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.
AI Analysis
Technical Summary
The Zox News - Professional WordPress News & Magazine Theme plugin suffers from a missing authorization vulnerability (CWE-862) in its backup_options() and reset_options() functions. This flaw allows authenticated users with low privileges (Subscriber and above) to update or delete arbitrary WordPress options. Attackers can escalate privileges by setting the default registration role to Administrator and enabling user registration, thereby gaining full administrative access. They can also disrupt site functionality by deleting essential options, causing denial of service. The vulnerability affects all versions up to and including 3.17.0. The CVSS 3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. No official patch or vendor advisory is provided in the data.
Potential Impact
An attacker with Subscriber-level access or higher can exploit this vulnerability to escalate privileges to Administrator by modifying site options related to user roles and registration. This leads to full administrative control over the WordPress site. Additionally, attackers can delete critical options, causing site errors and denial of service conditions, impacting availability and functionality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access and above to trusted users only. Monitor for suspicious changes to site options and consider disabling user registration if not required. Avoid granting unnecessary privileges to low-level users.
CVE-2024-13643: CWE-862 Missing Authorization in MVPThemes Zox News - Professional WordPress News & Magazine Theme
Description
The Zox News - Professional WordPress News & Magazine Theme plugin for WordPress is vulnerable to unauthorized data modification. This vulnerability can lead to privilege escalation and denial of service conditions due to missing capability checks on the backup_options() and reset_options() functions in all versions up to and including 3.17.0. This vulnerability allows authenticated attackers with Subscriber-level access and above to update and delete arbitrary option values on the WordPress site. Attackers can exploit this issue to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access to the vulnerable site. Additionally, they could delete critical options, causing errors that may disrupt the site's functionality and deny service to legitimate users.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Zox News - Professional WordPress News & Magazine Theme plugin suffers from a missing authorization vulnerability (CWE-862) in its backup_options() and reset_options() functions. This flaw allows authenticated users with low privileges (Subscriber and above) to update or delete arbitrary WordPress options. Attackers can escalate privileges by setting the default registration role to Administrator and enabling user registration, thereby gaining full administrative access. They can also disrupt site functionality by deleting essential options, causing denial of service. The vulnerability affects all versions up to and including 3.17.0. The CVSS 3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. No official patch or vendor advisory is provided in the data.
Potential Impact
An attacker with Subscriber-level access or higher can exploit this vulnerability to escalate privileges to Administrator by modifying site options related to user roles and registration. This leads to full administrative control over the WordPress site. Additionally, attackers can delete critical options, causing site errors and denial of service conditions, impacting availability and functionality.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access and above to trusted users only. Monitor for suspicious changes to site options and consider disabling user registration if not required. Avoid granting unnecessary privileges to low-level users.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-23T00:57:16.614Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e64b7ef31ef0b59fde3
Added to database: 2/25/2026, 9:49:24 PM
Last enriched: 4/9/2026, 1:14:02 PM
Last updated: 4/12/2026, 5:05:19 AM
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.