CVE-2024-13653 is a vulnerability classified under CWE-862 (Missing Authorization) found in the ZoxPress - The All-In-One WordPress News Theme developed by MVPThemes. The issue arises from the 'backup_options' function, which lacks a proper capability check, allowing authenticated users with as low as Subscriber-level privileges to modify arbitrary WordPress options. This missing authorization enables attackers to escalate privileges by changing the default registration role to administrator and enabling user registration, thereby creating new administrative accounts without requiring higher privileges or user interaction. The vulnerability affects all versions up to and including 2.12.0 of the theme. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with network attack vector, low attack complexity, and no user interaction required. Although no known exploits are currently in the wild, the vulnerability's nature makes it a critical risk for WordPress sites using this theme, especially news and media sites relying on ZoxPress. The flaw allows attackers to gain full control over the site, potentially leading to data breaches, defacement, or further compromise of connected systems. The vulnerability was publicly disclosed in February 2025, with no official patch available at the time, emphasizing the need for immediate mitigation.

The impact of CVE-2024-13653 is severe for organizations running WordPress sites with the ZoxPress theme. Attackers with minimal authenticated access can escalate privileges to administrator level, effectively gaining full control over the website. This can lead to unauthorized data modification, site defacement, insertion of malicious code, theft of sensitive information, and disruption of service. For news and media organizations, this could result in reputational damage, loss of user trust, and potential regulatory consequences if user data is compromised. The ability to create new admin accounts also facilitates persistent access and lateral movement within the hosting environment. Given WordPress's widespread use globally, especially in content management for news outlets, the vulnerability poses a significant risk to the integrity and availability of critical information platforms. The lack of required user interaction and low complexity of exploitation further increase the likelihood of successful attacks.

To mitigate CVE-2024-13653, organizations should immediately restrict access to the WordPress admin area to trusted users only, ensuring that Subscriber-level users are carefully managed or temporarily disabled if not necessary. Until an official patch is released, consider disabling user registration and setting the default role to a non-privileged level manually via the WordPress settings. Implement web application firewall (WAF) rules to detect and block unauthorized attempts to invoke the 'backup_options' function or modify site options. Regularly audit user roles and permissions to detect any unauthorized changes. Monitoring logs for unusual option updates or new administrator accounts can provide early warning of exploitation attempts. Additionally, consider isolating the WordPress environment and applying principle of least privilege to database and file system access. Once a patch becomes available from MVPThemes, apply it promptly. Backup site data regularly to enable recovery in case of compromise.