CVE-2024-13654 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the ZoxPress - The All-In-One WordPress News Theme developed by MVPThemes. The flaw exists in all versions up to and including 2.12.0, where the 'reset_options' function lacks proper capability checks, allowing authenticated users with minimal privileges (Subscriber-level or above) to invoke this function. This unauthorized access enables attackers to delete arbitrary option values stored in the WordPress database. Since WordPress options control various configuration settings, deleting critical options can cause the theme or site to malfunction, potentially leading to denial of service (DoS) by generating errors that prevent legitimate users from accessing the site. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 8.1, reflecting high severity due to the ease of exploitation (low attack complexity), the requirement of only low privileges, and the significant impact on integrity and availability. No known public exploits have been reported yet, but the vulnerability's nature makes it a prime candidate for exploitation once weaponized. The vulnerability highlights a common security oversight in WordPress themes where authorization checks are insufficient or missing, emphasizing the need for secure coding practices in plugin and theme development.

The primary impact of CVE-2024-13654 is the potential for denial of service on WordPress sites using the ZoxPress theme. By deleting arbitrary options, attackers can disrupt site functionality, causing errors that prevent legitimate users from accessing content or services. This compromises availability and integrity of the affected sites. Since the vulnerability requires only Subscriber-level access, which is often granted to registered users or contributors, the attack surface is broad within many WordPress installations. For organizations relying on ZoxPress for news or media delivery, this can result in significant operational disruption, loss of user trust, and potential revenue impact. Additionally, the ability to modify options without authorization could be leveraged as part of a larger attack chain, potentially facilitating further compromise or persistent disruption. The vulnerability does not directly impact confidentiality but poses a serious risk to site stability and reliability.

To mitigate CVE-2024-13654, organizations should immediately update the ZoxPress theme to a patched version once released by MVPThemes. Until an official patch is available, administrators can implement the following measures: 1) Restrict Subscriber-level users from accessing or triggering the 'reset_options' functionality by customizing user roles and capabilities using plugins like User Role Editor. 2) Employ Web Application Firewalls (WAFs) to detect and block suspicious requests targeting the 'reset_options' endpoint or related AJAX actions. 3) Monitor logs for unusual option deletions or unauthorized access attempts to quickly identify exploitation attempts. 4) Harden WordPress installations by limiting plugin and theme installations to trusted sources and regularly auditing user privileges. 5) Consider temporarily disabling or removing the ZoxPress theme if the risk outweighs operational needs until a fix is applied. 6) Educate site administrators and users about the risk of granting unnecessary privileges to reduce the attack surface. These targeted mitigations go beyond generic advice by focusing on controlling access to the vulnerable function and monitoring for exploitation indicators.