
CVE-2024-13655: CWE-862 Missing Authorization in MVPThemes Flex Mag - Responsive WordPress News Theme

Severity: High
Tags: vulnerability, cve-2024-13655, cwe-862
Published: Fri Mar 07 2025 (03/07/2025, 06:40:03 UTC)
Source: CVE Database V5
Vendor/Project: MVPThemes
Product: Flex Mag - Responsive WordPress News Theme

Description

CVE-2024-13655 is a high-severity vulnerability in the Flex Mag - Responsive WordPress News Theme by MVPThemes, affecting all versions up to and including 3.5.2. It stems from a missing authorization check in the propanel_of_ajax_callback() function, which lets any authenticated user with Subscriber-level access or higher delete arbitrary WordPress option values. Deleting critical options triggers site errors, causing a denial of service for legitimate users. Exploitation requires only an authenticated account and no further user interaction, and it can be performed remotely over the network. No exploits have been reported in the wild, but the low privilege requirement and the impact on site integrity and availability make this a significant threat. Organizations using this theme should prioritize patching or applying mitigations to prevent unauthorized option deletions. Countries with widespread WordPress usage and significant adoption of this theme, including the United States, United Kingdom, Germany, Australia, Canada, and India, are at higher risk. Immediate mitigation steps include limiting who holds Subscriber-level accounts, monitoring option changes, and applying updates once available.

AI-Powered Analysis

Last updated: 02/25/2026, 22:56:40 UTC

Technical Analysis

CVE-2024-13655 is a vulnerability classified under CWE-862 (Missing Authorization) in the Flex Mag - Responsive WordPress News Theme developed by MVPThemes. The issue resides in the propanel_of_ajax_callback() function, which lacks a capability check before modifying WordPress options. The WordPress AJAX dispatcher (wp-admin/admin-ajax.php) only authenticates the request; authorization is left to each wp_ajax_* callback, so a callback that omits the check is reachable by every logged-in account. As a result, any authenticated user with Subscriber-level access or higher can delete arbitrary option values on the affected site. Since the Subscriber role is commonly granted to self-registered users with minimal privileges, the barrier to exploitation is low. Deleting certain options (core settings such as the active theme or site URL, or the theme's own configuration) causes the site to malfunction, producing a denial of service (DoS) that prevents legitimate users from accessing it. The vulnerability affects all versions up to and including 3.5.2 of the theme. The CVSS v3.1 base score is 8.1 (High); the stated components (network attack vector, low attack complexity, low privileges required, no user interaction, high integrity and availability impact, no confidentiality impact) correspond to the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H. No patches or official fixes are currently linked, and no exploits have been reported in the wild. The vulnerability nevertheless remains a critical concern for sites using this theme, because a low-privileged authenticated user can exploit it remotely to disrupt site operations.
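The pattern behind CWE-862 in a WordPress AJAX handler, as an added illustration that is not the theme's code: the theme's actual propanel_of_ajax_callback() body is not published on this page, so the hook names (example_panel_delete, example_panel_delete_safe), the nonce action, the request field and the example_panel_ option prefix are all assumptions. The first handler shows the vulnerable shape (reachable by any logged-in user, no capability check, any option name accepted); the second shows the three checks a hardened handler needs.

```php
<?php
/*
 * Illustrative example, not code from Flex Mag or Wordfence.
 * Hook names, nonce action, request fields and option prefix are assumed.
 */

// --- Vulnerable shape: every wp_ajax_* hook is reachable by any logged-in ---
// --- account, and nothing here checks who is asking or which option is named. ---
add_action( 'wp_ajax_example_panel_delete', 'example_panel_delete_vulnerable' );
function example_panel_delete_vulnerable() {
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    delete_option( $name ); // a Subscriber can name 'siteurl', 'template', ...
    wp_send_json_success();
}

// --- Hardened shape ---
add_action( 'wp_ajax_example_panel_delete_safe', 'example_panel_delete_hardened' );
function example_panel_delete_hardened() {
    // 1. CSRF: the nonce is only ever rendered into the admin panel page.
    //    A nonce alone is NOT authorization; a Subscriber could still obtain
    //    one if the panel were rendered for them, hence step 2.
    check_ajax_referer( 'example_panel_nonce', 'nonce' );

    // 2. Authorization (the check CWE-862 is about): test a capability,
    //    not a role name, so custom roles with manage_options still work.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Scope: only options this panel owns, never an arbitrary name.
    $name = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( '' === $name || 0 !== strpos( $name, 'example_panel_' ) ) {
        wp_send_json_error( array( 'message' => 'Option not managed by this panel.' ), 400 );
    }

    if ( delete_option( $name ) ) {
        wp_send_json_success( array( 'deleted' => $name ) );
    }
    wp_send_json_error( array( 'message' => 'Option did not exist.' ), 404 );
}
```

wp_send_json_error() and wp_send_json_success() terminate the request, so no code after a failed check runs. When reviewing a theme or plugin for this class of bug, grep for add_action( 'wp_ajax_ and confirm each callback performs a current_user_can() check before any write to options, posts or users; the nopriv variant (wp_ajax_nopriv_) is reachable without logging in at all.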

Potential Impact

The primary impact of CVE-2024-13655 is denial of service on WordPress sites running the Flex Mag theme. Because authenticated users with minimal privileges can delete arbitrary options, an attacker can induce site errors that disrupt availability and degrade the user experience, leading to lost revenue, reputational damage, and recovery costs. The integrity of the site configuration is also compromised, since critical settings can be removed. Confidentiality is not directly affected, but the service disruption can affect business continuity and trust. Organizations relying on this theme for news or content delivery are particularly exposed to service interruptions. The ease of exploitation and the low privilege requirement make it likely that insider threats or compromised accounts will be used to trigger the flaw. The absence of known exploits does not reduce the risk: now that the vulnerability is public, automated scanning and exploitation tooling can appear quickly.

Mitigation Recommendations

1. Reduce the pool of accounts that can reach the endpoint. The vulnerable handler is reachable by any authenticated user, so disable open registration (Settings → General → "Anyone can register") unless it is required, audit existing Subscriber-level accounts, and remove stale ones.
2. Monitor and alert on WordPress option changes, especially deletions of core options (siteurl, home, template, stylesheet, active_plugins) and of Flex Mag theme options, so unauthorized deletions are detected promptly.
3. Add WAF or reverse-proxy rules for POST requests to wp-admin/admin-ajax.php whose action parameter maps to propanel_of_ajax_callback(). The PHP function name never appears in the request, so take the action name from the theme's wp_ajax_* registration in its functions.php or panel code rather than matching on the function name.
4. Until MVPThemes releases a fix, temporarily disable or replace the Flex Mag theme, or add the missing capability check through a must-use plugin that blocks option deletions by users without manage_options.
5. Regularly back up the WordPress database (the wp_options table in particular) so a deleted option set can be restored quickly after exploitation.
6. Enforce strong authentication (MFA where possible) and monitor for compromised accounts, since any low-privilege account is sufficient to exploit this vulnerability.
7. Follow MVPThemes and WordPress security advisories closely and apply the fixed theme version immediately upon release.
8. Audit user privilege assignments and the security posture of installed plugins and themes to identify and remediate similar authorization issues.
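Recommendations 2 and 4 can be implemented together as a must-use plugin that logs every option deletion with its caller context and refuses deletion of a small set of site-critical options by anyone lacking manage_options. This is an added example written for this page, not code from MVPThemes or Wordfence; the plugin name, the example_odm_ function names and the protected-option list are assumptions that should be adjusted per site.

```php
<?php
/*
 * Plugin Name: Option deletion monitor (illustrative example)
 * Description: Logs option deletions and blocks deletion of critical options
 *              by users without manage_options. Drop into wp-content/mu-plugins/.
 * Names and the protected-option list below are assumptions for this example.
 */

// Options whose loss typically takes the site down or changes who can log in.
function example_odm_protected_options() {
    return array(
        'siteurl', 'home', 'template', 'stylesheet', 'active_plugins',
        'users_can_register', 'default_role',
    );
}

// The 'delete_option' action fires inside delete_option() BEFORE the row is
// removed, so terminating the request here prevents the deletion.
add_action( 'delete_option', 'example_odm_on_delete_option', 10, 1 );
function example_odm_on_delete_option( $option ) {
    // WP-CLI and cron run without a logged-in user; do not block legitimate ops.
    if ( ( defined( 'WP_CLI' ) && WP_CLI ) || ( defined( 'DOING_CRON' ) && DOING_CRON ) ) {
        return;
    }

    $user    = wp_get_current_user();
    $is_ajax = function_exists( 'wp_doing_ajax' ) && wp_doing_ajax();
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $ip      = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';

    // Log enough context to triage: who, which role, via which entry point.
    error_log( sprintf(
        '[option-monitor] delete_option(%s) user=#%d(%s) roles=[%s] ajax=%s action=%s ip=%s',
        $option,
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $is_ajax ? 'yes' : 'no',
        $action,
        $ip
    ) );

    // Virtual patch: a Subscriber hitting an unchecked AJAX callback lands here.
    if ( in_array( $option, example_odm_protected_options(), true )
         && ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf( '[option-monitor] BLOCKED deletion of %s by user #%d', $option, $user->ID ) );
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
```

Ship the log lines to whatever collects PHP error_log output (typically the web server error log) and alert on any "[option-monitor]" entry whose roles list does not include administrator, and on every BLOCKED line. The block list is deliberately short: deletions of the theme's own options are still logged but not prevented, because the theme's admin panel may legitimately delete them, and a full fix still requires the capability check inside propanel_of_ajax_callback() itself.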


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-23T16:23:48.278Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e65b7ef31ef0b59feee

Added to database: 2/25/2026, 9:49:25 PM

Last enriched: 2/25/2026, 10:56:40 PM

Last updated: 2/26/2026, 7:44:34 AM


