
CVE-2024-13656: CWE-862 Missing Authorization in MVPThemes Click Mag - Viral WordPress News Magazine/Blog Theme

Severity: High
Published: Wed Feb 12 2025 (02/12/2025, 04:22:16 UTC)
Source: CVE Database V5
Vendor/Project: MVPThemes
Product: Click Mag - Viral WordPress News Magazine/Blog Theme

Description

CVE-2024-13656 is a high-severity vulnerability in the Click Mag WordPress theme by MVPThemes that allows authenticated users with subscriber-level access or higher to delete arbitrary option values because of a missing authorization check. The flaw resides in the propanel_of_ajax_callback() function and enables unauthorized modification of site data. Exploiting it can cause a denial of service: deleting critical options triggers site errors, affecting availability and integrity. The vulnerability requires no user interaction beyond authentication and is exploitable remotely over the network. No public exploits are known yet, but the CVSS score of 8.1 indicates a serious risk. Organizations using this theme should prioritize patching or applying mitigations to prevent service disruptions. Media sites relying on this theme, and regions with significant WordPress usage, are most at risk.

AI-Powered Analysis

Last updated: 02/25/2026, 22:56:24 UTC

Technical Analysis

CVE-2024-13656 is a missing authorization vulnerability (CWE-862) affecting the Click Mag - Viral WordPress News Magazine/Blog Theme developed by MVPThemes, present in all versions up to and including 3.6.0. The vulnerability arises from the lack of a capability check in the propanel_of_ajax_callback() function, which handles AJAX requests related to theme options. Authenticated users with subscriber-level privileges or higher can exploit this flaw to delete arbitrary option values stored in the WordPress database. These options control various theme settings and site configurations. By deleting specific options, an attacker can induce errors that cause the site to malfunction or become unavailable, effectively resulting in a denial of service (DoS). The vulnerability is remotely exploitable over the network without requiring additional user interaction beyond authentication. The CVSS v3.1 base score is 8.1 (high), reflecting the ease of exploitation (low attack complexity), the requirement for low privileges (PR:L), and the significant impact on integrity and availability, though confidentiality is not affected. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. However, the vulnerability poses a substantial risk to WordPress sites using this theme, especially those with multiple user roles where subscriber-level accounts exist.

Potential Impact

The primary impact of CVE-2024-13656 is the potential for denial of service on WordPress sites using the Click Mag theme. By deleting critical option values, attackers can cause site errors that disrupt normal operation, leading to downtime and loss of availability. This can affect user trust, site revenue, and brand reputation, particularly for news and media websites relying on this theme. Additionally, the integrity of site configurations is compromised, as attackers can modify or remove settings without proper authorization. Although confidentiality is not directly impacted, the disruption to service can indirectly affect business continuity and user experience. Since the vulnerability requires only subscriber-level access, it lowers the barrier for exploitation, increasing risk in environments with many registered users. Organizations worldwide using this theme are vulnerable, especially those with public-facing WordPress installations that allow user registrations.

Mitigation Recommendations

To mitigate CVE-2024-13656, organizations should immediately restrict subscriber-level user capabilities to minimize the risk of exploitation. Implement strict user role management and audit existing user accounts to remove unnecessary privileges. Disable or restrict AJAX endpoints related to theme option modifications if possible. Monitor site logs for unusual option deletion activities or AJAX requests from authenticated users. Since no official patch is currently available, consider temporarily switching to a different theme or applying custom code to enforce capability checks on the propanel_of_ajax_callback() function. Engage with MVPThemes for updates or security patches and apply them promptly once released. Additionally, maintain regular backups of the WordPress database and site files to enable quick restoration in case of successful exploitation. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting this vulnerability.
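The two code-level recommendations above (enforce a capability check in front of the theme's AJAX handler, and log option deletions) can be delivered as a must-use plugin while waiting for a vendor fix. The following is an added example written for this analysis, not code from MVPThemes or the Click Mag theme; the AJAX action name that routes to propanel_of_ajax_callback() is not on this page, so it is a placeholder you must read from the theme's own add_action( 'wp_ajax_...' ) registration.

```php
<?php
/**
 * Plugin Name: Click Mag theme-option AJAX guard (added example, not theme code)
 * Install as wp-content/mu-plugins/clickmag-guard.php; mu-plugins load before the theme.
 */

// PLACEHOLDER: replace with the wp_ajax_* action name the theme maps to propanel_of_ajax_callback().
const CLICKMAG_GUARD_ACTION = 'REPLACE_WITH_THEME_AJAX_ACTION';

/**
 * admin-ajax.php fires admin_init before dispatching any wp_ajax_{action} hook,
 * so a check here runs before the theme callback can touch the options table.
 * Theme options are administrator territory: require manage_options, not merely a login.
 */
function clickmag_guard_theme_option_ajax() {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( CLICKMAG_GUARD_ACTION !== $action ) {
        return; // Not the theme-options endpoint; leave other AJAX traffic alone.
    }
    if ( current_user_can( 'manage_options' ) ) {
        return; // Administrators keep normal access to the theme panel.
    }
    // Low-privilege user reached the options endpoint: record it and refuse.
    error_log( sprintf(
        'clickmag-guard: blocked action=%s user_id=%d ip=%s',
        $action,
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'admin_init', 'clickmag_guard_theme_option_ajax', 0 );

/**
 * Detection aid: WordPress fires the 'delete_option' action for every option removal.
 * Logging who deleted what gives the "unusual option deletion activity" signal the
 * mitigation section asks you to monitor, regardless of which code path did it.
 */
function clickmag_log_option_deletion( $option ) {
    error_log( sprintf(
        'clickmag-guard: delete_option option=%s user_id=%d ajax=%s',
        $option,
        get_current_user_id(),
        wp_doing_ajax() ? 'yes' : 'no'
    ) );
}
add_action( 'delete_option', 'clickmag_log_option_deletion' );
```

Deletions by user_id 0 are WP-Cron or unauthenticated paths; deletions by a subscriber-level user_id over AJAX are the pattern this CVE produces and are worth alerting on.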


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-01-23T16:28:38.872Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e65b7ef31ef0b59fef2

Added to database: 2/25/2026, 9:49:25 PM

Last enriched: 2/25/2026, 10:56:24 PM

Last updated: 2/26/2026, 7:21:05 AM

