CVE-2024-13693 is a vulnerability categorized under CWE-284 (Improper Access Control) found in the Enfold - Responsive Multi-Purpose Theme for WordPress. The flaw exists in the avia-export-class.php file where a missing capability check allows unauthenticated attackers to export all avia settings. These settings may contain sensitive credentials such as Mailchimp API keys, reCAPTCHA secret keys, and Envato private tokens if configured by the site administrator. The vulnerability affects all versions of the theme up to and including version 6.0.9. The attack vector is network-based (remote), requiring no privileges or user interaction, making it straightforward to exploit. The vulnerability impacts confidentiality by exposing sensitive configuration data but does not affect integrity or availability of the system. No patches are currently linked, and no known exploits have been observed in the wild as of the publication date. This vulnerability is significant because it exposes critical API keys and tokens that could be leveraged for further attacks such as spam campaigns, bypassing CAPTCHA protections, or unauthorized purchases/downloads via Envato tokens. The CVSS v3.1 score of 5.3 reflects a medium severity due to the ease of exploitation and the sensitivity of the leaked data.

The primary impact of CVE-2024-13693 is the unauthorized disclosure of sensitive configuration data, which can lead to further compromise of an organization's security posture. Exposure of Mailchimp API keys can allow attackers to manipulate email marketing campaigns, potentially sending phishing or spam emails from trusted sources. Disclosure of reCAPTCHA secret keys can enable attackers to bypass CAPTCHA protections, facilitating automated attacks such as credential stuffing or brute force attempts. Exposure of Envato private tokens can lead to unauthorized access to premium assets or services, causing financial or reputational damage. Although the vulnerability does not directly affect system integrity or availability, the confidentiality breach can be leveraged for lateral movement or escalation within the victim's environment. Organizations worldwide using the Enfold theme on WordPress sites, particularly those handling sensitive customer data or relying on the exposed services, face increased risk. The ease of exploitation without authentication increases the likelihood of opportunistic attacks, especially in environments with publicly accessible WordPress installations.

To mitigate CVE-2024-13693, organizations should immediately audit their WordPress sites using the Enfold theme to determine if they are running affected versions (up to 6.0.9). Until an official patch is released, administrators should restrict access to the avia-export-class.php functionality by implementing web application firewall (WAF) rules that block unauthenticated requests to export endpoints. Additionally, sensitive API keys and tokens stored in theme settings should be rotated or revoked to prevent misuse. Monitoring web server logs for unusual export attempts or suspicious access patterns can help detect exploitation attempts early. It is also advisable to minimize the exposure of WordPress admin or theme export functionalities to the public internet by limiting access to trusted IP addresses or requiring authentication where possible. Once a patch or update is available from the vendor, promptly apply it to close the vulnerability. Regularly reviewing and hardening WordPress theme and plugin configurations can reduce the risk of similar access control issues in the future.