CVE-2024-13772 is a medium-severity authentication bypass vulnerability affecting the uxper Civi - Job Board & Freelance Marketplace WordPress theme in all versions up to 2.1.6.1. The vulnerability arises from a lack of proper password randomization and inadequate user validation in the theme's AJAX login or registration endpoints, specifically fb_ajax_login_or_register and google_ajax_login_or_register. These endpoints fail to enforce sufficient authentication checks, allowing an attacker who knows a valid user's email address to bypass normal login procedures and gain unauthorized access to that user's account. This is classified under CWE-288, which involves authentication bypass using alternate paths or channels. The vulnerability does not require user interaction but has a high attack complexity, as the attacker must correctly exploit the flawed login mechanism. The impact includes potential unauthorized access leading to confidentiality breaches, integrity violations through unauthorized actions, and availability concerns if attackers disrupt services. No patches or official fixes are currently linked, and no exploits have been observed in the wild, indicating the window for proactive mitigation is still open. The vulnerability affects all installations of the uxper Civi theme up to version 2.1.6.1, which is commonly used in WordPress-based job board and freelance marketplace websites.

This vulnerability allows attackers to impersonate any user on affected WordPress sites by bypassing authentication controls, provided they know the user's email address. This can lead to unauthorized access to sensitive user data, modification or deletion of content, and potential privilege escalation if administrative accounts are compromised. For organizations running job board or freelance marketplace platforms, this could result in data breaches involving personal and financial information, loss of user trust, and reputational damage. Additionally, attackers could manipulate listings, post fraudulent jobs or offers, or disrupt platform availability. The medium CVSS score reflects moderate impact due to the requirement of knowing valid emails and the high attack complexity, but the scope is significant given the widespread use of WordPress and the theme's niche. The lack of user interaction needed increases the risk of automated attacks targeting user accounts en masse.

Organizations should immediately verify if they are using the uxper Civi - Job Board & Freelance Marketplace WordPress theme at or below version 2.1.6.1 and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should disable or restrict access to the vulnerable AJAX login endpoints (fb_ajax_login_or_register and google_ajax_login_or_register) via web application firewall (WAF) rules or server-level access controls. Implementing multi-factor authentication (MFA) for all user accounts can reduce the risk of unauthorized access even if credentials are bypassed. Monitoring logs for unusual login activity, especially from unknown IPs or multiple failed attempts, can help detect exploitation attempts. Additionally, limiting exposure by restricting user enumeration and ensuring email addresses are not publicly accessible can reduce attacker knowledge. Regular backups and incident response plans should be updated to prepare for potential compromise. Finally, contacting the theme vendor for updates and subscribing to security advisories is recommended.