CVE-2024-12113

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to delete other users' reviews in the Youzify plugin. It affects all WordPress sites running Youzify plugin versions up to and including 1.3.2. The issue stems from missing capability checks in the delete_user_review() and delete_review() functions.

💻 Affected Systems

Products:
  • Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
Versions: All versions up to and including 1.3.2
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with Youzify plugin enabled and user registration functionality active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious users could systematically delete all user reviews, damaging community trust and content integrity, potentially leading to business impact for review-dependent sites.

🟠 Likely Case

Individual users deleting reviews they disagree with or targeting specific users' content, causing content loss and user frustration.

🟢 If Mitigated

Limited to authenticated users only, with no data exfiltration or privilege escalation possible.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once authenticated. The vulnerability is publicly disclosed with technical details available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.3 or later

Vendor Advisory: https://wordpress.org/plugins/youzify/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Youzify plugin and click 'Update Now'.
4. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable User Registration (applies to: all)

Prevent new user accounts from being created to limit potential attackers.

Navigate to WordPress Settings → General → Membership: Uncheck 'Anyone can register'

Disable Youzify Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patched.

Navigate to WordPress Plugins → Installed Plugins → Youzify → Deactivate

🧯 If You Can't Patch

  • Restrict user registration to trusted individuals only using manual approval workflows.
  • Implement regular backups of WordPress database to restore deleted reviews if needed.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins → Youzify version. If version is 1.3.2 or lower, you are vulnerable.

Check Version:

wp plugin list --name=youzify --field=version

Verify Fix Applied:

After updating, verify Youzify plugin version shows 1.3.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual frequency of review deletion actions in WordPress logs
  • User accounts with Subscriber role performing delete_review operations

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action parameters containing 'delete_review' or 'delete_user_review'

SIEM Query:

source="wordpress.log" AND (action="delete_review" OR action="delete_user_review") | stats count by user
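As an added example that is not part of this advisory, the log and SIEM indicators above turned into detection code run over constructed sample log lines. The key=value line format and its field names (user, role, action, review, owner) are assumptions made for the example, not Youzify's or WordPress's actual logging; adapt the regex to whatever your logger emits. It goes a step beyond the SIEM query: besides counting delete_review and delete_user_review actions per user, it flags only low-privilege roles deleting reviews owned by someone else, so a user removing their own review is not reported.

```python
import re
from collections import Counter

# Constructed sample log lines in an assumed key=value application-log format.
# Lines for non-delete actions carry no review/owner fields.
SAMPLE_LOG = """\
2024-12-01T10:00:01Z user=alice role=subscriber action=delete_review review=17 owner=bob
2024-12-01T10:00:03Z user=alice role=subscriber action=delete_review review=18 owner=carol
2024-12-01T10:00:05Z user=alice role=subscriber action=delete_user_review review=19 owner=bob
2024-12-01T10:01:00Z user=bob role=administrator action=delete_review review=20 owner=carol
2024-12-01T10:02:00Z user=carol role=subscriber action=view_profile
2024-12-01T10:03:00Z user=dave role=contributor action=delete_review review=21 owner=dave
2024-12-01T10:04:00Z user=eve role=subscriber action=delete_user_review review=22 owner=alice
this line is garbage and must be skipped
"""

# Assumed line layout; the optional tail matches the review/owner fields on delete events.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+)"
    r"(?: review=(?P<review>\d+) owner=(?P<owner>\S+))?"
)

# The two AJAX actions named in the advisory's indicators.
DELETE_ACTIONS = {"delete_review", "delete_user_review"}

# Roles that should never be able to remove another user's review.
LOW_PRIV_ROLES = {"subscriber", "contributor", "author"}


def parse_lines(text):
    """Yield one event dict per line that matches the assumed format; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def count_deletes_by_user(text):
    """Equivalent of the SIEM query above: count delete_* actions per user."""
    counts = Counter()
    for ev in parse_lines(text):
        if ev["action"] in DELETE_ACTIONS:
            counts[ev["user"]] += 1
    return counts


def flag_cross_user_deletes(text, min_count=1):
    """Return [(user, role, n)] for low-privilege users who deleted reviews owned by
    someone else at least min_count times, most active first."""
    hits = Counter()
    roles = {}
    for ev in parse_lines(text):
        if ev["action"] not in DELETE_ACTIONS or ev["role"] not in LOW_PRIV_ROLES:
            continue
        # Deleting one's own review (or an event with no owner field) is not the abuse pattern.
        if ev["owner"] is None or ev["owner"] == ev["user"]:
            continue
        hits[ev["user"]] += 1
        roles[ev["user"]] = ev["role"]
    flagged = [(u, roles[u], n) for u, n in hits.items() if n >= min_count]
    return sorted(flagged, key=lambda t: (-t[2], t[0]))


if __name__ == "__main__":
    print("deletes per user:", dict(count_deletes_by_user(SAMPLE_LOG)))
    for user, role, n in flag_cross_user_deletes(SAMPLE_LOG):
        print(f"ALERT: {user} ({role}) deleted {n} review(s) owned by other users")
```

On the sample data the per-user count mirrors the SIEM query (the administrator's deletion is included), while the flagging function reports only alice and eve: bob is an administrator and dave removed his own review. Raise min_count to suppress single-event noise once the plugin is patched and the remaining hits are legitimate self-deletions logged without an owner field.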
