CVE-2024-12920

8.8 HIGH

📋 TL;DR

This vulnerability in the FoodBakery WordPress theme allows authenticated users with Subscriber-level access or higher to perform administrative actions without proper authorization. Attackers can delete files, modify theme options, export/import widget settings, and manage backups. All WordPress sites using FoodBakery theme versions up to 4.7 are affected.

💻 Affected Systems

Products:
  • FoodBakery | Delivery Restaurant Directory WordPress Theme
Versions: All versions up to and including 4.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable in default WordPress installations where the theme is active. Requires at least Subscriber-level authenticated access.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site compromise including file deletion, theme option manipulation, backup restoration with malicious code, and potential privilege escalation leading to full administrative control.

🟠 Likely Case

Unauthorized theme option changes, widget configuration tampering, and backup file manipulation leading to site defacement or functionality disruption.

🟢 If Mitigated

Limited impact if proper user role management restricts Subscriber accounts and file permissions are properly configured.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access, but only Subscriber-level privileges are needed. Exploitation involves calling the vulnerable AJAX functions with crafted requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 4.7

Vendor Advisory: https://themeforest.net/item/food-bakery-restaurant-bakery-responsive-wordpress-theme/18970331

Restart Required: No

Instructions:

  1. Update the FoodBakery theme to the latest version (above 4.7).
  2. Check WordPress admin panel > Appearance > Themes.
  3. If no update is offered there, download the latest version from ThemeForest.
  4. Replace the theme files via FTP/SFTP if needed.

🔧 Temporary Workarounds

Restrict User Registration (WordPress)

Disable new user registration or require administrator approval to prevent attackers from obtaining Subscriber accounts.

WordPress Settings > General > Membership: uncheck 'Anyone can register'

Remove Vulnerable Functions (WordPress)

Temporarily disable the vulnerable AJAX functions by removing or commenting them out in the theme files. Edits made directly to theme files are overwritten by the next theme update, so treat this as a stopgap until the patched version is installed.

Locate and modify these functions in the theme's PHP files: foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, theme_option_rest_all

🧯 If You Can't Patch

  • Switch to a different WordPress theme immediately
  • Implement strict user role management and audit all Subscriber-level accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Appearance > Themes > FoodBakery theme details. If version is 4.7 or lower, you are vulnerable.

Check Version:

Check the WordPress admin panel, or inspect the theme's style.css file for its Version: header.

Verify Fix Applied:

After updating, verify theme version is above 4.7. Test if Subscriber users can access theme management functions.

📡 Detection & Monitoring

Log Indicators:

  • Unusual AJAX requests from Subscriber accounts to theme-specific endpoints
  • File deletion/modification events in theme directories from non-admin users
  • Theme option changes from low-privilege accounts

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action parameters matching vulnerable function names
  • Unusual backup file operations from authenticated sessions

SIEM Query:

source="wordpress" AND (uri_path="/wp-admin/admin-ajax.php") AND (http_method="POST") AND (user_role="subscriber" OR user_role="contributor" OR user_role="author") AND (action="foodbakery_var_backup_file_delete" OR action="foodbakery_widget_file_delete" OR action="theme_option_save" OR action="export_widget_settings" OR action="ajax_import_widget_data" OR action="foodbakery_var_settings_backup_generate" OR action="foodbakery_var_backup_file_restore" OR action="theme_option_rest_all")
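The same rule as the SIEM query above, applied to a few constructed log lines as an added example (not code from the advisory, the theme, or any SIEM vendor). The log line layout is hypothetical, and, like the query, the example assumes the admin-ajax.php action parameter carries the listed function names.

```python
import re
from urllib.parse import parse_qs, urlsplit
# The eight AJAX actions named in the advisory. Assumption (shared with the
# advisory's SIEM query): the admin-ajax "action" parameter uses these names.
VULNERABLE_ACTIONS = frozenset({
    "foodbakery_var_backup_file_delete", "foodbakery_widget_file_delete",
    "theme_option_save", "export_widget_settings", "ajax_import_widget_data",
    "foodbakery_var_settings_backup_generate",
    "foodbakery_var_backup_file_restore", "theme_option_rest_all"})
LOW_PRIV_ROLES = frozenset({"subscriber", "contributor", "author"})

# Constructed, hypothetical log layout used only for this example:
#   <timestamp> <client_ip> role=<wp_role> <METHOD> <path?query> [body=<form>]
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) role=(?P<role>\S+) "
                    r"(?P<method>[A-Z]+) (?P<url>\S+)(?: body=(?P<body>\S*))?$")

def parse_line(line):
    """Return one event as a dict, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    parts = urlsplit(ev["url"])
    ev["path"] = parts.path
    # admin-ajax.php accepts "action" in the query string or the form body;
    # the body is merged last, so it wins when both carry an action.
    params = parse_qs(parts.query)
    params.update(parse_qs(ev["body"] or ""))
    ev["action"] = params.get("action", [None])[0]
    return ev

def is_suspicious(ev):
    """The advisory's rule: POST to admin-ajax.php, low-privilege role, listed action."""
    return (ev["method"] == "POST"
            and ev["path"].endswith("/wp-admin/admin-ajax.php")
            and ev["role"].lower() in LOW_PRIV_ROLES
            and ev["action"] in VULNERABLE_ACTIONS)

def scan(lines):
    """Return (timestamp, ip, role, action) for every suspicious event."""
    return [(e["ts"], e["ip"], e["role"], e["action"])
            for e in map(parse_line, lines) if e and is_suspicious(e)]

# Constructed sample log: the subscriber and author POSTs are the two hits;
# the administrator POST and the contributor GET are not flagged.
SAMPLE_LOG = """\
2024-12-20T10:01:02Z 203.0.113.5 role=subscriber POST /wp-admin/admin-ajax.php body=action=theme_option_save&opt=x
2024-12-20T10:02:30Z 198.51.100.7 role=administrator POST /wp-admin/admin-ajax.php body=action=foodbakery_var_backup_file_restore&file=b.json
2024-12-20T10:03:00Z 203.0.113.9 role=contributor GET /wp-admin/admin-ajax.php?action=export_widget_settings
2024-12-20T10:04:15Z 203.0.113.9 role=author POST /wp-admin/admin-ajax.php body=action=foodbakery_widget_file_delete&file=w.json
"""
```

Running `scan(SAMPLE_LOG.splitlines())` returns the two low-privilege POSTs; a real deployment would replace LOG_RE with the parser for the site's actual access-log and role-attribution format.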
