CVE-2024-13370
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to update arbitrary plugin options, including setting valid license keys. Attackers can exploit this to potentially activate premium features without authorization. All WordPress sites running Youzify plugin versions up to and including 1.3.2 are affected.
💻 Affected Systems
- Youzify – BuddyPress Community, User Profile, Social Network & Membership Plugin for WordPress
📦 What is this software?
Youzify by Kainelabs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could activate premium features, modify critical plugin settings, or potentially chain with other vulnerabilities for further compromise.
Likely Case
Unauthorized activation of premium features, license key manipulation, or modification of plugin configuration settings.
If Mitigated
Limited impact if proper access controls and monitoring are in place, though unauthorized license activation remains possible.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authenticated. The vulnerability is in a publicly accessible admin function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3159998/youzify/tags/1.3.3/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Youzify plugin and click 'Update Now'.
4. Verify that the update to version 1.3.3 or higher succeeded.
🔧 Temporary Workarounds
Restrict User Registration
Temporarily disable new user registration to prevent new attacker accounts.
Navigate to Settings → General in WordPress admin and uncheck 'Anyone can register'
Remove Vulnerable Plugin
Temporarily deactivate the Youzify plugin until patched.
Navigate to Plugins → Installed Plugins in WordPress admin, find Youzify, and click 'Deactivate'
🧯 If You Can't Patch
- Implement strict access controls and monitor user activity logs for suspicious license-related actions.
- Apply web application firewall rules to block requests to the vulnerable save_addon_key_license() function.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for Youzify version. If version is 1.3.2 or lower, you are vulnerable.
Check Version:
wp plugin list --name=youzify --field=version
Verify Fix Applied:
After updating, verify Youzify version shows 1.3.3 or higher in WordPress admin plugins list.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=youzify_save_addon_key_license
- Unusual license activation events from non-admin users
Network Indicators:
- HTTP POST requests containing the 'youzify_save_addon_key_license' action parameter that originate from sessions or IP addresses not associated with administrator accounts
SIEM Query:
source="wordpress.log" AND "youzify_save_addon_key_license" AND user_role!="administrator"
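As an added example (not part of this advisory), the log indicators and SIEM query above expressed as a small Python check over constructed access-log lines. The log format (combined format with the WordPress login in the auth field), the user-role map and the sample lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format; the request line is captured whole and split below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "youzify_save_addon_key_license"
# Assumed role map (e.g. exported from wp_usermeta); the log's auth field is
# assumed to carry the WordPress login of the authenticated user.
USER_ROLES = {"admin": "administrator", "eve": "subscriber", "bob": "editor"}

# Constructed sample lines. The action sits in the query string because that is
# all an access log sees; body-only POSTs need a source that records parameters.
SAMPLE_LOG = """\
203.0.113.10 - eve [12/Jan/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=youzify_save_addon_key_license HTTP/1.1" 200 45 "-" "Mozilla/5.0"
198.51.100.7 - admin [12/Jan/2025:10:05:00 +0000] "POST /wp-admin/admin-ajax.php?action=youzify_save_addon_key_license HTTP/1.1" 200 45 "-" "Mozilla/5.0"
203.0.113.10 - eve [12/Jan/2025:10:06:30 +0000] "GET /members/eve/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
203.0.113.11 - bob [12/Jan/2025:10:07:12 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return a dict with ip, user, ts, method, path, params, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def is_suspicious(rec, roles):
    """True for a POST to admin-ajax.php with the vulnerable action by a non-admin."""
    if rec["method"] != "POST" or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return False
    if rec["params"].get("action") != VULN_ACTION:
        return False
    # Unknown logins count as non-admin so a gap in the role map cannot hide a hit.
    return roles.get(rec["user"], "unknown") != "administrator"

def find_hits(log_text, roles=USER_ROLES):
    """Return (timestamp, ip, login, role) for every line matching the indicators."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious(rec, roles):
            hits.append((rec["ts"], rec["ip"], rec["user"], roles.get(rec["user"], "unknown")))
    return hits
```

Running `find_hits(SAMPLE_LOG)` flags only the subscriber's call; the administrator's identical request and the unrelated AJAX traffic are ignored.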