CVE-2024-13420
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to reset and modify plugin/theme settings due to missing capability checks on AJAX actions. It affects multiple WordPress plugins and themes from Envato. Attackers can alter configuration settings without proper authorization.
💻 Affected Systems
- Beyot WordPress Real Estate Theme
- Other unspecified Envato WordPress plugins/themes
📦 What is this software?
- April by G5plus
- Auteur by G5plus
- Benaa by G5plus
- Beyot by G5plus
⚠️ Risk & Real-World Impact
Worst Case
Attackers could reset critical plugin settings, disable security features, or modify configuration to enable further attacks, potentially leading to site compromise or data exposure.
Likely Case
Unauthorized users modify theme/plugin settings, causing site functionality issues, broken layouts, or minor configuration changes that require administrative cleanup.
If Mitigated
With proper user role management and network segmentation, impact is limited to non-critical configuration changes that can be restored from backups.
🎯 Exploit Status
Exploitation requires authenticated access but uses simple AJAX requests. The vulnerability has been publicly disclosed with technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Latest versions of affected plugins/themes
Vendor Advisory: https://themeforest.net/item/beyot-wordpress-real-estate-theme/19514964
Restart Required: No
Instructions:
1. Update all affected WordPress plugins and themes to the latest versions.
2. Verify the patches are applied by checking version numbers.
3. Monitor Envato/developer communications for additional fixes.
🔧 Temporary Workarounds
Restrict User Registration
Disable new user registration, or limit it to trusted users only
WordPress Admin → Settings → General → Membership: Uncheck 'Anyone can register'
Remove Vulnerable Components
Temporarily disable or remove the affected plugins/themes until they are patched
WordPress Admin → Plugins → Deactivate vulnerable plugins
WordPress Admin → Appearance → Themes → Switch to default theme
🧯 If You Can't Patch
- Implement strict user role management and review all user accounts
- Monitor AJAX requests in WordPress logs for suspicious activity patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin for affected plugin/theme versions. Review user roles and capabilities.
Check Version:
WordPress Admin → Plugins/Themes → View version numbers
Verify Fix Applied:
Verify all plugins/themes are updated to latest versions. Test AJAX endpoints with Subscriber accounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests from non-admin users carrying gsf_* action parameters
- Multiple configuration reset events in short timeframes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameters like gsf_reset_section_options
SIEM Query:
source="wordpress.log" AND (action="gsf_reset_section_options" OR action="gsf_create_preset_options") AND user_role!="administrator"
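As an added example (not from the advisory or the affected themes), a small Python detector for the two log indicators above: it reads constructed JSON-lines audit records (the field names are an assumption, mirroring the SIEM query) and flags gsf_* actions issued by non-administrators as well as bursts of such actions from a single user.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions from the advisory's SIEM query; other gsf_* actions are treated the same way.
SENSITIVE_ACTIONS = {"gsf_reset_section_options", "gsf_create_preset_options"}
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)  # "multiple resets in a short timeframe"

# Constructed sample records (JSON lines); field names are assumed, mirroring the SIEM query.
SAMPLE_LOG = """\
{"ts": "2024-01-10T12:00:01Z", "user": "admin", "user_role": "administrator", "uri": "/wp-admin/admin-ajax.php", "action": "gsf_reset_section_options"}
{"ts": "2024-01-10T12:00:05Z", "user": "bob", "user_role": "subscriber", "uri": "/wp-admin/admin-ajax.php", "action": "heartbeat"}
{"ts": "2024-01-10T12:00:09Z", "user": "bob", "user_role": "subscriber", "uri": "/wp-admin/admin-ajax.php", "action": "gsf_reset_section_options"}
{"ts": "2024-01-10T12:00:20Z", "user": "bob", "user_role": "subscriber", "uri": "/wp-admin/admin-ajax.php", "action": "gsf_create_preset_options"}
{"ts": "2024-01-10T12:00:31Z", "user": "bob", "user_role": "subscriber", "uri": "/wp-admin/admin-ajax.php", "action": "gsf_reset_section_options"}
"""

def parse_records(text):
    records = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")  # to datetime
            records.append(rec)
    return records

def is_sensitive(rec):
    action = rec.get("action", "")
    return rec.get("uri", "").endswith("/admin-ajax.php") and (
        action in SENSITIVE_ACTIONS or action.startswith("gsf_"))

def find_unauthorized(records):
    """Sensitive actions invoked by any user who is not an administrator."""
    return [r for r in records if is_sensitive(r) and r.get("user_role") != "administrator"]

def find_bursts(records, count=BURST_COUNT, window=BURST_WINDOW):
    """Map user -> largest number of sensitive actions that fall inside one `window`."""
    per_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if is_sensitive(r):
            per_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, stamps in per_user.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:  # drop events outside the window
                start += 1
            if end - start + 1 >= count:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged
```

Because admin-ajax.php usually receives the action in the POST body, a plain web-server access log will not contain it; the records here assume an audit plugin or application log that records the action and the caller's role.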