CVE-2024-13554

5.3 MEDIUM

📋 TL;DR

The WP Extended WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to reorder posts. It affects every WordPress site running WP Extended versions up to and including 3.0.13: the reorder function can be called without any authentication.

💻 Affected Systems

Products:
  • The Ultimate WordPress Toolkit - WP Extended
Versions: All versions up to and including 3.0.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with vulnerable plugin versions installed and activated.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could disrupt website content organization, manipulate featured content order, or combine with other vulnerabilities for more severe attacks.

🟠 Likely Case

Unauthenticated attackers reorder posts to disrupt website content flow, potentially affecting user experience or business operations.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to minor content manipulation that can be quickly detected and reverted.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Direct API call to vulnerable function without authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.14 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3233951%40wpextended&new=3233951%40wpextended&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'The Ultimate WordPress Toolkit - WP Extended'.
4. Click 'Update Now' if available, or download version 3.0.14+ from the WordPress repository.
5. Activate the updated plugin.

🔧 Temporary Workarounds

Disable vulnerable plugin

Platforms: all

Temporarily deactivate the WP Extended plugin until the patched version can be installed.

wp plugin deactivate wpextended

Restrict API access

Platforms: all

Use a web application firewall to block unauthenticated access to the plugin's API endpoints.

🧯 If You Can't Patch

  • Disable the WP Extended plugin completely
  • Implement strict network access controls to limit who can reach the WordPress admin interface

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin > Plugins > Installed Plugins for WP Extended version 3.0.13 or earlier.

Check Version:

wp plugin get wpextended --field=version

Verify Fix Applied:

Verify plugin version is 3.0.14 or later in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /wp-json/wpextended/v1/reorder
  • Multiple post order changes from single IP
  • 403 errors followed by successful reorder requests

Network Indicators:

  • HTTP POST requests to reorder endpoint without authentication headers
  • Unusual traffic patterns to WordPress REST API endpoints

SIEM Query:

source="wordpress" AND (uri_path="/wp-json/wpextended/v1/reorder" OR plugin="wpextended") AND http_method="POST" AND NOT user_agent="WordPress/*"
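The log indicators above, turned into a small detector run over constructed sample lines. This is an added example, not part of the advisory or the plugin: the one-JSON-object-per-line log format (fields ip, method, path, status, user) and the burst threshold are assumptions; only the endpoint path comes from the page.

```python
"""Flag reorder-endpoint activity matching the advisory's log indicators.
Assumed log format: one JSON object per line with ip, method, path, status
and user (empty string = unauthenticated request)."""
import json
from collections import defaultdict

REORDER_PATH = "/wp-json/wpextended/v1/reorder"  # endpoint named in the advisory
BURST_THRESHOLD = 3  # assumed: this many reorder POSTs from one IP counts as a burst

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = """
{"ip": "203.0.113.5", "method": "POST", "path": "/wp-json/wpextended/v1/reorder", "status": 403, "user": ""}
{"ip": "203.0.113.5", "method": "POST", "path": "/wp-json/wpextended/v1/reorder", "status": 200, "user": ""}
{"ip": "203.0.113.5", "method": "POST", "path": "/wp-json/wpextended/v1/reorder", "status": 200, "user": ""}
{"ip": "203.0.113.5", "method": "POST", "path": "/wp-json/wpextended/v1/reorder", "status": 200, "user": ""}
{"ip": "198.51.100.7", "method": "POST", "path": "/wp-json/wpextended/v1/reorder", "status": 200, "user": "editor"}
{"ip": "198.51.100.9", "method": "GET", "path": "/wp-json/wp/v2/posts", "status": 200, "user": ""}
"""


def analyze(log_text):
    """Return findings keyed by source IP: request count and which indicators fired."""
    per_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        entry = json.loads(line)
        if entry["method"] == "POST" and entry["path"] == REORDER_PATH:
            per_ip[entry["ip"]].append(entry)

    findings = {}
    for ip, entries in per_ip.items():
        statuses = [e["status"] for e in entries]
        unauth_success = any(e["status"] == 200 and not e["user"] for e in entries)
        # A 403 followed later by a 200 from the same IP (indicator 3 above).
        denied_then_ok = any(
            statuses[i] == 403 and 200 in statuses[i + 1:] for i in range(len(statuses))
        )
        flags = []
        if unauth_success:
            flags.append("unauthenticated_reorder")
        if len(entries) >= BURST_THRESHOLD:
            flags.append("reorder_burst")
        if denied_then_ok:
            flags.append("403_then_success")
        if flags:
            findings[ip] = {"count": len(entries), "flags": flags}
    return findings


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(ip, finding)
```

Authenticated editor activity (198.51.100.7) and unrelated REST traffic produce no finding, so the output is limited to the IP exhibiting the advisory's indicators.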
