CVE-2024-13656
📋 TL;DR
This vulnerability in the Click Mag WordPress theme allows authenticated attackers with subscriber-level access or higher to delete arbitrary WordPress option values, potentially causing site errors and denial of service. It affects all versions up to and including 3.6.0 due to a missing capability check in the propanel_of_ajax_callback() function.
💻 Affected Systems
- Click Mag - Viral WordPress News Magazine/Blog Theme
📦 What is this software?
Click Mag by Mvpthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers delete critical WordPress options (e.g., siteurl, home) or theme settings, causing the site to crash or become inaccessible, leading to extended downtime and data loss.
Likely Case
Attackers delete non-critical options, causing minor site errors or functionality breaks, but may escalate to denial of service if key options are targeted.
If Mitigated
With proper access controls (e.g., least privilege) and monitoring, impact is limited to minor disruptions, as attacks are logged and can be quickly reverted.
🎯 Exploit Status
Exploitation requires authenticated access (subscriber or higher) and knowledge of WordPress AJAX endpoints, but no advanced skills are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 3.6.0 (check theme updates for exact version)
Vendor Advisory: https://themeforest.net/item/click-mag-viral-wordpress-news-magazineblog-theme/18081003
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Find the Click Mag theme and check for updates.
4. If an update is available, click 'Update Now'.
5. Verify the theme version is above 3.6.0.
🔧 Temporary Workarounds
Restrict User Capabilities
Prevent subscriber-level and higher roles from reaching theme-specific AJAX functions by modifying user roles or using security plugins.
Use a plugin like 'User Role Editor' to remove unnecessary capabilities from subscriber roles.
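For theme maintainers, the following is an added illustrative example (not the theme's actual code) of an admin-ajax handler that deletes an option with the checks the advisory says were missing: a capability check, a nonce check, and an allow-list of option names. The hook name, nonce action and allowed option names are assumptions.

```php
<?php
// Illustrative example only; hook name, nonce action and allow-list are assumptions.
add_action( 'wp_ajax_example_delete_option', 'example_delete_option_callback' );

function example_delete_option_callback() {
    // 1. Capability check. Without it, any logged-in user (subscriber and up)
    //    who can reach admin-ajax.php would get past this point.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 2. Nonce check, so the request must originate from the theme's own
    //    admin page rather than a cross-site request.
    check_ajax_referer( 'example_delete_option_nonce', 'nonce' );

    // 3. Allow-list the option names this handler may touch; never delete an
    //    arbitrary caller-supplied key such as 'siteurl' or 'home'.
    $allowed = array( 'example_theme_layout', 'example_theme_colors' );
    $name    = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'option not permitted' ), 400 );
    }

    // Only a privileged, nonce-verified request naming an allowed option gets here.
    $deleted = delete_option( $name );
    wp_send_json_success( array( 'option' => $name, 'deleted' => $deleted ) );
}
```

Registering the handler only under wp_ajax_ (and not wp_ajax_nopriv_) keeps unauthenticated callers out, but as the advisory shows, that alone does not stop low-privilege authenticated users.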
🧯 If You Can't Patch
- Deactivate the Click Mag theme and switch to a secure alternative until patched.
- Implement strict access controls and monitor for suspicious activity, such as unexpected option deletions in WordPress logs.
🔍 How to Verify
Check if Vulnerable:
Check the theme version in WordPress admin under Appearance > Themes; if Click Mag is version 3.6.0 or lower, it is vulnerable.
Check Version:
With WP-CLI, use: wp theme list --fields=name,version | grep -i click (the name column shows the theme's directory slug, so match case-insensitively)
Verify Fix Applied:
After updating, confirm the theme version is above 3.6.0 in the same location and test site functionality for errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to theme-specific endpoints (e.g., propanel_of_ajax_callback) from subscriber accounts, followed by option deletion logs in WordPress debug or error logs.
Network Indicators:
- HTTP POST requests to /wp-admin/admin-ajax.php with action parameters related to the theme, made from sessions belonging to non-administrator accounts.
SIEM Query:
Example: source="wordpress_logs" AND (message="*propanel_of_ajax_callback*" OR message="*delete_option*") AND user_role="subscriber"