CVE-2024-13684

8.1 HIGH

📋 TL;DR

The Reset plugin for WordPress has a CSRF vulnerability that allows unauthenticated attackers to trick administrators into clicking malicious links that reset database tables. This affects all WordPress sites using Reset plugin versions 1.6 and earlier. Attackers can delete comments, themes, plugins, and other critical data without authentication.

💻 Affected Systems

Products:
  • WordPress Reset Plugin
Versions: All versions up to and including 1.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the Reset plugin active. Requires an administrator to interact with a malicious link.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete data loss including comments, themes, plugins, and other WordPress database tables, potentially causing site downtime and requiring full restoration from backups.

🟠 Likely Case

Partial data loss where attackers reset specific tables like comments or plugins, disrupting site functionality and user experience.

🟢 If Mitigated

No impact if proper CSRF protections are in place or if administrators don't click malicious links.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick administrators into clicking malicious links. No authentication required for the reset action itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.6

Vendor Advisory: https://plugins.trac.wordpress.org/browser/reset

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Reset' plugin
4. Click 'Update Now' if available
5. If no update available, deactivate and delete the plugin
6. Check for updated version in WordPress plugin repository

🔧 Temporary Workarounds

Disable Reset Plugin
Applies to: all

Temporarily disable the vulnerable plugin until a patched version is available:

wp plugin deactivate reset

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent CSRF attacks
  • Use WordPress security plugins that add CSRF protection layer

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → Installed Plugins for 'Reset' plugin version 1.6 or earlier

Check Version:

wp plugin list --name=reset --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.6 or plugin is completely removed

📡 Detection & Monitoring

Log Indicators:

  • Unusual database table truncation/reset operations
  • Multiple DELETE operations on wp_comments, wp_options tables

Network Indicators:

  • POST requests to /wp-admin/admin-post.php carrying the reset_db_page action without a valid nonce

SIEM Query:

source="wordpress.log" AND ("reset_db_page" OR "truncate table" OR "DELETE FROM wp_")
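The network indicator above (a reset_db_page request to admin-post.php with no nonce) can be checked offline against web-server access logs. The script below is an added example written for this advisory; it is not code from the page, the Reset plugin, or WordPress. It assumes Apache/nginx "combined" log format, that the action and nonce travel in the query string (POST bodies are not written to access logs), that the nonce uses WordPress's default `_wpnonce` field name, and that the protected site's origin is `https://example.com`. It flags any method, not only POST, because a reset triggered by clicking a link would arrive as a GET. The log lines are constructed samples, not real traffic.

```python
"""Flag Reset-plugin requests that look like forged (CSRF) submissions.

Added example for this advisory; not code from the plugin or WordPress.
Assumptions: combined access-log format, action/nonce in the query string,
WordPress's default `_wpnonce` parameter name, site origin https://example.com.
"""
import re
from urllib.parse import parse_qs, urlsplit

SITE_ORIGIN = "https://example.com"  # assumed origin of the protected site
RESET_PATH = "/wp-admin/admin-post.php"
RESET_ACTION = "reset_db_page"

# host ident user [time] "method target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def analyze(line):
    """Return the reasons a line looks like a forged reset request ([] if benign).

    Two weak signals are combined: the nonce parameter is absent, and/or the
    Referer is empty or from another origin.  A logged nonce is only evidence
    that one was sent; whether it was valid is known only to the application.
    """
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line; not this tool's job
    parts = urlsplit(m["target"])
    if parts.path != RESET_PATH:
        return []
    query = parse_qs(parts.query)
    if query.get("action", [None])[0] != RESET_ACTION:
        return []
    reasons = []
    if "_wpnonce" not in query:
        reasons.append("missing _wpnonce")
    referer = m["referer"]
    # "-" means no Referer header; a strict Referrer-Policy can also cause this
    # on legitimate requests, so treat it as corroboration rather than proof.
    if referer == "-" or not referer.startswith(SITE_ORIGIN + "/"):
        reasons.append(f"referer {referer!r} not from site origin")
    return reasons


def scan(lines):
    """Return (client_ip, timestamp, method, reasons) for every suspicious line."""
    hits = []
    for line in lines:
        reasons = analyze(line)
        if reasons:
            m = LOG_RE.match(line)
            hits.append((m["ip"], m["time"], m["method"], reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    # Legitimate admin use: nonce present, same-origin Referer.
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-post.php'
    '?action=reset_db_page&_wpnonce=a1b2c3d4e5 HTTP/1.1" 302 0 '
    '"https://example.com/wp-admin/tools.php?page=reset" "Mozilla/5.0"',
    # Unrelated admin request.
    '203.0.113.5 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-admin/index.php HTTP/1.1" '
    '200 5120 "https://example.com/wp-admin/" "Mozilla/5.0"',
    # Cross-site submission: no nonce, Referer from a third-party origin.
    '198.51.100.7 - - [10/Jan/2025:10:05:42 +0000] "POST /wp-admin/admin-post.php'
    '?action=reset_db_page HTTP/1.1" 302 0 "https://third-party.invalid/" "Mozilla/5.0"',
    # Nonce present but no Referer at all: worth a look, weaker signal.
    '198.51.100.9 - - [10/Jan/2025:10:07:13 +0000] "GET /wp-admin/admin-post.php'
    '?action=reset_db_page&_wpnonce=ffffffffff HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, method, reasons in scan(SAMPLE_LOG):
        print(f"{when} {ip} {method}: {'; '.join(reasons)}")
```

Running it on the sample lines reports the third and fourth entries and leaves the first two alone. To use it on a real server, replace `SAMPLE_LOG` with the lines of the access log and set `SITE_ORIGIN` to the site's own origin; a hit with both reasons is the pattern worth escalating, a Referer-only hit should be correlated with the database indicators listed above before acting on it.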
