CVE-2024-13693

5.3 MEDIUM

📋 TL;DR

The Enfold WordPress theme has an authorization bypass vulnerability that allows unauthenticated attackers to export all theme settings. This can expose sensitive API keys and tokens stored in the theme configuration. All WordPress sites using Enfold theme versions up to 6.0.9 are affected.

💻 Affected Systems

Products:
  • Enfold WordPress Theme
Versions: All versions up to and including 6.0.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists regardless of WordPress configuration; only sites without any sensitive API keys in Enfold settings avoid data exposure.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers obtain Mailchimp API keys, reCAPTCHA secrets, Envato tokens, and other sensitive credentials, leading to account compromise, spam campaigns, or unauthorized access to third-party services.

🟠 Likely Case

Attackers harvest API keys and tokens for credential stuffing, account takeover, or selling on dark web markets.

🟢 If Mitigated

No sensitive data exposure if no API keys were configured in Enfold settings, though attackers could still map site configuration.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request to vulnerable endpoint; no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.0 or later

Vendor Advisory: https://themeforest.net/item/enfold-responsive-multipurpose-theme/4519990#item-description__changelog

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Appearance > Themes.
3. Click 'Update Now' on the Enfold theme.
4. Verify the theme version is 6.1.0 or higher.

🔧 Temporary Workarounds

Disable Enfold Export Functionality (Linux)

Remove or rename the vulnerable avia-export-class.php file to prevent exploitation. Note that this also disables the theme's own settings export for administrators until the file is restored or the theme is updated:

mv /path/to/wp-content/themes/enfold/avia-export-class.php /path/to/wp-content/themes/enfold/avia-export-class.php.disabled

🧯 If You Can't Patch

  • Remove all sensitive API keys from Enfold theme settings immediately
  • Implement web application firewall (WAF) rules to block requests to /wp-content/themes/enfold/avia-export-class.php

🔍 How to Verify

Check if Vulnerable:

Check the WordPress admin panel > Appearance > Themes > Enfold details for the version number. If the version is 6.0.9 or lower, the site is vulnerable.

Check Version:

grep -r 'Version:' /path/to/wp-content/themes/enfold/style.css

Verify Fix Applied:

Confirm theme version is 6.1.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to /wp-content/themes/enfold/avia-export-class.php
  • Unusual export requests from unauthenticated users

Network Indicators:

  • Outbound connections to Mailchimp/Envato/reCAPTCHA APIs from unexpected sources

SIEM Query:

source="web_server" AND uri_path="/wp-content/themes/enfold/avia-export-class.php" AND status_code=200

A 200 response to the export endpoint indicates a successful export; a 403 (WAF block) or 404 (file renamed) indicates the request was stopped.
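The log indicators above, applied to raw web server access logs as an added example (not part of the original advisory): it parses combined-format lines, picks out requests whose path is the export endpoint regardless of query string, and reports per source IP how many requests were made and how many returned 200. The log lines are constructed samples, not real traffic.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /wp-content/themes/enfold/avia-export-class.php HTTP/1.1" 200 8421 "-" "curl/8.4.0"
198.51.100.3 - - [12/Mar/2025:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "GET /wp-content/themes/enfold/avia-export-class.php?x=1 HTTP/1.1" 200 8421 "-" "curl/8.4.0"
192.0.2.9 - - [12/Mar/2025:10:02:00 +0000] "POST /wp-content/themes/enfold/avia-export-class.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
"""

EXPORT_PATH = "/wp-content/themes/enfold/avia-export-class.php"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["uri"].split("?", 1)[0]  # drop the query string before comparing
    return rec


def find_export_hits(log_text):
    """Return every parsed request whose path is the Enfold export endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == EXPORT_PATH:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Aggregate hits per client IP: total requests, how many returned 200, user agents seen."""
    summary = defaultdict(lambda: {"requests": 0, "succeeded": 0, "agents": set()})
    for h in hits:
        s = summary[h["ip"]]
        s["requests"] += 1
        s["succeeded"] += int(h["status"] == 200)
        s["agents"].add(h["ua"])
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_by_source(find_export_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} request(s), {s['succeeded']} returned 200, agents={sorted(s['agents'])}")
```

Any source with a non-zero "returned 200" count obtained the settings export and its stored API keys should be treated as exposed and rotated.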
