CVE-2024-13801
📋 TL;DR
The BWL Advanced FAQ Manager WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to modify WordPress option values. This can be exploited to cause denial of service by setting options that trigger errors or enable features like user registration. All WordPress sites using this plugin up to version 2.1.4 are affected.
💻 Affected Systems
- BWL Advanced FAQ Manager WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could disable the entire WordPress site by setting critical options to values that cause fatal errors, resulting in complete denial of service for all legitimate users.
Likely Case
Attackers with subscriber accounts could cause site errors or enable unwanted features like open registration, disrupting normal operations.
If Mitigated
With proper access controls and monitoring, impact is limited to minor configuration changes that can be quickly reverted.
🎯 Exploit Status
Exploitation requires authenticated access but only at the low-privilege Subscriber level. Attackers need to understand WordPress AJAX actions and option manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.1.5 or later
Vendor Advisory: https://codecanyon.net/item/bwl-advanced-faq-manager/5007135
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'BWL Advanced FAQ Manager'.
4. Click 'Update Now' if available, or download version 2.1.5+ from the vendor.
5. Replace the plugin files with the patched version.
6. No restart required.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Remove or restrict access to the 'baf_set_notice_status' AJAX action.
Add to the theme's functions.php or a custom plugin. The second argument of remove_action() must be the exact callback the plugin registers for these hooks, and the removal must run after the plugin has added them, so it is wrapped in a late 'init' hook:
add_action('init', function () {
    // Unregister the handler for authenticated (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) requests.
    remove_action('wp_ajax_baf_set_notice_status', 'baf_set_notice_status');
    remove_action('wp_ajax_nopriv_baf_set_notice_status', 'baf_set_notice_status');
}, PHP_INT_MAX);
Temporary plugin deactivation
Disable the plugin via WP-CLI until the patched version can be installed:
wp plugin deactivate bwl-advanced-faq-manager
🧯 If You Can't Patch
- Restrict user registration and monitor for new Subscriber accounts
- Implement web application firewall rules to block suspicious AJAX requests to wp-admin/admin-ajax.php
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin → Plugins → BWL Advanced FAQ Manager. If version is 2.1.4 or lower, you are vulnerable.
Check Version:
wp plugin get bwl-advanced-faq-manager --field=version
Verify Fix Applied:
After the update, verify that the plugin version shows 2.1.5 or higher, then confirm that the FAQ features (including their AJAX calls) still work properly.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with action=baf_set_notice_status
- Multiple option_value changes in WordPress database from low-privilege users
- Increased errors in WordPress debug.log after option modifications
Network Indicators:
- AJAX requests to vulnerable endpoint from unexpected IPs or user roles
- Spike in admin-ajax.php requests from authenticated users
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "baf_set_notice_status"
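The log indicators above can be checked outside a SIEM as well. The following Python script is an added example, not code from the advisory or from the plugin vendor: it parses web-server access log lines in combined format, flags POST requests to /wp-admin/admin-ajax.php carrying action=baf_set_notice_status, and reports source IPs whose admin-ajax.php request count exceeds a threshold (the "spike" indicator). The sample log lines are constructed; the IP addresses and timestamps are made up. It assumes the action parameter is visible in the request line; if your site sends it only in the POST body, point the detector at a log source that records the action (a WAF or WordPress audit log).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# AJAX action and endpoint named in the advisory.
VULN_ACTION = "baf_set_notice_status"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_LOG = """
203.0.113.7 - - [10/Jan/2025:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=baf_set_notice_status HTTP/1.1" 200 27 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=baf_set_notice_status HTTP/1.1" 200 27 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:12:00:06 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:12:00:07 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2025:12:00:08 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "-" "Mozilla/5.0"
""".strip().splitlines()

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns lists; take the first 'action' value, if any.
    rec["action"] = parse_qs(parts.query).get("action", [""])[0]
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, spike_threshold=3):
    """Return direct hits on the vulnerable action and per-IP admin-ajax.php spikes."""
    hits = []            # (ip, timestamp, status) for each call of the vulnerable action
    ajax_per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != AJAX_PATH:
            continue
        ajax_per_ip[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["action"] == VULN_ACTION:
            hits.append((rec["ip"], rec["ts"], rec["status"]))
    # Any IP at or above the threshold is reported as a request spike.
    spikes = {ip: n for ip, n in ajax_per_ip.items() if n >= spike_threshold}
    return {"hits": hits, "spikes": spikes}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip, ts, status in result["hits"]:
        print(f"vulnerable action called from {ip} at {ts} (HTTP {status})")
    for ip, n in result["spikes"].items():
        print(f"admin-ajax.php spike: {ip} made {n} requests")
```

The spike threshold is deliberately low for the six-line sample; on a real site, baseline it against normal heartbeat and editor traffic before alerting on it. A hit on the vulnerable action from any account below Administrator is worth investigating on its own, since legitimate use of an option-setting action should not come from Subscriber-level users.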