CVE-2024-13852

8.8 HIGH

📋 TL;DR

The Option Editor WordPress plugin version 1.0 has a cross-site request forgery (CSRF) vulnerability that allows unauthenticated attackers to trick a logged-in administrator into clicking a malicious link that modifies WordPress settings. This can enable user registration with administrator privileges, potentially giving attackers full control of affected WordPress sites. All WordPress sites using Option Editor plugin version 1.0 are vulnerable.

💻 Affected Systems

Products:
  • WordPress Option Editor Plugin
Versions: Version 1.0 only
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress administrator to be logged in and tricked into clicking malicious link.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative access to the WordPress site, allowing complete compromise including data theft, defacement, malware installation, and lateral movement to other systems.

🟠 Likely Case

Attackers create administrator accounts for themselves, gaining persistent access to modify content, install malicious plugins, or steal sensitive data.

🟢 If Mitigated

With proper CSRF protections and admin awareness, exploitation attempts fail, maintaining site integrity.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires social engineering to trick administrators into clicking malicious links while authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.0.1 or later

Vendor Advisory: https://wordpress.org/plugins/option-editor/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Option Editor' plugin.
4. Click 'Update Now' if available.
5. Alternatively, delete the plugin and install the latest version from the WordPress repository.

🔧 Temporary Workarounds

Disable Option Editor Plugin (applies to: all)

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate option-editor

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Use WordPress security plugins with CSRF protection features

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Option Editor version 1.0

Check Version:

wp plugin list --name=option-editor --field=version

Verify Fix Applied:

Verify Option Editor plugin version is 1.0.1 or higher in WordPress admin panel
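The version check above can be scripted so it handles the cases a manual glance tends to miss: a two-part version string such as "1.0" that must compare below "1.0.1", and empty output when the plugin is not installed at all. The following is an added example, not code from the advisory or from the plugin; it parses the output of the `wp plugin list --name=option-editor --field=version` command quoted above. The `--path` global option of wp-cli and the `check_site` wrapper are assumptions; the version strings in the comments are constructed.

```python
import subprocess

# First fixed release named in the advisory.
PATCHED = (1, 0, 1)

# The wp-cli command from the "Check Version" step above.
WP_CLI_CMD = ["wp", "plugin", "list", "--name=option-editor", "--field=version"]


def parse_version(text):
    """Turn wp-cli output such as '1.0\\n' into a tuple of ints.

    Returns None when the output is empty (plugin not installed) or is not
    a dotted number, so callers never compare against garbage."""
    text = text.strip()
    if not text:
        return None
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def is_vulnerable(version):
    """True when the installed version is below 1.0.1.

    Tuples are zero-padded to equal length so that (1, 0) is treated as
    (1, 0, 0) and correctly compares below (1, 0, 1)."""
    if version is None:
        return False  # nothing installed, nothing to patch
    width = max(len(version), len(PATCHED))
    installed = version + (0,) * (width - len(version))
    fixed = PATCHED + (0,) * (width - len(PATCHED))
    return installed < fixed


def check_site(wp_path="."):
    """Run wp-cli against a site (assumed: wp on PATH, --path points at
    the WordPress root) and return a small report dict."""
    try:
        proc = subprocess.run(WP_CLI_CMD + [f"--path={wp_path}"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return {"error": "wp-cli not found on PATH"}
    version = parse_version(proc.stdout)
    return {
        "installed": version is not None,
        "version": proc.stdout.strip() or None,
        "vulnerable": is_vulnerable(version),
    }


if __name__ == "__main__":
    print(check_site())
```

Run it from the WordPress root (or pass the path to `check_site`); a result of `"vulnerable": True` means the plugin still reports 1.0 and the update or the deactivation workaround above has not been applied.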

📡 Detection & Monitoring

Log Indicators:

  • Unexpected changes to WordPress options, particularly default_role or users_can_register settings
  • Administrator account creation from unusual IP addresses

Network Indicators:

  • HTTP POST requests to /wp-admin/admin.php?page=option-editor without proper nonce validation

SIEM Query:

source="wordpress" AND (event="option_update" AND option_name IN ("default_role", "users_can_register"))
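The log indicators and the SIEM query above can be turned into a small detection routine that runs over an audit log: every change to `default_role` or `users_can_register` is flagged, and an administrator registration that follows such a change within a short window is escalated, since that sequence is what the CSRF abuse would produce. The following is an added example, not code from the advisory; the JSON-per-line audit format and its field names (`ts`, `event`, `option_name`, `old_value`, `new_value`, `user`, `role`, `ip`) are an assumed schema, and the sample log lines and IP addresses are constructed.

```python
import json
from datetime import datetime, timedelta

# Settings whose change lets new sign-ups become administrators; these are
# the options named under "Log Indicators" and in the SIEM query above.
WATCHED_OPTIONS = {"default_role", "users_can_register"}

# Constructed sample audit log (one JSON object per line). Not real WordPress
# output: the field names are an assumed audit-plugin schema and the IPs are
# documentation ranges. One deliberately malformed line tests the parser.
SAMPLE_LOG = """\
{"ts": "2025-01-10T09:00:01Z", "event": "option_update", "option_name": "blogname", "old_value": "Site", "new_value": "My Site", "user": "admin", "ip": "203.0.113.5"}
{"ts": "2025-01-10T09:14:22Z", "event": "option_update", "option_name": "users_can_register", "old_value": "0", "new_value": "1", "user": "admin", "ip": "203.0.113.5"}
{"ts": "2025-01-10T09:14:23Z", "event": "option_update", "option_name": "default_role", "old_value": "subscriber", "new_value": "administrator", "user": "admin", "ip": "203.0.113.5"}
not a json line
{"ts": "2025-01-10T09:20:40Z", "event": "user_register", "user": "helpdesk2", "role": "administrator", "ip": "198.51.100.77"}
{"ts": "2025-01-10T11:00:00Z", "event": "user_register", "user": "reader", "role": "subscriber", "ip": "198.51.100.12"}
"""


def parse_log(text):
    """Parse JSON-per-line text into event dicts, skipping malformed lines."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def _ts(event):
    # ISO-8601 with a trailing Z; rewritten to +00:00 for older Pythons.
    return datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))


def find_indicators(events, window_minutes=60):
    """Apply the advisory's two log indicators to a list of events.

    Every change to a watched option is reported (the SIEM query above).
    An administrator registration is reported as well, and is raised to
    'critical' when it lands within window_minutes after a watched option
    change, because that ordering is the expected abuse pattern."""
    alerts = []
    last_option_change = None
    for ev in events:
        kind = ev.get("event")
        if kind == "option_update" and ev.get("option_name") in WATCHED_OPTIONS:
            alerts.append({
                "severity": "high",
                "reason": "watched option changed",
                "option_name": ev["option_name"],
                "change": f"{ev.get('old_value')} -> {ev.get('new_value')}",
                "user": ev.get("user"),
                "ip": ev.get("ip"),
                "ts": ev["ts"],
            })
            last_option_change = _ts(ev)
        elif kind == "user_register" and ev.get("role") == "administrator":
            now = _ts(ev)
            recent = (last_option_change is not None
                      and timedelta(0) <= now - last_option_change
                      <= timedelta(minutes=window_minutes))
            alerts.append({
                "severity": "critical" if recent else "high",
                "reason": "administrator account registered"
                          + (" shortly after registration settings changed" if recent else ""),
                "user": ev.get("user"),
                "ip": ev.get("ip"),
                "ts": ev["ts"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["ts"], alert["reason"],
              alert.get("user"), alert.get("ip"))
```

On the constructed sample this yields two high alerts for the option changes and one critical alert for the administrator registered six minutes later from a different address; the ordinary subscriber sign-up produces nothing. Feed it real audit output by replacing `SAMPLE_LOG` with the file contents once the field names are mapped to your logging plugin's schema.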
