Privilege Escalation Vulnerability in Exertio Framework by WordPress
CVE-2024-13373

8.1HIGH

Key Information:

Vendor: WordPress
Status: Exertio Framework
Vendor: CVE Published:; 1 March 2025

What is CVE-2024-13373?

The Exertio Framework plugin for WordPress is susceptible to a vulnerability that allows an unauthenticated attacker to escalate privileges by exploiting the fl_forgot_pass_new() function. This flaw arises from inadequate validation of a user's identity during password updates, enabling attackers to reset passwords for any user account, including that of administrators. Consequently, this vulnerability can be leveraged to gain unauthorized access to sensitive accounts, posing a significant threat to the security of websites utilizing this plugin.

Affected Version(s)

Exertio Framework * <= 1.3.1

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/exertio-freelance-marketplac...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 1, 2025
Vulnerability Reserved
Jan 13, 2025

Credit

Friderika Baranyai