Unauthorized Data Modification in ZoxPress WordPress Theme
CVE-2024-13654

8.1HIGH

Key Information:

Vendor: WordPress
Status: Zoxpress - The All-in-one WordPress News Theme
Vendor: CVE Published:; 12 February 2025

What is CVE-2024-13654?

The ZoxPress theme for WordPress is susceptible to unauthorized modification of data due to a missing capability check on the 'reset_options' function. This vulnerability affects all versions up to and including 2.12.0, enabling authenticated attackers with Subscriber-level access or higher to delete arbitrary option values. Such actions can create errors on the site, potentially leading to a denial of service, making it imperative for users to update and secure their installations.

Affected Version(s)

ZoxPress - The All-In-One WordPress News Theme * <= 2.12.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/zoxpress-allinone-wordpress-...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2025
Vulnerability Reserved
Jan 23, 2025

Credit

Lucio Sá