CVE-2024-13420

Published: May 2, 2025Modified: May 6, 2025

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: security@wordfence.com (Secondary)

Description

Multiple plugins and/or themes for WordPress are vulnerable to unauthorized access due to a missing capability check on several AJAX actions like 'gsf_reset_section_options', 'gsf_reset_section_options', 'gsf_create_preset_options' and more in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset and modify some of the plugin/theme settings. This issue was escalated to Envato over two months from the date of this disclosure and the issues, while partially patched, are still vulnerable.

Affected (4)

Products: G5plus: April, Auteur, Benaa, Beyot

4 products

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
G5plus April	Up to 5.1
G5plus Auteur	Up to 7.1
G5plus Benaa	Up to 4.0.0
G5plus Beyot	Up to 6.0.6

Related CWEs

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

https://themeforest.net/item/beyot-wordpress-real-estate-theme/19514964

Source: security@wordfence.com

Product

https://www.wordfence.com/threat-intel/vulnerabilities/id/6d484422-4adf-4370-b228-61496d5ad78a?source=cve

Source: security@wordfence.com

Third Party Advisory

Timeline

No history available yet.