CVE-2024-11936: 
WordPress vulnerability analysis and mitigation

The Zox News WordPress theme contains a privilege escalation vulnerability (CVE-2024-11936) discovered in January 2025. The vulnerability affects all versions up to and including 3.16.0, due to a missing capability check on the 'backupoptions' and 'restoreoptions' functions (NVD).

The vulnerability stems from a missing authorization check in the theme's backup and restore options functionality. This security flaw allows authenticated users with Subscriber-level access or higher to modify arbitrary options on the WordPress site. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity (Wordfence).

The vulnerability allows attackers to update arbitrary options on the WordPress site. Specifically, attackers can modify the default role for new user registrations to administrator and enable user registration, effectively gaining administrative access to the vulnerable site (NVD).

The vulnerability has been patched in version 3.17.0 of the Zox News theme. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (Theme Details).