CVE-2024-12296: 
WordPress vulnerability analysis and mitigation

The Apus Framework plugin for WordPress contains a privilege escalation vulnerability (CVE-2024-12296) discovered in February 2024. The vulnerability affects all versions up to and including 2.3 of the plugin. It stems from a missing capability check on the 'import_page_options' function, which allows authenticated users with Subscriber-level access or higher to modify arbitrary WordPress site options (NVD).

The vulnerability is caused by insufficient authorization controls in the 'import_page_options' function. This security flaw has been assigned a CVSS v3.1 score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impacts on confidentiality, integrity, and availability. The vulnerability is classified as CWE-862: Missing Authorization (NVD, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access to update arbitrary options on the WordPress site. Specifically, attackers can modify the default role for new user registrations to administrator and enable user registration, effectively allowing them to create administrative accounts and gain full control over the vulnerable site (NVD).

The vulnerability was addressed in version 2.3.25 released in February 2025. Site administrators are strongly advised to update their Apus Framework plugin to the latest version to protect against this vulnerability (Themeforest).