CVE-2024-12920: 
WordPress vulnerability analysis and mitigation

The FoodBakery WordPress Theme contains a critical vulnerability (CVE-2024-12920) discovered in versions up to and including 4.7. The vulnerability stems from missing capability checks on multiple functions including foodbakeryvarbackupfiledelete, foodbakerywidgetfiledelete, themeoption_save, and others. This security flaw was disclosed on March 19, 2025 (NVD).

The vulnerability is caused by missing authorization checks on several critical functions: foodbakeryvarbackupfiledelete, foodbakerywidgetfiledelete, themeoptionsave, exportwidgetsettings, ajaximportwidgetdata, foodbakeryvarsettingsbackupgenerate, foodbakeryvarbackupfilerestore, and themeoptionrest_all. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to perform unauthorized actions including: deleting arbitrary files, updating theme options, exporting widget options, importing widget options, generating backups, restoring backups, and resetting theme options (NVD).

Users should upgrade to a version newer than 4.7 when available. As this is a recently disclosed vulnerability, users should monitor the theme developer's website and WordPress repository for security updates (ThemeForest).