CVE-2024-13367: 
WordPress vulnerability analysis and mitigation

The Sandbox plugin for WordPress contains a vulnerability (CVE-2024-13367) related to unauthorized access, discovered and disclosed on January 16, 2025. The vulnerability affects all versions up to and including 0.4 of the plugin. The issue stems from a missing capability check on the export_download action, which creates a security gap in the plugin's functionality (NVD, Wordfence Intel).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The security issue is categorized as CWE-862 (Missing Authorization), indicating a fundamental flaw in the authorization mechanism of the plugin (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to download an entire copy of a sandbox environment. This access can expose sensitive information, including the wp-config.php file, which typically contains critical configuration details and credentials (NVD).

Users should update their Sandbox plugin to a version newer than 0.4 once available. Until then, site administrators should carefully review and potentially restrict Subscriber-level access to their WordPress installations (Wordfence Intel).