CVE-2024-13412: 
WordPress vulnerability analysis and mitigation

The CozyStay theme for WordPress contains a missing authorization vulnerability (CVE-2024-13412) discovered in March 2024. This security flaw affects all versions up to and including 1.7.0, where the ajax_handler function lacks proper capability checks. This allows unauthenticated attackers to execute arbitrary actions on affected WordPress sites (NVD).

The vulnerability stems from a missing capability check in the ajax_handler function, which fails to properly validate user permissions before executing actions. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, indicating that it can be exploited remotely without requiring privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to execute arbitrary actions through the ajax_handler function, potentially leading to unauthorized modification of data on affected WordPress sites (NVD).

The vulnerability has been patched in version 1.7.1 of the CozyStay theme, released on February 13, 2025. The update includes improved code security enforcement in AJAX loading to prevent unauthorized modification of data and unauthenticated PHP object injection attacks (ThemeForest). Users are advised to update to the latest version immediately.