CVE-2024-13418: 
NixOS vulnerability analysis and mitigation

Multiple WordPress plugins and themes are affected by an Arbitrary File Upload vulnerability (CVE-2024-13418), discovered and initially disclosed on May 2, 2025. The vulnerability impacts various WordPress themes and plugins, particularly those using the Smart Framework, including April (up to 5.1), Auteur (up to 7.1), Benaa (up to 4.0.0), and Beyot (up to 6.0.6) (NVD).

The vulnerability stems from a missing capability check in the ajaxUploadFonts() function, which allows authenticated users with Subscriber-level access or higher to upload arbitrary files. The severity is rated as HIGH with a CVSS v3.1 base score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type) (NVD, Wiz).

The vulnerability enables authenticated attackers with Subscriber-level access or higher to upload arbitrary files to affected WordPress installations. This capability could potentially lead to remote code execution on the affected systems, posing a significant security risk to WordPress websites using the vulnerable themes or plugins (NVD).

The issue was reported to Envato and has been partially patched, however, the vulnerability remains exploitable. Website administrators using affected WordPress themes or plugins should monitor for updates and implement them as soon as they become available (NVD).