CVE-2024-13420: 
NixOS vulnerability analysis and mitigation

CVE-2024-13420 is a security vulnerability affecting multiple WordPress plugins and themes, discovered by Lucio Sá and disclosed on May 1, 2025. The vulnerability stems from missing capability checks on several AJAX actions including 'gsfresetsectionoptions' and 'gsfcreatepresetoptions'. The affected software includes various WordPress themes such as April (up to version 5.1), Auteur (up to version 7.1), Benaa (up to version 4.0.0), and Beyot (up to version 6.0.6) (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N. It is classified under both CWE-862 (Missing Authorization) and CWE-94 (Improper Control of Generation of Code). The technical nature of the vulnerability involves unauthorized access due to missing capability checks on various AJAX actions (NVD, Wiz).

The vulnerability enables authenticated attackers with Subscriber-level access or higher to reset and modify plugin/theme settings. This could potentially lead to unauthorized configuration changes in the affected WordPress installations (NVD, Wiz).

While some partial patches have been implemented, the issues remain vulnerable as reported in the disclosure. The vulnerability was escalated to Envato over two months prior to the disclosure date, but complete fixes are still pending (NVD).