CVE-2024-13656: 
WordPress vulnerability analysis and mitigation

The Click Mag - Viral WordPress News Magazine/Blog Theme for WordPress contains a vulnerability (CVE-2024-13656) related to unauthorized modification of data that can lead to a denial of service. The vulnerability exists in versions up to and including 3.6.0 due to a missing capability check in the propanelofajax_callback() function. This security issue was discovered and disclosed in February 2025 (NVD).

The vulnerability stems from a missing capability check in the propanelofajax_callback() function. This security flaw allows authenticated attackers with subscriber-level access or higher to delete arbitrary option values on the WordPress site. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, indicating network accessibility with low attack complexity (Wordfence).

The vulnerability can be exploited to delete arbitrary option values on the WordPress site. When exploited, this can be leveraged to delete critical options that would create errors on the site, effectively causing a denial of service condition and preventing legitimate users from accessing the site (NVD).

The vulnerability has been patched in version 3.7.0 of the Click Mag theme, released on February 10, 2025. Site administrators are strongly advised to update to this latest version to protect against potential attacks (Theme Details).