CVE-2024-13693: 
WordPress vulnerability analysis and mitigation

The Enfold theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check in avia-export-class.php in all versions up to, and including, 6.0.9. This vulnerability was discovered in February 2025 and is tracked as CVE-2024-13693. The vulnerability affects the theme's export functionality and could potentially expose sensitive configuration data (NVD, CVE Mitre).

The vulnerability stems from a missing capability check in the avia-export-class.php file, which handles the theme's settings export functionality. This security flaw allows unauthenticated attackers to access and export all avia settings without proper authorization (Theme Changelog).

If exploited, this vulnerability allows unauthorized users to export sensitive configuration data including Mailchimp API Key, reCAPTCHA Secret Key, and Envato private token if these are configured in the theme settings (NVD).

The vulnerability was addressed in version 7.0 of the Enfold theme. The fix includes limiting the download of theme options to admin users only. Users are advised to update to version 7.0 or later to protect against this vulnerability (Theme Changelog).

The vulnerability was discovered and reported by security researcher mikemyers. The theme developers acknowledged the security issue and implemented the fix in their version 7.0 release (Theme Changelog, Wordfence).