CVE-2024-13801: 
WordPress vulnerability analysis and mitigation

The BWL Advanced FAQ Manager plugin for WordPress (versions up to 2.1.4) contains a vulnerability identified as CVE-2024-13801. The vulnerability stems from a missing capability check on the 'bafsetnotice_status' AJAX action, which allows authenticated attackers with Subscriber-level access or higher to perform unauthorized modification of data (NVD).

The vulnerability is classified as a Missing Authorization issue (CWE-862) with a CVSS v3.1 Base Score of 8.1 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with no impact on confidentiality (C:N) but high impacts on integrity and availability (I:H, A:H) (NVD, Wordfence).

The vulnerability allows authenticated attackers to update option values to '1' on the WordPress site. This can be exploited to create errors that deny service to legitimate users or manipulate certain settings like registration options. The impact primarily affects the site's integrity and availability (NVD).

Site administrators should update the BWL Advanced FAQ Manager plugin to a version newer than 2.1.4 when available. In the meantime, consider restricting access to the plugin's functionality to trusted users only or temporarily disabling the plugin if it's not critical to site operations (NVD).