CVE-2024-13643: 
WordPress vulnerability analysis and mitigation

The Zox News Professional WordPress News & Magazine Theme plugin for WordPress contains a vulnerability (CVE-2024-13643) related to unauthorized data modification. The vulnerability affects all versions up to and including 3.17.0 and was discovered on February 11, 2025. The issue stems from missing capability checks on the backupoptions() and resetoptions() functions (NVD).

The vulnerability is characterized by missing authorization checks (CWE-862) in the backupoptions() and resetoptions() functions. It has received a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to update and delete arbitrary option values on WordPress sites. Attackers can exploit this to update the default user role for registration to Administrator and enable user registration, thereby gaining administrative access. Additionally, they can delete critical options, potentially causing errors that disrupt site functionality and deny service to legitimate users (NVD).

The vulnerability was addressed in version 3.17.1 released on February 10, 2025. Users are advised to update to this latest version to protect against this security issue (Theme Details).