CVE-2024-13852 Overview
The Option Editor plugin for WordPress version 1.0 contains a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352]. The flaw exists because the plugin_page() function lacks nonce validation. Unauthenticated attackers can update arbitrary WordPress options by tricking an authenticated administrator into clicking a crafted link. Attackers can abuse this to change the default registration role to administrator and enable open user registration. The result is full administrative access to the affected WordPress site. The vulnerability affects the Backie Option Editor plugin and is tracked under CWE-352 (Cross-Site Request Forgery).
Critical Impact
Successful exploitation allows attackers to gain administrative access to vulnerable WordPress sites by manipulating site options through forged requests.
Affected Products
- Backie Option Editor plugin for WordPress, version 1.0
- WordPress sites running the vulnerable plugin with administrator sessions
- All cpe:2.3:a:backie:option_editor installations
Discovery Timeline
- 2025-02-18 - CVE-2024-13852 published to NVD
- 2025-02-21 - Last updated in NVD database
Technical Details for CVE-2024-13852
Vulnerability Analysis
The vulnerability is a Cross-Site Request Forgery flaw in the Option Editor plugin's administrative interface. The plugin exposes an option-update handler through the plugin_page() function but does not validate WordPress nonces. WordPress relies on nonces as the primary CSRF protection mechanism for state-changing administrative actions.
When a logged-in administrator visits an attacker-controlled page, the browser submits a forged POST request to the plugin's option-update endpoint using the administrator's authenticated session. Without nonce validation, the plugin processes the request as legitimate. The attacker can write arbitrary values to any WordPress option, including default_role and users_can_register.
This CSRF condition requires user interaction but no privileges on the attacker side. Exploitation typically chains social engineering with a malicious link or embedded resource on an external site.
Root Cause
The plugin_page() function in option-editor.php processes option update submissions without calling check_admin_referer() or wp_verify_nonce(). This omission removes the standard WordPress protection against forged administrative requests.
Attack Vector
An attacker hosts a page containing an auto-submitting HTML form or image tag targeting the plugin's option update URL. The attacker delivers the link through phishing, comments, or third-party sites. When an administrator clicks the link while authenticated to the WordPress dashboard, the browser submits the request with valid session cookies. The plugin updates default_role to administrator and sets users_can_register to 1. The attacker then registers a new account that is automatically granted administrator privileges.
No verified proof-of-concept code has been published for this vulnerability. See the Wordfence Vulnerability Report and the WordPress Plugin Source Code for technical details.
Detection Methods for CVE-2024-13852
Indicators of Compromise
- Unexpected changes to the default_role WordPress option, particularly values set to administrator
- The users_can_register option flipped from 0 to 1 without administrator action
- New administrator accounts created through the standard WordPress registration flow
- HTTP referer headers on option-update requests pointing to external, untrusted domains
Detection Strategies
- Audit the WordPress wp_options table for unauthorized modifications to default_role and users_can_register
- Review web server access logs for POST requests to wp-admin/options-general.php?page=option-editor originating from external referers
- Monitor WordPress user creation events and correlate against expected administrative activity
- Compare current plugin file hashes against the official plugin distribution to confirm integrity
Monitoring Recommendations
- Enable WordPress audit logging to capture option changes and user role assignments
- Forward WordPress and web server logs to a centralized SIEM for correlation with authentication events
- Alert on creation of new accounts holding the administrator role outside change windows
- Track HTTP referer anomalies on admin endpoints to identify potential CSRF delivery attempts
How to Mitigate CVE-2024-13852
Immediate Actions Required
- Deactivate and remove the Option Editor plugin version 1.0 from all WordPress installations
- Audit wp_options for unauthorized changes to default_role, users_can_register, and related settings
- Review the WordPress users table and remove any unrecognized administrator accounts
- Rotate administrator passwords and invalidate active sessions following remediation
Patch Information
No vendor patch is referenced in the available advisory data. The plugin appears to remain at version 1.0. Administrators should remove the plugin until the maintainer publishes a fixed release that adds nonce validation to the plugin_page() function. Monitor the WordPress Plugin Developer Info page for updates.
Workarounds
- Remove the Option Editor plugin entirely if option-editing functionality is not required
- Restrict administrator dashboard access through IP allowlisting at the web server or WAF layer
- Deploy a WordPress security plugin or web application firewall ruleset that blocks unauthenticated POST requests with external referers to admin endpoints
- Train administrators to avoid clicking untrusted links while authenticated to the WordPress dashboard
# Configuration example: disable open registration and reset default role via WP-CLI
wp option update users_can_register 0
wp option update default_role subscriber
wp plugin deactivate option-editor
wp plugin delete option-editor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
