CVE-2024-13933 Overview
CVE-2024-13933 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the FoodBakery Delivery Restaurant Directory WordPress theme in all versions up to and including 4.7. The flaw stems from missing or incorrect nonce validation across multiple AJAX functions, including foodbakery_var_backup_file_delete, foodbakery_widget_file_delete, theme_option_save, export_widget_settings, ajax_import_widget_data, foodbakery_var_settings_backup_generate, foodbakery_var_backup_file_restore, and theme_option_rest_all. Unauthenticated attackers can exploit these endpoints by tricking a site administrator into clicking a crafted link. The weakness is classified as CWE-352 (Cross-Site Request Forgery).
Critical Impact
Successful exploitation allows attackers to delete arbitrary files, modify theme options, manipulate widget settings, generate or restore backups, and reset the theme configuration on affected WordPress sites.
Affected Products
- FoodBakery | Delivery Restaurant Directory WordPress Theme versions 1.0 through 4.7
- WordPress installations running the vulnerable theme
- Restaurant and food delivery sites using the FoodBakery theme distribution from ThemeForest
Discovery Timeline
- 2025-03-19 - CVE-2024-13933 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-13933
Vulnerability Analysis
The FoodBakery theme exposes several administrative AJAX actions without verifying WordPress nonces. Nonces are tokens WordPress uses to confirm that a request originated from an authenticated user session rather than a third-party site. When these tokens are absent or improperly validated, an attacker-controlled webpage can issue authenticated state-changing requests on behalf of any logged-in administrator who visits it.
The affected functions cover backup management, theme configuration, and widget import/export operations. An attacker who lures an administrator to a malicious page can invoke foodbakery_var_backup_file_delete to remove backup files, call theme_option_rest_all to reset configuration, or use ajax_import_widget_data to inject attacker-controlled widget definitions. Chained together, these actions enable site defacement, persistence, and recovery sabotage.
Root Cause
The root cause is the absence of check_admin_referer() or wp_verify_nonce() calls on privileged AJAX handlers registered through wp_ajax_ hooks. Without these checks, the theme relies solely on cookie-based session authentication, which browsers automatically attach to cross-origin requests.
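The pattern described above, shown as an added example rather than the theme's own code: an illustrative privileged wp_ajax_ handler with no nonce check, beside the same handler hardened with check_ajax_referer() and a matching nonce passed to the admin script. The action name theme_option_save comes from the advisory; the handler bodies, the option key foodbakery_theme_options, the nonce action string and the script handle are assumptions.

```php
<?php
// Added example, not the FoodBakery theme's code. The action name
// theme_option_save is from the advisory; everything else is assumed.

// BEFORE: a privileged handler with no nonce check. WordPress identifies the
// caller from the session cookie alone, so a capability check on its own does
// not prove the administrator meant to send this request (CWE-352).
function foodbakery_theme_option_save_unsafe() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'foodbakery_theme_options', wp_unslash( $_POST['options'] ?? array() ) );
    wp_send_json_success();
}
// Deliberately not registered with add_action(); shown only for contrast.

// AFTER: check_ajax_referer() reads the nonce from $_REQUEST['security'],
// verifies it against the 'foodbakery_theme_options' action and, with the
// third argument true, dies with a 403 when it is missing or stale.
// The capability check stays: the nonce proves intent, not authorisation.
function foodbakery_theme_option_save_safe() {
    check_ajax_referer( 'foodbakery_theme_options', 'security', true );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $options = isset( $_POST['options'] ) && is_array( $_POST['options'] )
        ? array_map( 'sanitize_text_field', wp_unslash( $_POST['options'] ) ) // assumed flat array
        : array();
    update_option( 'foodbakery_theme_options', $options );
    wp_send_json_success();
}
add_action( 'wp_ajax_theme_option_save', 'foodbakery_theme_option_save_safe' );

// The nonce must reach the page WordPress serves to the administrator so the
// AJAX call can send it back in the 'security' field. A third-party page
// cannot read it, which is what makes the check effective against CSRF.
function foodbakery_enqueue_admin_nonce() {
    wp_enqueue_script(
        'foodbakery-admin',                                  // assumed handle
        get_template_directory_uri() . '/js/admin.js',       // assumed path
        array( 'jquery' ),
        '1.0',
        true
    );
    wp_localize_script( 'foodbakery-admin', 'foodbakeryAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'foodbakery_theme_options' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'foodbakery_enqueue_admin_nonce' );
```

The same two-line fix (check_ajax_referer() followed by current_user_can()) applies to each of the eight handlers named in the overview; the backup and widget import/export actions additionally need their own input validation, which this example does not cover.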
Attack Vector
Exploitation requires user interaction. The attacker hosts a page containing an auto-submitting form or image tag targeting the WordPress AJAX endpoint. When an authenticated administrator visits the page, the browser sends the forged request with valid session cookies, and the server processes it as a legitimate administrative action. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-13933
Indicators of Compromise
- Unexpected deletion of files within the FoodBakery backup directory or widget asset paths
- Theme option values reset to defaults or replaced with attacker-controlled settings
- New or modified widget configurations imported outside of administrative work hours
- HTTP POST requests to admin-ajax.php containing FoodBakery action names and missing or invalid _wpnonce parameters
Detection Strategies
- Inspect web server access logs for cross-origin Referer headers on POST requests targeting admin-ajax.php with FoodBakery action parameters
- Monitor the WordPress wp_options table for unauthorized changes to theme option keys
- Review file integrity baselines for the FoodBakery backup and widget directories to detect unexpected deletions
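The first detection strategy above, worked as an added example that is not part of the advisory: a small PHP CLI script that reads Apache/nginx "combined" format access log lines and reports POST requests to admin-ajax.php that name one of the affected actions and carry a missing or external Referer. The log lines are constructed, and the site host restaurant.example is an assumption.

```php
<?php
// Added example, not from the advisory or the theme. Scans access log lines
// for the request shape the Indicators of Compromise describe.

const FOODBAKERY_ACTIONS = array(
    'foodbakery_var_backup_file_delete',
    'foodbakery_widget_file_delete',
    'theme_option_save',
    'export_widget_settings',
    'ajax_import_widget_data',
    'foodbakery_var_settings_backup_generate',
    'foodbakery_var_backup_file_restore',
    'theme_option_rest_all',
);

// Combined log format (assumed):
// client ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const COMBINED_LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

/**
 * Returns one finding per suspicious line: a POST to admin-ajax.php whose
 * query string names an affected action and whose Referer is absent ("-")
 * or belongs to a host other than $site_host.
 */
function foodbakery_scan_log_lines( array $lines, string $site_host ): array {
    $findings = array();
    foreach ( $lines as $n => $line ) {
        if ( ! preg_match( COMBINED_LOG_RE, trim( $line ), $m ) ) {
            continue; // not a combined-format line; skip rather than guess
        }
        list( , $client, $time, $method, $path, $status, $referer ) = $m;
        if ( 'POST' !== $method || false === strpos( $path, 'admin-ajax.php' ) ) {
            continue;
        }
        // admin-ajax.php accepts 'action' from GET or POST. Combined logs keep
        // only the query string, so an action sent in the POST body alone is
        // invisible here; treat a clean result as a blind spot, not proof.
        $query  = parse_url( $path, PHP_URL_QUERY );
        $params = array();
        if ( $query ) {
            parse_str( $query, $params );
        }
        $action = $params['action'] ?? null;
        if ( null === $action || ! in_array( $action, FOODBAKERY_ACTIONS, true ) ) {
            continue;
        }
        $ref_host = '-' === $referer ? null : parse_url( $referer, PHP_URL_HOST );
        if ( null !== $ref_host && 0 === strcasecmp( $ref_host, $site_host ) ) {
            continue; // same-site Referer: ordinary wp-admin traffic
        }
        $findings[] = array(
            'line'    => $n + 1,
            'client'  => $client,
            'time'    => $time,
            'action'  => $action,
            'referer' => null === $ref_host ? '(absent)' : $referer,
            'status'  => (int) $status,
        );
    }
    return $findings;
}

// Constructed sample: line 2 is legitimate admin traffic; lines 3 and 4 have
// the external and absent Referer shapes the advisory lists as indicators.
$sample = array(
    '203.0.113.7 - - [10/Mar/2025:09:14:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2025:09:15:40 +0000] "POST /wp-admin/admin-ajax.php?action=theme_option_save HTTP/1.1" 200 17 "https://restaurant.example/wp-admin/themes.php" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2025:09:31:11 +0000] "POST /wp-admin/admin-ajax.php?action=theme_option_rest_all HTTP/1.1" 200 17 "https://third-party.invalid/menu.html" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2025:09:31:12 +0000] "POST /wp-admin/admin-ajax.php?action=foodbakery_var_backup_file_delete HTTP/1.1" 200 17 "-" "Mozilla/5.0"',
);

foreach ( foodbakery_scan_log_lines( $sample, 'restaurant.example' ) as $f ) {
    printf( "line %d: %s client=%s action=%s referer=%s status=%d\n",
        $f['line'], $f['time'], $f['client'], $f['action'], $f['referer'], $f['status'] );
}
```

Run it with the site's real log piped in via file() and the site's own hostname. An absent Referer is also what a browser sends under a strict Referrer-Policy or some privacy extensions, so treat the "(absent)" findings as leads to correlate with the wp_options and file-integrity checks above rather than as confirmed abuse.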
Monitoring Recommendations
- Enable WordPress audit logging plugins to record administrative configuration changes and AJAX action invocations
- Alert on AJAX requests whose Origin or Referer headers do not match the site domain
- Track administrator session activity for short-duration requests originating from external referrers
How to Mitigate CVE-2024-13933
Immediate Actions Required
- Update the FoodBakery theme to a version above 4.7 once the vendor releases a patched build
- Restrict administrator browsing on workstations used to manage WordPress sites and require separate browsers for admin tasks
- Audit existing theme options, widget configurations, and backup files for unauthorized modifications
Patch Information
No fixed version is referenced in the CVE record at the time of publication. Site operators should monitor the ThemeForest Product Page and the Wordfence Vulnerability Report for patch availability and apply updates promptly.
Workarounds
- Deploy a web application firewall rule to block POST requests to admin-ajax.php containing the affected action names when Referer or Origin headers are absent or external
- Disable the FoodBakery theme on production sites until a patched version is available, switching to a default WordPress theme
- Require administrators to log out of WordPress sessions before browsing untrusted content, reducing the window for CSRF exploitation
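The first workaround above can also be applied inside WordPress itself, as an added example that is not the theme's or any vendor's code: a must-use plugin that refuses the affected admin-ajax.php actions when the request's Origin or Referer host is absent or does not match the site host. The action names come from the advisory; the plugin name, function names and log message format are assumptions.

```php
<?php
/**
 * Plugin Name: FoodBakery CSRF stopgap (added example, not vendor code)
 * Description: Rejects the affected admin-ajax.php actions when the request's
 * Origin/Referer host is absent or external. Place in wp-content/mu-plugins/
 * and remove once the theme is updated past 4.7.
 */

const FOODBAKERY_CSRF_ACTIONS = array(
    'foodbakery_var_backup_file_delete',
    'foodbakery_widget_file_delete',
    'theme_option_save',
    'export_widget_settings',
    'ajax_import_widget_data',
    'foodbakery_var_settings_backup_generate',
    'foodbakery_var_backup_file_restore',
    'theme_option_rest_all',
);

/**
 * Host named by the Origin header, falling back to Referer; null when
 * neither is usable. Browsers send Origin on cross-site POSTs, and send the
 * literal string "null" for opaque origins, which is treated as absent.
 */
function foodbakery_request_source_host(): ?string {
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $_SERVER[ $header ] ) && 'null' !== $_SERVER[ $header ] ) {
            $host = wp_parse_url( $_SERVER[ $header ], PHP_URL_HOST );
            return $host ? strtolower( $host ) : null;
        }
    }
    return null;
}

function foodbakery_block_cross_site_ajax() {
    if ( ! wp_doing_ajax() || 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? (string) $_REQUEST['action'] : '';
    if ( ! in_array( $action, FOODBAKERY_CSRF_ACTIONS, true ) ) {
        return; // other AJAX actions are left alone
    }
    $site_host = strtolower( (string) wp_parse_url( home_url(), PHP_URL_HOST ) );
    $source    = foodbakery_request_source_host();
    if ( null === $source || $source !== $site_host ) {
        // Record the attempt, then refuse before the theme's handler runs.
        error_log( sprintf(
            'foodbakery-csrf-stopgap: blocked action=%s source=%s ip=%s',
            $action,
            $source ?? '(absent)',
            $_SERVER['REMOTE_ADDR'] ?? '?'
        ) );
        wp_die( 'Cross-site request rejected.', 'Forbidden', array( 'response' => 403 ) );
    }
}
// admin-ajax.php fires admin_init before dispatching wp_ajax_{action}, so
// priority 0 here runs ahead of the theme's handlers.
add_action( 'admin_init', 'foodbakery_block_cross_site_ajax', 0 );
```

This is a stopgap, not a fix: it depends on headers the browser chooses to send, whereas the nonce check described under Root Cause binds each request to a page WordPress served to that administrator. Keep the blocked-request log lines so that the detection work above can confirm whether the site was actually targeted before the plugin went in.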
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.