CVE-2024-11350
Published: 08 January 2025
Summary
CVE-2024-11350 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Scriptsbundle Adforest. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-11350 is a privilege escalation vulnerability via account takeover in the AdForest theme for WordPress, affecting all versions up to and including 5.1.6. The issue arises because the adforest_reset_password() function fails to properly validate a user's identity before updating their password, as published on 2025-01-08. It is associated with CWE-640 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H).
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed password reset mechanism, they can change the passwords of arbitrary users, including administrators, to gain full unauthorized access to those accounts.
Advisories provide further details via the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/4ebb766a-44e9-460c-be84-356b7403e593?source=cve and the AdForest theme listing on ThemeForest at https://themeforest.net/item/adforest-classified-wordpress-theme/19481695.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-34249
Vulnerability details
The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's identity prior to updating their password through the…
more
adforest_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote exploitation of public-facing WordPress password reset flaw enables initial access via compromised valid accounts (incl. admin).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires verification of user identity prior to issuing or changing authenticators like passwords, directly preventing unauthorized password updates via the flawed adforest_reset_password() function.
Mandates validation of information inputs to the password reset function, blocking exploitation due to lack of identity validation.
Establishes procedures for account modifications including password changes with approvals and reviews, mitigating unauthorized takeovers and enabling detection of compromised accounts.