Cyber Posture

CVE-2024-11350

Critical

Published: 08 January 2025

Published
08 January 2025
Modified
12 August 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0033 55.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11350 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Scriptsbundle Adforest. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 44.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Requires verification of user identity prior to issuing or changing authenticators like passwords, directly preventing unauthorized password updates via the flawed adforest_reset_password() function.

SI-10 Information Input Validation good match
prevent

Mandates validation of information inputs to the password reset function, blocking exploitation due to lack of identity validation.

AC-2 Account Management partial match
preventdetectrespond

Establishes procedures for account modifications including password changes with approvals and reviews, mitigating unauthorized takeovers and enabling detection of compromised accounts.

NVD Description

The AdForest theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.1.6. This is due to the plugin not properly validating a user's identity prior to updating their password through the…

more

adforest_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Deeper analysisAI

CVE-2024-11350 is a privilege escalation vulnerability via account takeover in the AdForest theme for WordPress, affecting all versions up to and including 5.1.6. The issue arises because the adforest_reset_password() function fails to properly validate a user's identity before updating their password, as published on 2025-01-08. It is associated with CWE-640 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By leveraging the flawed password reset mechanism, they can change the passwords of arbitrary users, including administrators, to gain full unauthorized access to those accounts.

Advisories provide further details via the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/4ebb766a-44e9-460c-be84-356b7403e593?source=cve and the AdForest theme listing on ThemeForest at https://themeforest.net/item/adforest-classified-wordpress-theme/19481695.

Details

CWE(s)
CWE-640

Affected Products

scriptsbundle
adforest
≤ 5.1.7

CVEs Like This One

CVE-2024-12857Same product: Scriptsbundle Adforest
CVE-2025-69614Shared CWE-640
CVE-2026-30459Shared CWE-640
CVE-2026-42606Shared CWE-640
CVE-2025-63314Shared CWE-640
CVE-2026-2895Shared CWE-640
CVE-2025-1570Shared CWE-640
CVE-2026-24467Shared CWE-640
CVE-2025-13565Shared CWE-640
CVE-2026-1325Shared CWE-640

References