CVE-2024-12035
Published: 07 March 2025
Summary
CVE-2024-12035 is a high-severity Path Traversal (CWE-22) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
The CS Framework plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function. The flaw affects all versions up to and including 6.9 and is tracked under CWE-22 with a CVSS 3.1 score of 8.8.
Authenticated attackers holding Subscriber-level privileges or higher can exploit the issue over the network to delete arbitrary files on the underlying server. Successful deletion of critical files such as wp-config.php can readily result in remote code execution.
Public references point to the vendor theme page on ThemeForest and a detailed entry from Wordfence for further advisory and patch information.
EPSS for the CVE rose from lower values to a peak of 0.1247 on 2026-04-18 before receding to the current score of 0.0692, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-54141
Vulnerability details
The CS Framework plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
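As an added defensive illustration (not the CS Framework plugin's code, which this page does not show), the following WordPress AJAX delete handler closes this class of flaw: it requires a capability above Subscriber level, verifies a nonce, fixes the directory server-side, and canonicalises the requested path with realpath() before confirming it stays inside that directory. The function names, the chosen capability and the `example-widgets` subdirectory are assumptions; the WordPress functions called are real WordPress APIs.

```php
<?php
// Added example, not the plugin's code. Names prefixed "example_" are hypothetical.

/**
 * Resolve $requested_path and confirm it lies inside $allowed_dir.
 * Returns the canonical path, or null when the request must be refused.
 */
function example_resolve_inside_dir( string $requested_path, string $allowed_dir ): ?string {
    $base   = realpath( $allowed_dir );
    $target = realpath( $requested_path );
    if ( false === $base || false === $target ) {
        return null; // directory missing, or target does not exist / cannot be resolved
    }
    // Trailing separator stops "/uploads-other" from matching the prefix "/uploads".
    $base_prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $target, $base_prefix, strlen( $base_prefix ) ) ) {
        return null; // resolved outside the allowed directory (traversal or symlink escape)
    }
    if ( ! is_file( $target ) ) {
        return null; // regular files only, never directories
    }
    return $target;
}

/** AJAX handler: delete one widget upload, subject to capability, nonce and path checks. */
function example_widget_file_delete(): void {
    // Subscriber-level access (the level the advisory says sufficed) is rejected here.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // wp_send_json_error() exits
    }
    check_ajax_referer( 'example_widget_file_delete' ); // dies on a missing or invalid nonce

    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';

    // Only a bare file name is accepted; the directory is fixed server-side.
    $uploads     = wp_upload_dir();
    $allowed_dir = $uploads['basedir'] . '/example-widgets';
    $candidate   = $allowed_dir . '/' . basename( (string) $requested );

    // basename() already strips traversal; the realpath containment check is defence in depth.
    $target = example_resolve_inside_dir( $candidate, $allowed_dir );
    if ( null === $target || ! unlink( $target ) ) {
        wp_send_json_error( 'file not found or not deletable', 400 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_widget_file_delete', 'example_widget_file_delete' );
```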
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing WordPress plugin and directly enables authenticated attackers to perform arbitrary file deletion on the server (e.g., critical files like wp-config.php), mapping to exploitation of public-facing applications and file deletion.
Mitigating Controls (NIST 800-53 r5)
Directly remediates the path validation flaw in the CS Framework plugin's cs_widget_file_delete() function by requiring identification, reporting, and correction of the vulnerability.
Prevents exploitation of the insufficient file path validation enabling CWE-22 path traversal and arbitrary file deletion.
Detects the CVE-2024-12035 vulnerability through scanning of WordPress plugins and ensures timely remediation to prevent exploitation.