Cyber Resilience

CVE-2024-12035

Severity: High
Published: 07 March 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 score: 8.8 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0692 (91.6th percentile)
Risk priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12035 is a high-severity Path Traversal (CWE-22) vulnerability attributed to Themeforest (asset inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.4% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

The CS Framework plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function. The flaw affects all versions up to and including 6.9 and is tracked under CWE-22 with a CVSS 3.1 score of 8.8.

Authenticated attackers holding Subscriber-level privileges or higher can exploit the issue over the network to delete arbitrary files on the underlying server. Successful deletion of critical files such as wp-config.php can readily result in remote code execution.

Public references point to the vendor theme page on ThemeForest and a detailed entry from Wordfence for further advisory and patch information.

EPSS for the CVE rose from lower values to a peak of 0.1247 on 2026-04-18 before receding to the current score of 0.0692, indicating a period of increased exploitation interest after disclosure.

EU & UK References

Vulnerability details

The CS Framework plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function in all versions up to, and including, 6.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).
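The path confinement that the two descriptions above say is missing, as an added illustration in PHP (not code from the CS Framework plugin): a delete helper that accepts only a bare file name, resolves it with realpath() and refuses anything that lands outside the allowed directory. The base directory, file names and demo harness are constructed for this example; in a real WordPress handler a capability and nonce check would precede this call.

```php
<?php
// Added example, not code from the CS Framework plugin: delete a file only
// if the user-supplied name resolves to a regular file inside $base_dir.
function safe_delete_within(string $base_dir, string $requested): bool
{
    $base = realpath($base_dir);
    if ($base === false || !is_dir($base)) {
        return false;                       // allowed directory must exist
    }
    // Accept only a bare file name: no null bytes, no separators, no "." or "..".
    if ($requested === '' || strpos($requested, "\0") !== false
        || basename($requested) !== $requested
        || $requested === '.' || $requested === '..') {
        return false;
    }
    // realpath() canonicalises and resolves symlinks, so a symlink placed in
    // the directory that points elsewhere is caught by the prefix check below.
    $target = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($target === false || !is_file($target)) {
        return false;                       // missing, or not a regular file
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;                       // resolved outside the allowed directory
    }
    return unlink($target);
}

// Constructed demo layout: an "uploads" directory that may be written to,
// and a sensitive file one level above it that must never be reachable.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cs_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/widget.json', '{}');
file_put_contents($root . '/sensitive.php', "<?php\n");

foreach (['../sensitive.php', '..', 'uploads/../sensitive.php', 'widget.json'] as $name) {
    $ok = safe_delete_within($root . '/uploads', $name);
    printf("%-28s -> %s\n", $name, $ok ? 'deleted' : 'rejected');
}
printf("sensitive.php still present: %s\n", file_exists($root . '/sensitive.php') ? 'yes' : 'no');
```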

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1070.004 File Deletion (Stealth): Adversaries may delete files left behind by the actions of their intrusion activity.
Why these techniques?

The vulnerability is in a public-facing WordPress plugin and directly enables authenticated attackers to perform arbitrary file deletion on the server (e.g., critical files like wp-config.php), mapping to exploitation of public-facing applications and file deletion.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3666 (shared CWE-22)
CVE-2018-25308 (shared CWE-22)
CVE-2026-22460 (shared CWE-22)
CVE-2025-69377 (shared CWE-22)
CVE-2025-14850 (shared CWE-22)
CVE-2025-26752 (shared CWE-22)
CVE-2026-4350 (shared CWE-22)
CVE-2025-65792 (shared CWE-22)
CVE-2026-4758 (shared CWE-22)
CVE-2026-0704 (shared CWE-22)

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Control type: prevent. Directly remediates the path validation flaw in the CS Framework plugin's cs_widget_file_delete() function by requiring identification, reporting, and correction of the vulnerability.

Control type: prevent. Prevents exploitation of the insufficient file path validation enabling CWE-22 path traversal and arbitrary file deletion.

Control type: prevent, detect. Detects the CVE-2024-12035 vulnerability through scanning of WordPress plugins and ensures timely remediation to prevent exploitation.

References