Cyber Resilience

CVE-2024-12129

High

Published: 30 January 2025

Published
30 January 2025
Modified
05 February 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.9th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12129 is a high-severity Missing Authorization (CWE-862) vulnerability in Wp-Royal-Themes Royal Core. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12129 is a vulnerability in the Royal Core plugin for WordPress, affecting all versions up to and including 2.9.2. It stems from a missing capability check on the 'royal_restore_backup' function, enabling unauthorized modification of data that leads to privilege escalation. The issue is classified under CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and potential for high impact across confidentiality, integrity, and availability.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability remotely without user interaction. By calling the vulnerable function, they can update arbitrary WordPress options, such as modifying the default role for new user registrations to administrator and enabling registration. This allows attackers to self-register with administrative privileges, achieving full site compromise.

Mitigation guidance is available in advisories from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/a6ca0a45-cbb3-419b-a2fd-7427935524d8?source=cve. The plugin is associated with the HyperX Portfolio theme listed on ThemeForest at https://themeforest.net/item/hyperx-portfolio-for-freelancers-agencies/13439786.

EU & UK References

Vulnerability details

The Royal Core plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'royal_restore_backup' function in all versions up to, and including, 2.9.2. This makes it…

more

possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098 Account Manipulation Persistence
Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

Direct remote exploitation of public-facing WordPress plugin (T1190) via missing authz to achieve privilege escalation (T1068) and arbitrary option changes for account role manipulation (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-10591Same product class: WordPress / CMS plugin
CVE-2025-24618Same product class: WordPress / CMS plugin
CVE-2025-24596Same product class: WordPress / CMS plugin
CVE-2025-14457Same product class: WordPress / CMS plugin
CVE-2025-22786Same product class: WordPress / CMS plugin
CVE-2024-13528Same product class: WordPress / CMS plugin
CVE-2025-26378Shared CWE-862
CVE-2024-12876Shared CWE-862
CVE-2026-2941Shared CWE-862
CVE-2025-8898Shared CWE-862

Affected Assets

wp-royal-themes
royal core
≤ 2.9.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to prevent unauthorized data modification, directly countering the missing capability check in the royal_restore_backup function.

prevent

Restricts privileges to the least necessary for tasks, preventing Subscriber-level users from escalating via arbitrary option updates.

prevent

Mandates identification, testing, and installation of flaw fixes, enabling patching of the vulnerable Royal Core plugin versions.

References