
CVE-2024-12213

Severity: Critical
Published: 12 February 2025
Modified: 08 April 2026
KEV Added: not listed
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12213 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in Apusthemes Superio. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its EPSS ranking is the 44.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12213 is a privilege escalation vulnerability affecting the WP Job Board Pro plugin for WordPress in all versions up to and including 2.3.16. The flaw stems from the plugin permitting users to supply the 'role' field during registration, enabling unauthorized role assignment. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266: Incorrect Privilege Assignment.

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the 'role' field during the registration process, they can create an account with administrator privileges, potentially gaining full control over the affected WordPress site, including access to sensitive data, modification of content, and execution of arbitrary actions.

Advisories indicate the vulnerability may have been addressed prior to version 2.3.16, with the oldest confirmed patched version being 1.2.85. Security practitioners should urge site administrators to update the WP Job Board Pro plugin to a patched version. Relevant details are available in the Wordfence threat intelligence report and the plugin's ThemeForest listing.


Vulnerability details

The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites. Please note that this may have been patched sooner, however, the oldest available version for us to confirm this is patched in was 1.2.85.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account (tactic: Persistence): Adversaries may create a local account to maintain access to victim systems.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct privilege escalation via unauthenticated account creation with arbitrary roles on a public-facing WordPress plugin.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12296 (same product: Apusthemes Superio)
CVE-2026-24971 (shared CWE-266)
CVE-2024-51888 (shared CWE-266)
CVE-2025-44655 (shared CWE-266)
CVE-2025-49388 (shared CWE-266)
CVE-2024-43333 (shared CWE-266)
CVE-2024-12470 (shared CWE-266)
CVE-2026-23550 (shared CWE-266)
CVE-2026-32520 (shared CWE-266)
CVE-2025-67953 (shared CWE-266)

Affected Assets

Vendor: apusthemes
Product: superio
Versions: ≤ 1.2.76

Mitigating Controls (NIST 800-53 r5)

SI-10, Information Input Validation (prevent): SI-10 requires validation of all system inputs, including the user-supplied 'role' field during registration, directly preventing unauthorized privilege escalation via malformed inputs.

AC-2, Account Management (prevent): AC-2 mandates proper management of account creation and role assignments according to policy, blocking unauthenticated users from self-assigning administrator privileges during registration.

AC-6, Least Privilege (prevent): AC-6 enforces the principle of least privilege for accounts and functions, limiting the impact of any improperly assigned elevated roles created through the vulnerability.
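To make the SI-10 and AC-2 controls concrete for the registration flaw described above, here is an added illustration (not the plugin's own code, and not taken from the advisory) of the CWE-266 pattern beside a hardened WordPress registration handler that never lets the request choose privilege. The function names and the 'candidate'/'employer' role slugs are hypothetical; the WordPress API calls (wp_insert_user, get_role, WP_User::set_role) are real core functions.

```php
<?php
// Added illustration, not code from the WP Job Board Pro plugin.
// Both functions take the parsed registration request as an array.

// VULNERABLE PATTERN: whatever role the request names is stored verbatim,
// so an unauthenticated client can ask for 'administrator' and get it.
function vuln_register_user( array $request ) {
    return wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $request['role'] ?? get_option( 'default_role' ), // attacker-controlled
    ) );
}

// HARDENED PATTERN: self-registration may only pick from a fixed allowlist of
// low-privilege roles (SI-10), and any role carrying an administrative
// capability is refused regardless of how it reached us (AC-2 / AC-6).
function secure_register_user( array $request ) {
    $allowed = array( 'subscriber', 'candidate', 'employer' ); // hypothetical site roles

    $role = sanitize_key( $request['role'] ?? '' );
    if ( ! in_array( $role, $allowed, true ) ) {
        $role = get_option( 'default_role', 'subscriber' ); // silently ignore anything else
    }

    // Capability check: even a misconfigured allowlist cannot hand out admin rights.
    $role_obj = get_role( $role );
    if ( ! $role_obj || $role_obj->has_cap( 'manage_options' ) || $role_obj->has_cap( 'edit_users' ) ) {
        return new WP_Error( 'forbidden_role', 'Role not permitted for self-registration.' );
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request['username'] ),
        'user_email' => sanitize_email( $request['email'] ),
        'user_pass'  => $request['password'],
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // Re-assert the role server-side after creation so that no other key in the
    // request array (e.g. a stray capability field) can have overridden it.
    $user = new WP_User( $user_id );
    $user->set_role( $role );
    return $user_id;
}
```

The hardened handler does nothing for accounts already created during the exposure window, so after patching, audit the user table for administrator-role accounts registered through the front-end form.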
