CVE-2024-12213
Published: 12 February 2025
Summary
CVE-2024-12213 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in the WP Job Board Pro plugin for WordPress by Apusthemes (catalogued here under the Apusthemes Superio theme, which ships the plugin). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The issue ranks in the 44.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-12213 is a privilege escalation vulnerability affecting the WP Job Board Pro plugin for WordPress in all versions up to and including 2.3.16. The flaw stems from the plugin accepting a client-supplied 'role' field during registration and assigning that role without a server-side check, so the request rather than the server decides the new account's privileges. It has been assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-266: Incorrect Privilege Assignment.
Unauthenticated attackers can exploit this vulnerability remotely, with low complexity and no user interaction. By setting the 'role' field to 'administrator' in the registration request, they obtain an administrator account and with it full control of the affected WordPress site: access to all stored data, modification of content and settings, and, unless file modification is disabled, code execution on the host via plugin or theme uploads.
The Wordfence advisory notes that the fix may predate the versions it could test: 1.2.85 is the oldest release it could confirm as patched, while the affected range is stated against plugin version 2.3.16. Since a 1.2.x release cannot be the fix for a range that includes 2.3.16, the two figures evidently refer to different version lines, so check the changelog of the specific plugin or theme build you run rather than comparing the numbers directly. Site administrators should update WP Job Board Pro to a patched version. Relevant details are available in the Wordfence threat intelligence report and the plugin's ThemeForest listing.
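The pattern behind this bug and the fix for it, as an added example: this is not code from WP Job Board Pro or Apusthemes, but a WordPress self-registration handler of the shape the advisory describes, first trusting a client-supplied 'role' (vulnerable) and then choosing the role server-side from an allow list (hardened), followed by an account audit for incident response. All example_* names, the 'example_register' AJAX action and the 'candidate'/'employer' role names are hypothetical; only the WordPress core functions are real.

```php
<?php
// Added example, not code from WP Job Board Pro or Apusthemes. It shows a
// WordPress self-registration handler of the kind the advisory describes:
// first trusting a client-supplied 'role' (vulnerable), then choosing the
// role server-side (hardened), plus an account audit for incident response.
// All example_* names, the 'example_register' AJAX action and the
// 'candidate'/'employer' role names are hypothetical.

/* ---------- Vulnerable form (not hooked; shown for contrast) ---------- */
// An unauthenticated POST to admin-ajax.php?action=example_register with
// role=administrator creates an administrator account: the request, not
// the server, decides the role.
function example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
        // The bug: the client-supplied value becomes the role. Sanitising it
        // does not help; 'administrator' is a perfectly clean string.
        'role'       => sanitize_text_field( wp_unslash( $_POST['role'] ?? 'subscriber' ) ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

/* ---------- Hardened form ---------- */
// Roles an anonymous visitor may pick at signup. Anything else falls back to
// the site's default role, so 'administrator' can never be requested.
function example_self_registration_roles() {
    return array( 'candidate', 'employer' );
}

// SI-10: validate the input against a server-side allow list and fall back
// to a safe default instead of trusting it.
function example_resolve_registration_role( $requested ) {
    $requested = sanitize_key( $requested );
    $allowed   = example_self_registration_roles();
    if ( in_array( $requested, $allowed, true ) && wp_roles()->is_role( $requested ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function example_register_hardened() {
    // Reject cross-site requests; dies with HTTP 403 on a bad nonce.
    check_ajax_referer( 'example_register', 'nonce' );

    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
        // The role is decided here, on the server, whatever the request says.
        'role'       => example_resolve_registration_role( wp_unslash( $_POST['role'] ?? '' ) ),
    );
    $user_id = wp_insert_user( $userdata );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'id' => $user_id ) );
}

// Register the hardened handler for logged-out and logged-in callers.
add_action( 'wp_ajax_nopriv_example_register', 'example_register_hardened' );
add_action( 'wp_ajax_example_register', 'example_register_hardened' );

/* ---------- Incident-response check (AC-2 / AC-6) ---------- */
// List administrator accounts registered on or after a date, e.g. the day a
// vulnerable version went live. Any entry you did not create is suspect.
function example_admins_registered_since( $since ) {
    $query = new WP_User_Query( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'inclusive' => true ) ),
        'fields'     => array( 'ID', 'user_login', 'user_email', 'user_registered' ),
    ) );
    return $query->get_results();
}
```

The audit at the end has a WP-CLI equivalent for sites where you would rather not run PHP: `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered`. Removing an attacker-created administrator is not enough on its own; check for plugins, themes, cron entries and application passwords added after the suspicious registration time, since those are how an administrator session is turned into persistence.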
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50686
Vulnerability details
The WP Job Board Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to 2.3.16. This is due to the plugin allowing a user to supply the 'role' field when registering. This makes it possible for unauthenticated attackers to register as an administrator on vulnerable sites. Please note that this may have been patched sooner, however, the oldest available version for us to confirm this is patched in was 1.2.85.
- CWE(s): CWE-266 Incorrect Privilege Assignment
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Direct privilege escalation via unauthenticated account creation with an attacker-chosen role on a public-facing WordPress plugin.
Affected Assets
- WP Job Board Pro plugin for WordPress (Apusthemes), all versions up to and including 2.3.16
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation of all system inputs, including the user-supplied 'role' field during registration; checking that value against a server-side allow list (or ignoring it entirely) removes the path by which an attacker picks their own privilege level.
AC-2 mandates proper management of account creation and role assignments according to policy, blocking unauthenticated users from self-assigning administrator privileges during registration.
AC-6 enforces the principle of least privilege for accounts and functions, limiting the impact of any improperly assigned elevated roles created through the vulnerability.