Cyber Resilience

CVE-2024-12264

Critical

Published: 07 January 2025
Modified: 15 April 2026
KEV Added: (not listed)
Patch:
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0057 (69.2nd percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12264 is a critical-severity Improper Authentication (CWE-287) vulnerability in the PayU CommercePro plugin for WordPress (the affected product is inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 30.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-12264 is a privilege escalation vulnerability in the PayU CommercePro Plugin for WordPress, affecting all versions up to and including 3.8.3. The flaw arises from the REST API endpoints /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost, which do not properly verify a user's identity before setting the user's ID and authentication cookies. This issue is classified under CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit the vulnerability remotely with low attack complexity and no user interaction. By leveraging the flawed endpoints, they can create new administrative user accounts on the WordPress site, enabling full unauthorized access and control over the affected instance.

Advisories, including the Wordfence threat intelligence report and WordPress plugin repository details, highlight the need to update beyond version 3.8.3. Relevant source code at line 187 in class-payu-shipping-tax-api-calculation.php and changeset 3217148 in the payu-india repository provide insight into the fix implementation.
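As an added illustration of the defect class described above (not the PayU CommercePro plugin's own code), the following shows a WordPress REST route that issues auth cookies for a caller-supplied user ID behind an open permission_callback, beside a hardened registration that takes identity only from what WordPress has already verified. The `payu_demo/v1` namespace, the `user_id` parameter and the `payu_demo_token` meta key are assumptions.

```php
<?php
// Added example (hypothetical), not the plugin's code. Namespace `payu_demo/v1`,
// the `user_id` parameter and the `payu_demo_token` meta key are assumptions.

// WEAK SHAPE (CWE-287): an open route that trusts a caller-supplied user ID and
// then issues authentication cookies for it. Any caller can become any user.
function payu_demo_register_weak_route() {
    register_rest_route( 'payu_demo/v1', '/generate-user-token', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',          // no identity check at all
        'callback'            => function ( WP_REST_Request $req ) {
            $user_id = (int) $req->get_param( 'user_id' ); // attacker-controlled value
            wp_set_current_user( $user_id );
            wp_set_auth_cookie( $user_id );                // session for an unverified identity
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );
}

// HARDENED: the permission callback rejects unauthenticated callers, and the
// handler acts only on the identity WordPress already verified (cookie + nonce,
// application password, or another authenticated REST scheme).
function payu_demo_register_hardened_route() {
    register_rest_route( 'payu_demo/v1', '/generate-user-token', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            if ( is_user_logged_in() ) {
                return true;
            }
            return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            $user_id = get_current_user_id();              // from WordPress, never from the request
            if ( 0 === $user_id ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
            }
            // Issue a fresh random API token for the verified user; persist only its hash.
            $token = wp_generate_password( 32, false );
            update_user_meta( $user_id, 'payu_demo_token', wp_hash( $token ) );
            return rest_ensure_response( array( 'token' => $token ) );
        },
    ) );
}

// Register only the hardened route; the weak one is kept solely for comparison.
add_action( 'rest_api_init', 'payu_demo_register_hardened_route' );
```

The same test applies to /get-shipping-cost: any handler that touches user state must obtain the identity from WordPress's authenticated request context, not from request parameters.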


Vulnerability details

The PayU CommercePro Plugin plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the user's ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.

CWE(s): CWE-287 (Improper Authentication)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136.001 Create Account: Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Direct remote exploitation of public-facing WordPress REST endpoints (T1190) enables unauthenticated creation of administrative accounts (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)
CVE-2026-1203 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2025-43995 (shared CWE-287)
CVE-2026-7876 (shared CWE-287)
CVE-2025-0637 (shared CWE-287)
CVE-2025-61882 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires verifying user identity prior to distributing authenticators such as auth cookies, directly addressing the endpoints' failure to validate identity before setting the user ID and cookies.

Prevent (AC-14, Permitted Actions Without Identification or Authentication): Limits and documents actions allowable without identification and authentication, preventing unauthenticated privilege escalation via sensitive API endpoints.

Prevent (AC-3, Access Enforcement): Mandates enforcement of approved authorizations before granting access, countering the lack of access checks in the vulnerable REST API endpoints.

References