CVE-2024-12264
Published: 07 January 2025
Summary
CVE-2024-12264 is a critical-severity Improper Authentication (CWE-287) vulnerability in the PayU CommercePro Plugin for WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 30.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-12264 is a privilege escalation vulnerability in the PayU CommercePro Plugin for WordPress, affecting all versions up to and including 3.8.3. The flaw arises from the REST API endpoints /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost, which do not properly verify a user's identity before setting the user's ID and authentication cookies. This issue is classified under CWE-287 (Improper Authentication) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit the vulnerability remotely with low attack complexity and no user interaction. By leveraging the flawed endpoints, they can create new administrative user accounts on the WordPress site, enabling full unauthorized access and control over the affected instance.
Advisories, including the Wordfence threat intelligence report and WordPress plugin repository details, highlight the need to update beyond version 3.8.3. Relevant source code at line 187 in class-payu-shipping-tax-api-calculation.php and changeset 3217148 in the payu-india repository provide insight into the fix implementation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50728
Vulnerability details
The PayU CommercePro Plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.8.3. This is due to the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost REST API endpoints not properly verifying a user's identity prior to setting the user's ID and auth cookies. This makes it possible for unauthenticated attackers to create new administrative user accounts.
- CWE(s): CWE-287 (Improper Authentication)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of public-facing WordPress REST endpoints (T1190) enables unauthenticated creation of administrative accounts (Create Account: Local Account, T1136.001).
Affected Assets
- PayU CommercePro Plugin for WordPress, all versions up to and including 3.8.3
Mitigating Controls (NIST 800-53 r5)
- Identity verification before authenticator distribution: requires verifying a user's identity prior to issuing authenticators such as auth cookies, directly addressing the endpoints' failure to validate identity before setting the user ID and cookies.
- AC-14 (Permitted Actions Without Identification or Authentication): limits and documents the actions allowed without identification and authentication, preventing unauthenticated privilege escalation via sensitive API endpoints.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations before granting access, countering the lack of access checks in the vulnerable REST API endpoints.
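The following is an added illustration of the vulnerable pattern the advisory describes and of the hardened form the controls above call for. It is example code written for this page, not the PayU CommercePro plugin's actual source, and the route names, namespaces and parameter names are assumptions chosen for readability; the WordPress API calls (register_rest_route, wp_set_auth_cookie, is_user_logged_in, current_user_can and so on) are real.

```php
<?php
// Added example, not the plugin's code. Namespaces "example-vuln" and
// "example-fixed" and the "user_id"/"email" parameters are hypothetical.

add_action( 'rest_api_init', function () {

    // VULNERABLE PATTERN (CWE-287): anyone may call the route, and it logs the
    // caller in as whatever account the request names. Because auth cookies
    // are set from an unverified identity, an unauthenticated attacker can
    // become an existing administrator (user ID 1 is the first admin on most
    // installs) and then create further admin accounts through wp-admin.
    register_rest_route( 'example-vuln/v1', '/generate-user-token', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // no identity check at all
        'callback'            => function ( WP_REST_Request $req ) {
            $user_id = (int) $req->get_param( 'user_id' );   // attacker controlled
            if ( ! get_user_by( 'id', $user_id ) ) {
                // Unknown ID: create an account from request data (also unverified)
                $email   = sanitize_email( $req->get_param( 'email' ) );
                $user_id = wp_create_user( $email, wp_generate_password(), $email );
            }
            wp_set_current_user( $user_id );    // becomes that user ...
            wp_set_auth_cookie( $user_id );     // ... and receives their session cookies
            return rest_ensure_response( array( 'ok' => true ) );
        },
    ) );

    // HARDENED PATTERN: identity is established by WordPress before the
    // callback runs (cookie + valid X-WP-Nonce header, otherwise the request
    // is treated as anonymous). The route acts only on the verified caller
    // and never sets cookies for an ID taken from the request body.
    register_rest_route( 'example-fixed/v1', '/generate-user-token', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.',
                                     array( 'status' => 401 ) );
            }
            return true;   // AC-3: authorization enforced before the callback runs
        },
        'callback'            => function () {
            $user_id = get_current_user_id();               // verified session, not input
            $token   = wp_generate_password( 32, false );
            // Persist only a keyed hash of the token, bound to the real caller
            update_user_meta( $user_id, 'example_api_token_hash', wp_hash( $token ) );
            return rest_ensure_response( array( 'token' => $token ) );
        },
    ) );

    // Account creation stays behind a capability check; an unauthenticated
    // caller can never reach it, and a logged-in customer cannot either.
    register_rest_route( 'example-fixed/v1', '/create-user', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'create_users' );
        },
        'callback'            => function ( WP_REST_Request $req ) {
            $email   = sanitize_email( $req->get_param( 'email' ) );
            $user_id = wp_create_user( $email, wp_generate_password(), $email );
            if ( is_wp_error( $user_id ) ) {
                return $user_id;
            }
            ( new WP_User( $user_id ) )->set_role( 'subscriber' );   // never 'administrator' from input
            return rest_ensure_response( array( 'user_id' => $user_id ) );
        },
    ) );

    // AC-14: an endpoint that must work for anonymous shoppers is fine, as long
    // as the only thing it does is the permitted unauthenticated action.
    // It computes a value and touches no user state or cookies.
    register_rest_route( 'example-fixed/v1', '/get-shipping-cost', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $req ) {
            $weight_kg = max( 0.0, (float) $req->get_param( 'weight_kg' ) );
            return rest_ensure_response( array( 'cost' => round( 5.0 + 2.0 * $weight_kg, 2 ) ) );
        },
    ) );
} );
```

The review question to ask of any REST route is whether its callback derives identity from `get_current_user_id()` and gates privileged work in `permission_callback`, or whether it takes a user identifier from the request and calls `wp_set_auth_cookie` on it. A `permission_callback` of `'__return_true'` is legitimate only for routes whose entire behaviour is safe for anonymous callers, as in the shipping-cost example.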