Cyber Resilience

CVE-2024-12295

Severity: High
Published: 19 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (fixed in versions beyond 1.8.0)
CVSS v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0014 (34.0th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12295 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in the BoomBox Theme Extensions plugin for WordPress (affected vendor recorded as Themeforest, inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 34.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12295 is a privilege escalation vulnerability via account takeover in the BoomBox Theme Extensions plugin for WordPress, affecting all versions up to and including 1.8.0. The issue arises because the plugin does not properly validate a user's identity before updating their password through the 'boombox_ajax_reset_password' function. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-640.

Authenticated attackers with subscriber-level privileges or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the flawed password reset function, they can change the passwords of arbitrary users, including administrators, and use this to take over those accounts for further compromise.

Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c453aaf6-767d-4929-bbb3-3c0b78b0507a?source=cve. Security practitioners should review the plugin's page on ThemeForest at https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434 for update guidance, as the vulnerability is resolved in versions beyond 1.8.0.

Vulnerability details

The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary users' passwords, including administrators, and leverage that to gain access to their accounts.

CWE(s): CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability allows authenticated low-privileged users to change passwords of arbitrary accounts (including administrators) via a flawed password reset function, directly enabling privilege escalation to take over higher-privileged accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32103 (shares CWE-640)
CVE-2025-50433 (shares CWE-640)
CVE-2026-30459 (shares CWE-640)
CVE-2025-63314 (shares CWE-640)
CVE-2026-29199 (shares CWE-640)
CVE-2026-27593 (shares CWE-640)
CVE-2026-2895 (shares CWE-640)
CVE-2026-40585 (shares CWE-640)
CVE-2025-69614 (shares CWE-640)
CVE-2026-7459 (shares CWE-640)

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI mapping)

Prevent: Remediating the specific flaw in the BoomBox plugin's boombox_ajax_reset_password function by updating beyond version 1.8.0 directly prevents unauthorized password changes and account takeover.

Prevent (SI-10 Information Input Validation): Validating user identity inputs to the password reset function prevents authenticated low-privilege attackers from updating arbitrary users' passwords.

Prevent (AC-2 Account Management): Managing accounts with proper authorization and validation requirements for password modifications blocks privilege escalation via unauthorized account takeovers.
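The CWE-640 pattern described in the Deeper analysis section (a password update that trusts a caller-supplied account identifier) and the input-validation and account-management controls listed above are easiest to see side by side in code. The following is an added illustration written for this page; it is not the BoomBox plugin's code, and the function names, hook names, POST field names and the `example_reset_password` nonce action are hypothetical. It uses only standard WordPress API calls.

```php
<?php
// Added illustration of the CWE-640 pattern; NOT the BoomBox plugin's code.
// All function, hook and field names below are hypothetical.

// --- Vulnerable pattern: the target account comes from the request ---------
function example_vulnerable_reset_password() {
    // Every logged-in user (subscriber and up) can reach wp_ajax_* hooks.
    // The account to modify is read straight from POST, so the caller's
    // identity is never tied to the account whose password changes.
    $user_id  = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $new_pass = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';

    if ( $user_id && '' !== $new_pass ) {
        wp_set_password( $new_pass, $user_id ); // changes ANY account's password
        wp_send_json_success();                 // wp_die()s after sending
    }
    wp_send_json_error();
}
add_action( 'wp_ajax_example_vulnerable_reset_password', 'example_vulnerable_reset_password' );

// --- Hardened pattern: identity bound to the session, re-authenticated ------
function example_secure_reset_password() {
    // 1. CSRF protection: the request must carry a nonce minted for this action.
    check_ajax_referer( 'example_reset_password', 'nonce' );

    // 2. Identity binding (AC-2): the only account that can be changed is the
    //    caller's own. No account identifier is accepted from the request.
    $user = wp_get_current_user();
    if ( ! $user instanceof WP_User || ! $user->exists() ) {
        wp_send_json_error( 'not logged in', 401 );
    }

    // 3. Input validation (SI-10): unslash, coerce to string, enforce policy.
    $current  = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }

    // 4. Re-authentication: the caller must prove possession of the existing
    //    credential before it is replaced.
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    wp_set_password( $new_pass, $user->ID );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_secure_reset_password', 'example_secure_reset_password' );
```

The essential difference is step 2: the hardened handler derives the target account from the authenticated session instead of from request data, so a subscriber cannot name an administrator's user id. Where a genuine forgotten-password flow is required (no current password available), WordPress core's own mechanism binds the reset to a per-user key that `check_password_reset_key()` verifies before `reset_password()` is called; a handler that skips that key check reintroduces the same CWE-640 weakness.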

References