CVE-2024-12295
Published: 19 March 2025
Summary
CVE-2024-12295 is a high-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Themeforest (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-12295 is a privilege escalation vulnerability via account takeover in the BoomBox Theme Extensions plugin for WordPress, affecting all versions up to and including 1.8.0. The issue arises because the plugin does not properly validate a user's identity before updating their password through the 'boombox_ajax_reset_password' function. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H) and maps to CWE-640.
Authenticated attackers with subscriber-level privileges or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the flawed password reset function, they can change the passwords of arbitrary users, including administrators, and use this to take over those accounts for further compromise.
Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c453aaf6-767d-4929-bbb3-3c0b78b0507a?source=cve. Security practitioners should review the plugin's page on ThemeForest at https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434 for update guidance, as the vulnerability is resolved in versions beyond 1.8.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-6716
Vulnerability details
The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary users' passwords, including administrators, and leverage that to gain access to their accounts.
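As an added illustration, not code from the BoomBox Theme Extensions plugin or from Themeforest, the following PHP contrasts a WordPress AJAX password-update handler that exhibits the CWE-640 pattern described above (the account to modify is taken on trust from the request) with a hardened handler that binds the change to the authenticated session, checks authorization for any other account, and validates the input. The action names, nonce action and minimum password length are assumptions made for the example.

```php
<?php
// Added example; hypothetical handler names, not the plugin's own code.

// Vulnerable pattern (CWE-640): the account whose password is changed is
// chosen by the request, so any logged-in user can name an arbitrary ID.
function example_reset_password_vulnerable() {
    $user_id      = intval( $_POST['user_id'] ?? 0 );
    $new_password = (string) ( $_POST['new_password'] ?? '' );

    wp_set_password( $new_password, $user_id ); // no identity or capability check
    wp_send_json_success();
}
add_action( 'wp_ajax_example_reset_password', 'example_reset_password_vulnerable' );

// Hardened pattern: nonce, identity from the session, capability check for
// other accounts, input validation, and re-authentication for self-service.
function example_reset_password_hardened() {
    // 1. CSRF check: the nonce must have been issued for this action.
    //    check_ajax_referer() with a false third argument returns false
    //    instead of dying, so the handler can send a JSON error.
    if ( ! check_ajax_referer( 'example_reset_password', 'nonce', false ) ) {
        wp_send_json_error( 'invalid nonce', 403 );
    }

    // 2. Identity check: the caller is whoever WordPress authenticated,
    //    never whoever the request body claims.
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $target_user_id = intval( $_POST['user_id'] ?? $current_user_id );

    // 3. Authorization check (AC-2): changing another account requires the
    //    core 'edit_user' meta capability for that specific account.
    if ( $target_user_id !== $current_user_id
         && ! current_user_can( 'edit_user', $target_user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 4. Input validation (SI-10): the new password must be present and
    //    meet a minimum length (12 is an assumed policy value).
    $new_password = (string) ( $_POST['new_password'] ?? '' );
    if ( strlen( $new_password ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    // 5. Re-authentication: a user changing their own password must prove
    //    the current one, so a hijacked session alone is not enough.
    if ( $target_user_id === $current_user_id ) {
        $user             = get_userdata( $current_user_id );
        $current_password = (string) ( $_POST['current_password'] ?? '' );
        if ( ! $user || ! wp_check_password( $current_password, $user->user_pass, $user->ID ) ) {
            wp_send_json_error( 'current password incorrect', 403 );
        }
    }

    wp_set_password( $new_password, $target_user_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_reset_password_hardened', 'example_reset_password_hardened' );
```

The decisive difference is step 2: the hardened handler derives the subject of the password change from get_current_user_id(), and only allows a different target when current_user_can( 'edit_user', ... ) confirms the caller may manage that account. When reviewing a plugin for this class of flaw, look for any call to wp_set_password() whose user ID argument can be traced back to request input without such a check.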
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows authenticated low-privileged users to change passwords of arbitrary accounts (including administrators) via a flawed password reset function, directly enabling privilege escalation to take over higher-privileged accounts.
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: updating the BoomBox plugin beyond version 1.8.0 removes the specific defect in its boombox_ajax_reset_password function and so directly prevents unauthorized password changes and account takeover.
- SI-10 (Information Input Validation): validating the user-identity inputs to the password reset function prevents authenticated low-privilege attackers from updating arbitrary users' passwords.
- AC-2 (Account Management): managing accounts with proper authorization and validation requirements for password modifications blocks privilege escalation via unauthorized account takeover.