Cyber Resilience

CVE-2024-12386

High

Published: 12 February 2025

Modified: 20 February 2025
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS score: 0.0011 (29.8th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12386 is a high-severity CSRF (CWE-352) vulnerability in Kevonadonis Wp Abstracts. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious Link (T1204.001). The CVE is ranked at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12386 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the WP Abstracts plugin for WordPress in all versions up to and including 2.7.3. The issue arises from missing nonce validation on multiple plugin functions and carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H). Published on 2025-02-12, it allows unauthorized actions because the affected handlers accept requests that carry no valid nonce.

Unauthenticated attackers can exploit this vulnerability by crafting a forged request and tricking a site administrator into submitting it, for example by clicking a malicious link. Successful exploitation allows the deletion of arbitrary accounts, giving high integrity and availability impact without prior privileges, though it depends on user interaction.

Mitigation details are provided in the WordPress plugin Trac (changeset 3238664), the plugin's developer page on WordPress.org, and Wordfence threat intelligence. Security practitioners should review these sources and update the WP Abstracts plugin to a version later than 2.7.3 to address the missing nonce validation.

EU & UK References

Vulnerability details

The WP Abstracts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.7.3. This is due to missing nonce validation on multiple functions. This makes it possible for unauthenticated attackers to delete arbitrary accounts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.

T1531 Account Access Removal (Impact)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

CSRF requires delivery via a malicious link (T1204.001), often through spearphishing (T1566.002), and directly enables account deletion (T1531).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-24742 (shared CWE-352)
CVE-2026-4922 (shared CWE-352)
CVE-2026-40926 (shared CWE-352)
CVE-2024-51144 (shared CWE-352)
CVE-2026-25812 (shared CWE-352)
CVE-2025-59894 (shared CWE-352)
CVE-2024-47100 (shared CWE-352)
CVE-2025-26963 (shared CWE-352)
CVE-2026-38566 (shared CWE-352)
CVE-2025-25154 (shared CWE-352)

Affected Assets

Vendor: kevonadonis
Product: wp abstracts
Versions: ≤ 2.7.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SC-23 (Session Authenticity) requires mechanisms such as anti-CSRF tokens or nonces to protect session authenticity, directly mitigating the missing nonce validation that enables forged requests in CVE-2024-12386.

Prevent: SI-10 (Information Input Validation) enforces validation of all information inputs, including nonce parameters on plugin functions, preventing unauthenticated attackers from successfully submitting forged requests.

Prevent: SI-2 (Flaw Remediation) mandates timely identification, reporting, and correction of software flaws like the missing nonce checks in WP Abstracts up to version 2.7.3, enabling patching to eliminate the vulnerability.
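To make the "missing nonce validation" described in the deeper analysis and the SC-23/SI-10 controls above concrete, here is an added illustration in WordPress PHP. It is not the WP Abstracts plugin's code and does not reproduce any of its handlers; it shows a hypothetical admin-post action that deletes a user account, first in the CSRF-vulnerable shape (no nonce check) and then hardened with WordPress's nonce and capability APIs. All `wpa_` function and action names are invented for this example; `check_admin_referer`, `wp_nonce_url`, `current_user_can` and `wp_delete_user` are real WordPress core functions.

```php
<?php
/**
 * Added illustration (not the WP Abstracts plugin's code): a hypothetical
 * admin-post handler that deletes a user account. The first function shows
 * the CSRF-vulnerable shape the advisory describes (no nonce validation);
 * the second shows the hardened shape. Names prefixed "wpa_" are invented.
 */

// --- Vulnerable shape (shown for contrast, deliberately NOT registered with add_action).
// Any page the logged-in administrator visits can cause the browser to send this
// request with the admin's session cookies, and nothing proves the admin intended it.
function wpa_vulnerable_delete_account() {
    require_once ABSPATH . 'wp-admin/includes/user.php';
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    if ( $user_id ) {
        wp_delete_user( $user_id ); // runs under the victim admin's session
    }
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}

// --- Hardened shape: nonce bound to the specific user id, plus a capability check.
function wpa_hardened_delete_account() {
    $user_id = isset( $_REQUEST['user_id'] ) ? absint( $_REQUEST['user_id'] ) : 0;
    if ( ! $user_id ) {
        wp_die( 'Missing user id.', 403 );
    }

    // check_admin_referer() reads the _wpnonce parameter, verifies it against the
    // action string for this user id, and calls wp_die() if it is missing, expired
    // or was not issued to this logged-in user. A cross-origin forged request
    // cannot supply a valid value because the nonce is derived from the user's
    // session token and a secret salt the attacker does not have.
    check_admin_referer( 'wpa_delete_account_' . $user_id );

    // A nonce proves intent, not authority: the capability check is still required.
    if ( ! current_user_can( 'delete_users' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // Defensive: never let this path remove the account that is performing the action.
    if ( get_current_user_id() === $user_id ) {
        wp_die( 'Refusing to delete the current user.', 403 );
    }

    require_once ABSPATH . 'wp-admin/includes/user.php';
    wp_delete_user( $user_id );
    wp_safe_redirect( add_query_arg( 'wpa_deleted', '1', admin_url( 'users.php' ) ) );
    exit;
}
add_action( 'admin_post_wpa_delete_account', 'wpa_hardened_delete_account' );

// --- Issuing side: the legitimate link carries the nonce for that exact user id.
// wp_nonce_url() appends _wpnonce=<token>; a link built on another origin has no
// way to compute the token, so the hardened handler rejects it.
function wpa_delete_account_link( $user_id ) {
    $user_id = absint( $user_id );
    $url     = add_query_arg(
        array(
            'action'  => 'wpa_delete_account',
            'user_id' => $user_id,
        ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'wpa_delete_account_' . $user_id );
}
```

Two points worth checking in any plugin audit for this CWE: the nonce action string should include the object being acted on (here the user id), so a nonce issued for one deletion cannot be replayed against another, and the nonce check must sit next to a capability check, because WordPress nonces are tied to a logged-in session but say nothing about what that session is allowed to do.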

References