Cyber Resilience

CVE-2024-12402

Critical

Published: 07 January 2025

Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (changeset 3303561)
CVSS Score (v3.1): 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0057 (69.2 percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12402 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-12402 is a privilege escalation vulnerability via account takeover in the Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress, affecting all versions up to and including 1.3.4. The issue stems from the plugin failing to properly validate a user's identity before calling the update_user_profile() function to change passwords, enabling unauthorized password modifications.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. By targeting the flawed endpoint, they can reset the password of any WordPress user, including administrators, to gain full account access and potentially compromise the site. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), linked to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Advisories reference the vulnerable code in app_user.php at line 338, with a patch applied in changeset 3303561. The Wordfence threat intelligence page provides further details on the vulnerability and mitigation guidance.
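As an added illustration of the flaw class, and not code from the plugin (whose endpoint and handler details are not given here), the following hypothetical WordPress REST route shows the CWE-288 pattern the advisory describes next to a hardened version. The route namespace example-app/v1, the handler and parameter names are assumptions; the WordPress functions used (register_rest_route, get_current_user_id, current_user_can, wp_check_password, wp_set_password) are standard core APIs.

```php
<?php
// Added illustration, not the plugin's code. Two hypothetical REST routes under
// the assumed namespace example-app/v1 that change a user's password. The first
// shows the CWE-288 pattern (identity never validated before the update); the
// second shows the hardened form. A real plugin would register only the second.

// VULNERABLE PATTERN: open to everyone ('__return_true'), trusts a caller-supplied
// user_id, and updates the password with no identity check at all.
function example_app_register_insecure_route() {
    register_rest_route( 'example-app/v1', '/password-insecure', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            $user_id = (int) $request->get_param( 'user_id' );
            wp_set_password( (string) $request->get_param( 'new_password' ), $user_id );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
}

// HARDENED FORM: requires an authenticated caller, binds the target account to the
// caller (or to an account holder with edit_user on the target), and re-checks the
// current password when a user changes their own authenticator.
function example_app_register_secure_route() {
    register_rest_route( 'example-app/v1', '/password', array(
        'methods'             => 'POST',
        // Cookie-based REST auth only counts as logged in when a valid X-WP-Nonce
        // accompanies the request; otherwise get_current_user_id() returns 0.
        'permission_callback' => function () {
            return is_user_logged_in();
        },
        'args'                => array(
            'user_id'          => array( 'required' => true, 'type' => 'integer' ),
            'current_password' => array( 'required' => false, 'type' => 'string' ),
            'new_password'     => array( 'required' => true, 'type' => 'string' ),
        ),
        'callback'            => 'example_app_change_password',
    ) );
}

function example_app_change_password( WP_REST_Request $request ) {
    $target_id = (int) $request->get_param( 'user_id' );
    $caller_id = get_current_user_id();

    $user = get_userdata( $target_id );
    if ( ! $user ) {
        return new WP_Error( 'rest_not_found', 'Unknown user.', array( 'status' => 404 ) );
    }

    if ( $caller_id === $target_id ) {
        // Self-service change: a live session alone is not proof of identity for an
        // authenticator change (IA-5), so require the current password.
        $current = (string) $request->get_param( 'current_password' );
        if ( '' === $current || ! wp_check_password( $current, $user->user_pass, $target_id ) ) {
            return new WP_Error( 'rest_invalid_credentials', 'Current password is incorrect.', array( 'status' => 403 ) );
        }
    } elseif ( ! current_user_can( 'edit_user', $target_id ) ) {
        // Changing someone else's password needs the edit_user meta capability (AC-3).
        return new WP_Error( 'rest_forbidden', 'Not allowed to change this password.', array( 'status' => 403 ) );
    }

    $new_password = (string) $request->get_param( 'new_password' );
    if ( strlen( $new_password ) < 12 ) {
        return new WP_Error( 'rest_invalid_param', 'Password too short.', array( 'status' => 400 ) );
    }

    wp_set_password( $new_password, $target_id );
    // Audit trail so unexpected password changes are detectable (AC-2).
    error_log( sprintf( 'example-app: password for user %d changed by user %d', $target_id, $caller_id ) );

    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', 'example_app_register_secure_route' );
```

The distinguishing check is the branch on get_current_user_id(): the target account is derived from who the caller is, not from a request parameter alone, and a change to another account is gated by the edit_user capability. The error_log line is there so that a password change on an administrator account by an unexpected actor shows up in server logs.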

EU & UK References

Vulnerability details

The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
Why these techniques?

The vulnerability enables remote, unauthenticated exploitation of a public-facing WordPress plugin (T1190) to bypass authentication and perform unauthorized account password changes (T1098), resulting in the takeover of valid accounts, including admin (T1078).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-13442 (shared CWE-288)
CVE-2026-25357 (shared CWE-288)
CVE-2025-1061 (shared CWE-288)
CVE-2025-6895 (shared CWE-288)
CVE-2025-23504 (shared CWE-288)
CVE-2026-29139 (shared CWE-288)
CVE-2025-1564 (shared CWE-288)
CVE-2025-8359 (shared CWE-288)
CVE-2026-27389 (shared CWE-288)
CVE-2025-7710 (shared CWE-288)

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

AC-3 (prevent): enforces approved authorizations for access to system resources, directly preventing unauthenticated attackers from updating user passwords via the flawed plugin endpoint.

IA-5 (prevent): requires identity verification prior to changing authenticators like passwords, mitigating the plugin's failure to validate user identity before calling update_user_profile().

AC-2 (prevent): mandates procedures for managing account modifications, including password changes with identity verification, addressing unauthorized account takeovers in the plugin.

References