CVE-2024-12402
Published: 07 January 2025
Summary
CVE-2024-12402 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-12402 is a privilege escalation vulnerability via account takeover in the Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress, affecting all versions up to and including 1.3.4. The issue stems from the plugin failing to properly validate a user's identity before calling the update_user_profile() function to change passwords, enabling unauthorized password modifications.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. By targeting the flawed endpoint, they can reset the password of any WordPress user, including administrators, to gain full account access and potentially compromise the site. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), linked to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Advisories reference the vulnerable code in app_user.php at line 338; the fix was applied in changeset 3303561. The Wordfence threat intelligence page provides further details on the vulnerability and mitigation guidance.
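As an added illustration (not the plugin's code; the route, function and parameter names are assumed, since the page does not show the plugin's endpoint), the missing-identity-check pattern described above beside a hardened WordPress REST handler for a password change:

```php
<?php
// Hypothetical WordPress REST handlers (not the plugin's code; names assumed).
// Weak pattern (CWE-288): a client-supplied user_id is trusted and the password
// is set without any check of who is making the request.
function tc_example_weak_update_user_profile( WP_REST_Request $request ) {
    $user_id  = (int) $request->get_param( 'user_id' );
    $password = (string) $request->get_param( 'password' );
    wp_set_password( $password, $user_id ); // any caller can reset any account
    return rest_ensure_response( array( 'updated' => true ) );
}

// Hardened form: require a logged-in caller, bind the change to the caller's own
// account unless they hold edit_users, and demand the current password for
// self-service changes so a hijacked session alone is not enough.
function tc_example_safe_update_user_profile( WP_REST_Request $request ) {
    $caller_id = get_current_user_id(); // 0 when the request is unauthenticated
    if ( 0 === $caller_id ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target_id = (int) $request->get_param( 'user_id' );
    if ( $target_id !== $caller_id && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to modify this account.', array( 'status' => 403 ) );
    }
    $new_password = (string) $request->get_param( 'password' );
    if ( strlen( $new_password ) < 12 ) {
        return new WP_Error( 'rest_invalid_param', 'Password too short.', array( 'status' => 400 ) );
    }
    if ( $target_id === $caller_id ) {
        $user    = get_userdata( $caller_id );
        $current = (string) $request->get_param( 'current_password' );
        if ( ! $user || ! wp_check_password( $current, $user->user_pass, $caller_id ) ) {
            return new WP_Error( 'rest_forbidden', 'Current password is incorrect.', array( 'status' => 403 ) );
        }
    }
    wp_set_password( $new_password, $target_id );
    return rest_ensure_response( array( 'updated' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'tc-example/v1', '/profile/password', array(
        'methods'             => 'POST',
        'callback'            => 'tc_example_safe_update_user_profile',
        // Runs before the callback; an anonymous request is refused here. Returning
        // true unconditionally (__return_true) would reintroduce the CWE-288 bug.
        'permission_callback' => function () { return is_user_logged_in(); },
    ) );
} );
```

With cookie authentication, WordPress only populates the current user for REST requests that carry a valid X-WP-Nonce, so an unauthenticated call to this route is rejected at the permission callback before the handler runs.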
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50826
Vulnerability details
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote, unauthenticated exploitation of a public-facing WordPress plugin (T1190) to bypass authentication and change account passwords without authorization (T1098), resulting in takeover of valid accounts, including administrator accounts (T1078).
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for access to system resources, directly preventing unauthenticated attackers from updating user passwords via the flawed plugin endpoint.
IA-5 requires identity verification prior to changing authenticators like passwords, mitigating the plugin's failure to validate user identity before calling update_user_profile().
AC-2 mandates procedures for managing account modifications including password changes with identity verification, addressing unauthorized account takeovers in the plugin.