Cyber Posture

CVE-2024-12470

Critical

Published: 07 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: update the plugin to a version later than 1.0.8
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0038 (59.6th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12470 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in the School Management System – SakolaWP plugin for WordPress, affecting all versions up to and including 1.0.8 (product inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, its EPSS score of 0.0038 sits at the 59.6th percentile, placing it in the top 40.4% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring identification, reporting, and timely patching of the flaw in the SakolaWP plugin's registration function that fails to restrict roles.

Prevent (AC-2, Account Management): Ensures system accounts, including those created through self-registration, are managed with appropriate role assignments, so that unauthenticated users cannot obtain administrator privileges.

Prevent (SI-10, Information Input Validation): Requires validation of the role input accepted by the plugin's registration endpoint, blocking attackers from specifying unauthorized administrative roles.

NVD Description

The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user.

Deeper analysis

CVE-2024-12470 is a privilege escalation vulnerability in the School Management System – SakolaWP plugin for WordPress, affecting all versions up to and including 1.0.8. The issue arises because the plugin's registration function does not properly restrict the roles that users can select during signup, mapped to CWE-266 (Incorrect Privilege Assignment). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high potential impact.

Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By accessing the registration endpoint, they can choose an administrative role during signup, gaining immediate admin access to the WordPress site. This enables full control, including data exfiltration, modification, or deletion, as well as potential deployment of further malware.
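The following is an added illustrative example, not code from the SakolaWP plugin or from the advisories. It shows the CWE-266 pattern the analysis describes (a client-chosen role written straight into the new account) next to a hardened registration handler. The function names, form field names, AJAX action name and the role list (`student`, `parent`) are assumptions made for the example.

```php
<?php
/**
 * Added illustrative example, not the SakolaWP plugin's own code.
 * Shows the CWE-266 pattern behind CVE-2024-12470 (a client-chosen role
 * written straight into the new account) next to a hardened handler.
 * Function names, form field names, the AJAX action name and the role
 * list are hypothetical.
 */

// VULNERABLE PATTERN: the role is read from the unauthenticated request and
// handed to wp_insert_user() as-is. sanitize_key() only normalises the string;
// 'administrator' is a perfectly valid key, so role=administrator creates an admin.
function sakola_example_register_vulnerable() {
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sanitize_key( $_POST['role'] ?? '' ), // unrestricted
    );
    return wp_insert_user( $userdata ); // user ID on success, WP_Error on failure
}

// HARDENED: the request value is only a selector into a fixed allowlist of
// low-privilege roles. Anything else falls back to the site's default role, so
// privileged roles can never be reached from this code path.
function sakola_example_allowed_role( $requested ) {
    $allowed   = array( 'student', 'parent' ); // hypothetical plugin roles
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, $allowed, true ) && wp_roles()->is_role( $requested ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function sakola_example_register_fixed() {
    // Honour the site-wide "anyone can register" switch.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_disabled', 'Registration is disabled.' );
    }
    // Reject forged cross-site posts; the nonce is emitted with the registration form.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'sakola_example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid registration request.' );
    }
    $userdata = array(
        'user_login' => sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['email'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['password'] ?? '' ),
        'role'       => sakola_example_allowed_role( $_POST['role'] ?? '' ),
    );
    if ( '' === $userdata['user_login'] || ! is_email( $userdata['user_email'] ) || '' === $userdata['user_pass'] ) {
        return new WP_Error( 'missing_fields', 'Username, e-mail and password are required.' );
    }
    return wp_insert_user( $userdata );
}

// Expose only the hardened handler to logged-out visitors (hypothetical action name).
add_action( 'wp_ajax_nopriv_sakola_example_register', function () {
    $result = sakola_example_register_fixed();
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $result ) );
} );
```

The structural fix is that the client-supplied value never becomes the role; it only selects from an allowlist, and an unmatched value is discarded rather than rejected with a helpful error that would tell the attacker which roles exist. Sanitising alone does not help here, because `administrator` is a well-formed role key. A quick audit for this bug class in any plugin is to grep for `wp_insert_user`, `wp_create_user`, `set_role` and `add_role` and check whether the role argument can be traced back to `$_POST`, `$_GET` or `$_REQUEST` without passing through an allowlist or a capability check such as `current_user_can( 'promote_users' )`.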

Advisories from Wordfence and the plugin's WordPress.org listing provide further details on the issue. Mitigation requires updating to a version later than 1.0.8, in which the registration role restrictions have been addressed. Security practitioners should inventory WordPress sites for the plugin at version 1.0.8 or earlier, apply updates promptly, and, because the flaw lets anyone register as an administrator, review the user table for administrator accounts created while a vulnerable version was exposed.

Details

CWE(s)

CWE-266 (Incorrect Privilege Assignment)

Affected Products

WordPress: School Management System – SakolaWP plugin, all versions up to and including 1.0.8
(inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-13251 (shared CWE-266)
CVE-2026-27102 (shared CWE-266)
CVE-2025-69293 (shared CWE-266)
CVE-2024-32444 (shared CWE-266)
CVE-2026-25414 (shared CWE-266)
CVE-2026-22907 (shared CWE-266)
CVE-2026-32520 (shared CWE-266)
CVE-2025-31643 (shared CWE-266)
CVE-2024-43333 (shared CWE-266)
CVE-2025-33179 (shared CWE-266)
