CVE-2024-12470
Published: 07 January 2025
Summary
CVE-2024-12470 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 32.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-12470 is a privilege escalation vulnerability in the School Management System – SakolaWP plugin for WordPress, affecting all versions up to and including 1.0.8. The issue arises because the plugin's registration function does not properly restrict the roles that users can select during signup, mapped to CWE-266 (Incorrect Privilege Assignment). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high potential impact.
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By accessing the registration endpoint, they can choose an administrative role during signup, gaining immediate admin access to the WordPress site. This enables full control, including data exfiltration, modification, or deletion, as well as potential deployment of further malware.
Advisories from Wordfence and the plugin's WordPress.org listing provide further details on the issue. Mitigation requires updating to a version beyond 1.0.8, where the registration role restrictions have been addressed. Security practitioners should scan environments for the vulnerable plugin versions and apply updates promptly.
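The defect class described above, as an added illustration that is not the SakolaWP plugin's own code: a WordPress-style self-registration handler that passes a caller-supplied role straight to `wp_insert_user()`, beside a hardened version that restricts self-registration to an allow-list of low-privilege roles. The request field name `role` and the role names `student` and `parent` are assumptions for this example.

```php
<?php
// Added illustration (not the SakolaWP plugin's code). The request field
// 'role' and the roles 'student'/'parent' are assumed for this example.

// Vulnerable pattern: the role comes from the request unchecked, so any role
// name the site knows, including 'administrator', is accepted at signup.
function sakola_demo_register_vulnerable() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role, // CWE-266: privilege chosen by the caller
    ) );
}

// Hardened pattern: self-registration may only yield a fixed set of
// low-privilege roles; anything else is refused server-side.
function sakola_demo_allowed_signup_roles() {
    return array( 'subscriber', 'student', 'parent' );
}

function sakola_demo_register_hardened() {
    $login = sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) );
    $role  = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );

    if ( ! in_array( $role, sakola_demo_allowed_signup_roles(), true ) ) {
        return new WP_Error( 'invalid_role', 'Role not permitted for self-registration.' );
    }

    // Defence in depth: refuse any role carrying admin-level capabilities,
    // even if it is later added to the allow-list by mistake.
    $role_obj = get_role( $role );
    if ( $role_obj && $role_obj->has_cap( 'manage_options' ) ) {
        return new WP_Error( 'invalid_role', 'Privileged roles cannot be self-assigned.' );
    }

    return wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => $role,
    ) );
}
```

After patching, review administrator accounts (for example with WP-CLI, `wp user list --role=administrator`) and remove any that were created through self-registration while the vulnerable version was exposed.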
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50882
Vulnerability details
The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user.
- CWE(s): CWE-266 (Incorrect Privilege Assignment)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Direct remote unauthenticated exploitation of public-facing WordPress plugin registration logic enables immediate privilege escalation to admin via improper role assignment (CWE-266).
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the CVE by requiring identification, reporting, and timely patching of the flaw in the SakolaWP plugin's registration function that fails to restrict roles.
AC-2 (Account Management): Ensures system accounts, including those created via registration, are managed with appropriate role assignments to prevent unauthenticated users from gaining administrator privileges.
SI-10 (Information Input Validation): Requires validation of role inputs to the plugin's registration endpoint, blocking attackers from specifying unauthorized administrative roles.