Cyber Resilience

CVE-2024-12470

Critical

Published: 07 January 2025
Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0052 (67.1th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12470 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 32.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12470 is a privilege escalation vulnerability in the School Management System – SakolaWP plugin for WordPress, affecting all versions up to and including 1.0.8. The issue arises because the plugin's registration function does not properly restrict the roles that users can select during signup, a weakness mapped to CWE-266 (Incorrect Privilege Assignment). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and high potential impact.

Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By accessing the registration endpoint, they can choose an administrative role during signup, gaining immediate admin access to the WordPress site. This enables full control, including data exfiltration, modification, or deletion, as well as potential deployment of further malware.

Advisories from Wordfence and the plugin's WordPress.org listing provide further details on the issue. Mitigation requires updating to a version beyond 1.0.8, where the registration role restrictions have been addressed. Security practitioners should scan environments for the vulnerable plugin versions and apply updates promptly.
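One way to run the scan suggested above, as an added example (not code from the advisory, Wordfence or the plugin): it reads the standard WordPress plugin header in each plugin's PHP files and flags installs whose name contains "SakolaWP" at version 1.0.8 or lower. Matching on the `Plugin Name` header, the function names, and the sample directory names and versions are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

NAME_MARKER = "sakolawp"      # assumption: matched against the "Plugin Name" header
LAST_VULNERABLE = (1, 0, 8)   # advisory: all versions up to and including 1.0.8
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.*?)[ \t]*$", re.I | re.M)

def read_header(php_file):
    """Return the plugin header fields found near the top of a PHP file."""
    head = php_file.read_text(encoding="utf-8", errors="replace")[:8192]
    fields = {}
    for key, value in HEADER_RE.findall(head):
        fields.setdefault(key.lower(), value)  # first occurrence wins
    return fields

def parse_version(text):
    """'1.0.8-beta' -> (1, 0, 8); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def find_installs(plugins_dir):
    """Return (directory, version, vulnerable) for each matching plugin."""
    results = []
    for php_file in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php_file)
        if NAME_MARKER not in fields.get("plugin name", "").lower():
            continue
        version = fields.get("version", "")
        # A missing or unreadable version parses to (0, 0, 0) and is flagged.
        results.append((php_file.parent.name, version, parse_version(version) <= LAST_VULNERABLE))
    return results

def build_sample_tree(root):
    """Constructed sample data: directory names and versions are made up."""
    samples = {"school-a": ("School Management System – SakolaWP", "1.0.8"),
               "school-b": ("School Management System – SakolaWP", "1.0.9"),
               "other": ("Unrelated Plugin", "0.1")}
    for folder, (name, version) in samples.items():
        (Path(root) / folder).mkdir()
        (Path(root) / folder / "main.php").write_text(
            f"<?php\n/*\n * Plugin Name: {name}\n * Version: {version}\n */\n", encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, version, vulnerable in find_installs(tmp):
            print(folder, version, "VULNERABLE" if vulnerable else "ok")
```

Point `find_installs` at a site's `wp-content/plugins` directory to check a real install. A flagged site should also have its administrator accounts reviewed, since the flaw lets a new registration obtain that role.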

EU & UK References

Vulnerability details

The School Management System – SakolaWP plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 1.0.8. This is due to the registration function not properly limiting what roles a user can register as. This makes it possible for unauthenticated attackers to register as an administrative user.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

T1190 Exploit Public-Facing Application (Tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Direct remote unauthenticated exploitation of public-facing WordPress plugin registration logic enables immediate privilege escalation to admin via improper role assignment (CWE-266).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24971 (shared CWE-266)
CVE-2024-51888 (shared CWE-266)
CVE-2025-44655 (shared CWE-266)
CVE-2025-49388 (shared CWE-266)
CVE-2024-43333 (shared CWE-266)
CVE-2026-23550 (shared CWE-266)
CVE-2026-32520 (shared CWE-266)
CVE-2025-67953 (shared CWE-266)
CVE-2024-32555 (shared CWE-266)
CVE-2026-32519 (shared CWE-266)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely patching of the flaw in the SakolaWP plugin's registration function that fails to restrict roles.

prevent

Ensures system accounts, including those created via registration, are managed with appropriate role assignments to prevent unauthenticated users from gaining administrator privileges.

prevent

Requires validation of role inputs to the plugin's registration endpoint, blocking attackers from specifying unauthorized administrative roles.

References