Cyber Resilience

CVE-2024-12824

Critical

Published: 01 March 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1 base score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4829 (97.8th percentile)
Risk priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12824 is a critical-severity Unverified Password Change (CWE-620) vulnerability; the affected product is attributed to Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.2% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions through 1.6.2. The flaw arises because the theme fails to validate an empty token value before allowing updates to sensitive user details such as passwords, enabling unauthorized modifications.

Unauthenticated attackers can exploit the issue over the network to change passwords for arbitrary accounts, including those of administrators, and subsequently authenticate to those accounts with full privileges. The vulnerability carries a CVSS 3.1 score of 9.8.

The associated EPSS score rose from lower values to a peak of 0.6232 on 2026-02-18 before receding to the current 0.4829, indicating that exploitation interest emerged after disclosure. References include the theme listing on ThemeForest and a detailed entry in the Wordfence threat intelligence database.

EU & UK References

Vulnerability details

The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior to updating user details such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
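The failure mode described above is the classic CWE-620 shape: a password-update handler that compares the submitted token with the stored one but never rejects an empty token, so a user who never requested a reset (stored token empty) matches a request that simply omits the token. The following is an added, hypothetical illustration written for this page; it is not the Nokri theme's code, and the function names, meta keys, TTL and password-length threshold are assumptions. It runs stand-alone under the PHP CLI by simulating WordPress user meta with an array, showing the weak check beside a hardened one.

```php
<?php
// Added illustration of CWE-620 (Unverified Password Change) as described for
// CVE-2024-12824. Hypothetical code, NOT the Nokri theme's source: function names,
// meta keys and thresholds are assumptions chosen for the example. WordPress user
// meta is simulated with a plain array so the script runs offline.

declare(strict_types=1);

const TOKEN_TTL = 900; // seconds a reset token stays valid (assumed value)

// Simulated user-meta store: user_id => [meta_key => value]. Constructed sample data.
$userMeta = [
    1 => ['reset_token' => '', 'reset_expires' => 0],                 // admin, never requested a reset
    2 => ['reset_token' => 'a3f9c2', 'reset_expires' => time() + 600], // user with a live token
];

/**
 * Vulnerable pattern: the stored token for a user who never requested a reset is
 * empty, and a request carrying an empty token compares equal to it. Loose
 * comparison (==) also leaves room for type-juggling surprises.
 */
function update_password_vulnerable(array $meta, int $userId, string $token, string $newPassword): bool
{
    $stored = $meta[$userId]['reset_token'] ?? '';
    if ($stored == $token) {   // '' == '' holds, so an empty token counts as "verified"
        return true;           // the password write would happen here
    }
    return false;
}

/**
 * Hardened pattern: refuse empty or absent tokens outright, require the token to
 * be unexpired, compare in constant time, apply a minimal password policy, and
 * burn the token after a single use.
 */
function update_password_hardened(array &$meta, int $userId, string $token, string $newPassword): bool
{
    $stored  = $meta[$userId]['reset_token'] ?? '';
    $expires = (int) ($meta[$userId]['reset_expires'] ?? 0);

    if ($token === '' || $stored === '') {   // an empty token is never proof of anything
        return false;
    }
    if (time() > $expires) {                 // stale token
        return false;
    }
    if (!hash_equals($stored, $token)) {     // constant-time comparison, strict types
        return false;
    }
    if (strlen($newPassword) < 12) {         // minimal policy check (assumed threshold)
        return false;
    }
    // Single use: invalidate the token before the password is actually written.
    $meta[$userId]['reset_token']   = '';
    $meta[$userId]['reset_expires'] = 0;
    return true;                             // the password write would happen here
}

// Scenario 1: an unauthenticated request targets user 1 (admin) with an empty token.
var_dump(update_password_vulnerable($userMeta, 1, '', 'CorrectHorseBattery!'));
var_dump(update_password_hardened($userMeta, 1, '', 'CorrectHorseBattery!'));

// Scenario 2: the legitimate flow for user 2 with the issued token, then a replay of it.
var_dump(update_password_hardened($userMeta, 2, 'a3f9c2', 'CorrectHorseBattery!'));
var_dump(update_password_hardened($userMeta, 2, 'a3f9c2', 'CorrectHorseBattery!'));
```

In a real WordPress theme the same properties come for free from core's own reset flow (get_password_reset_key(), check_password_reset_key() and reset_password()), which already rejects empty keys, enforces expiry and invalidates keys on use; the practical mitigation is to route every password change through that flow rather than a theme-specific comparison, and to require an authenticated session (or a verified reset key) before any update to another user's credentials.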

CWE(s)

CWE-620 Unverified Password Change

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a remote unauthenticated flaw in a public-facing WordPress theme that directly enables exploitation for initial access and account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63362 (shared CWE-620)
CVE-2025-1107 (shared CWE-620)
CVE-2026-30458 (shared CWE-620)
CVE-2024-13373 (shared CWE-620)
CVE-2025-4606 (shared CWE-620)
CVE-2024-45647 (shared CWE-620)
CVE-2025-9286 (shared CWE-620)
CVE-2025-11235 (shared CWE-620)
CVE-2024-12860 (shared CWE-620)
CVE-2024-13375 (shared CWE-620)

Affected Assets

Themeforest (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10, Information Input Validation): directly addresses the plugin's failure to validate the empty token input before permitting unauthorized password updates.

Prevent (AC-3, Access Enforcement): enforces logical access controls to block unauthenticated updates to privileged user accounts such as administrators.

Prevent: protects authenticators such as passwords from unauthorized modification by requiring strong management and verification processes.

References