CVE-2024-12824
Published: 01 March 2025
Summary
CVE-2024-12824 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Themeforest (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions through 1.6.2. The flaw arises because the theme fails to validate an empty token value before allowing updates to sensitive user details such as passwords, enabling unauthorized modifications.
Unauthenticated attackers can exploit the issue over the network to change passwords for arbitrary accounts, including those of administrators, and subsequently authenticate to those accounts with full privileges. The vulnerability carries a CVSS 3.1 score of 9.8.
The associated EPSS score rose from lower values to a peak of 0.6232 on 2026-02-18 before receding to the current 0.4829, indicating that exploitation interest emerged after disclosure. References include the theme listing on ThemeForest and a detailed entry in the Wordfence threat intelligence database.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5898
Vulnerability details
The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior to updating user details such as the password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
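The empty-token flaw described above, modelled as an added example that is not the theme's code: a hypothetical reset handler in Python (the names `User`, `weak_change_password`, `issue_reset_token` and `safe_change_password` are assumptions) shows why an unvalidated empty token matches any account that has no reset in progress, and the checks a hardened handler applies instead.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    """Hypothetical user record (constructed for this example)."""
    name: str
    password: str
    reset_token: str = ""        # empty string = no reset in progress
    reset_expires: float = 0.0   # unix time; 0 = no live token


def weak_change_password(user: User, submitted_token: str, new_password: str) -> bool:
    """Flawed handler: compares tokens but never rejects an empty one (CWE-620).
    An account with no reset in progress stores reset_token == "", so an empty
    submitted token compares equal and the password is silently replaced."""
    if submitted_token == user.reset_token:
        user.password = new_password
        return True
    return False


def issue_reset_token(user: User, ttl_seconds: int = 900) -> str:
    """Start a legitimate reset: random, single-use, time-limited token."""
    user.reset_token = secrets.token_urlsafe(32)
    user.reset_expires = time.time() + ttl_seconds
    return user.reset_token


def safe_change_password(user: User, submitted_token: str, new_password: str,
                         now: Optional[float] = None) -> bool:
    """Hardened handler: refuse empty or missing tokens on either side, require a
    live (unexpired) reset, compare in constant time, and burn the token on use."""
    now = time.time() if now is None else now
    if not submitted_token or not user.reset_token:
        return False  # the check the advisory says was missing
    if now > user.reset_expires:
        return False  # stale token
    if not hmac.compare_digest(submitted_token, user.reset_token):
        return False  # wrong token
    user.password = new_password
    user.reset_token = ""       # single use: invalidate after success
    user.reset_expires = 0.0
    return True
```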
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated flaw in a public-facing WordPress theme that directly enables exploitation for initial access and account takeover.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly addresses the plugin's failure to validate the empty token input before permitting unauthorized password updates.
- AC-3 (Access Enforcement): Enforces logical access controls to block unauthenticated updates to privileged user accounts like administrators.
- Protects authenticators such as passwords from unauthorized modification by requiring strong management and verification processes.