CVE-2024-12857
Published: 22 January 2025
Summary
CVE-2024-12857 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Scriptsbundle Adforest. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 29.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-8 (Identification and Authentication (Non-organizational Users)).
Deeper analysis
CVE-2024-12857 is an authentication bypass vulnerability (CWE-288, CWE-306) in the AdForest theme for WordPress, affecting all versions up to and including 5.1.8. The flaw occurs because the theme does not properly verify a user's identity prior to logging them in as that user, published on 2025-01-22 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation requires the target site to have OTP login configured by phone number, allowing attackers to authenticate as any user on the site and potentially gain full administrative access, resulting in high impacts to confidentiality, integrity, and availability.
Advisories from Wordfence provide further details on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve, while the AdForest theme page is available at https://themeforest.net/item/adforest-classified-wordpress-theme/19481695.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51158
Vulnerability details
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes…
more
it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct authentication bypass in public-facing WordPress theme enables unauthenticated network exploitation (T1190) to obtain valid user accounts (T1078).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly and comprehensively mitigates the authentication bypass by requiring timely identification, reporting, and remediation of flaws such as this CVE in the AdForest theme.
Mandates robust identification and authentication mechanisms for non-organizational users, directly addressing the improper identity verification in the WordPress theme's OTP phone login process.
Prevents exploitation by prohibiting or restricting nonessential capabilities like OTP login by phone number, which is required to trigger the vulnerability.