CVE-2024-12857

Critical

Published: 22 January 2025

Published

22 January 2025

Modified

24 January 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0062 70.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12857 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in Scriptsbundle Adforest. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 29.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly and comprehensively mitigates the authentication bypass by requiring timely identification, reporting, and remediation of flaws such as this CVE in the AdForest theme.

IA-8 Identification and Authentication (Non-organizational Users) good match

prevent

Mandates robust identification and authentication mechanisms for non-organizational users, directly addressing the improper identity verification in the WordPress theme's OTP phone login process.

CM-7 Least Functionality good match

prevent

Prevents exploitation by prohibiting or restricting nonessential capabilities like OTP login by phone number, which is required to trigger the vulnerability.

NVD Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes…

it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number.

Deeper analysisAI

CVE-2024-12857 is an authentication bypass vulnerability (CWE-288, CWE-306) in the AdForest theme for WordPress, affecting all versions up to and including 5.1.8. The flaw occurs because the theme does not properly verify a user's identity prior to logging them in as that user, published on 2025-01-22 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation requires the target site to have OTP login configured by phone number, allowing attackers to authenticate as any user on the site and potentially gain full administrative access, resulting in high impacts to confidentiality, integrity, and availability.

Advisories from Wordfence provide further details on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve, while the AdForest theme page is available at https://themeforest.net/item/adforest-classified-wordpress-theme/19481695.

Details

CWE(s): CWE-288 CWE-306

Affected Products

scriptsbundle

adforest

≤ 5.1.9

CVEs Like This One

CVE-2024-11350Same product: Scriptsbundle Adforest

CVE-2025-1283Shared CWE-288, CWE-306

CVE-2024-9658Shared CWE-288, CWE-306

CVE-2025-0159Shared CWE-288, CWE-306

CVE-2025-1717Shared CWE-288, CWE-306

CVE-2024-13771Shared CWE-288, CWE-306

CVE-2025-24456Shared CWE-288, CWE-306

CVE-2025-59367Shared CWE-288, CWE-306

CVE-2026-22731Shared CWE-288, CWE-306

CVE-2025-1315Shared CWE-288, CWE-306

References

https://themeforest.net/item/adforest-classified-wordpress-theme/19481695
Product · security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve
Third Party Advisory · security@wordfence.com