
CVE-2024-12860

Severity: Critical
Published: 18 February 2025
Modified: 21 February 2025
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0022 (44.4th percentile)
Risk priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12860 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Carspot Project Carspot. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). Its EPSS exploit likelihood ranks at the 44.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-12860 is a privilege escalation vulnerability via account takeover in the CarSpot – Dealership WordPress Classified Theme for WordPress, affecting all versions up to and including 2.4.3. The issue stems from the theme failing to validate the password-reset token before updating a user's password, so the password update proceeds regardless of whether a valid token was presented. It is associated with CWE-620 (Unverified Password Change) and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no privileges or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely to reset the passwords of arbitrary users, including administrators, and subsequently gain full access to those accounts. This allows complete site compromise, as attackers could escalate privileges to perform administrative actions.

Mitigation details are outlined in advisories from sources including the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve and the theme listing on ThemeForest at https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539. The vulnerability was published on 2025-02-18.

EU & UK References

Vulnerability details

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
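An illustrative PHP sketch of the CWE-620 pattern the advisory describes, added here as an example and not the CarSpot theme's own code: a reset handler that writes the new password without ever checking the reset key, beside a hardened handler that validates the key with WordPress's own check_password_reset_key() before touching the account. The request parameter names and the demo function names are assumptions.

```php
<?php
// Added illustrative example (not the CarSpot theme's code).
// Assumed request parameters: 'user_login', 'reset_key', 'new_password'.

// VULNERABLE pattern: the reset key is accepted but never verified, so the
// password is replaced for any username the request names.
function carspot_demo_reset_password_vulnerable(array $request) {
    $login    = sanitize_user($request['user_login'] ?? '');
    $new_pass = (string) ($request['new_password'] ?? '');
    $user     = get_user_by('login', $login);
    if (!$user) {
        return new WP_Error('invalid_user', 'Unknown user.');
    }
    // Missing: check_password_reset_key($request['reset_key'], $login)
    wp_set_password($new_pass, $user->ID);
    return true;
}

// HARDENED pattern: the key must be a valid, unexpired token issued for this
// login, and the password is only changed on the user that token belongs to.
function carspot_demo_reset_password_hardened(array $request) {
    $login    = sanitize_user($request['user_login'] ?? '');
    $key      = sanitize_text_field($request['reset_key'] ?? '');
    $new_pass = (string) ($request['new_password'] ?? '');
    if ($login === '' || $key === '' || strlen($new_pass) < 12) {
        return new WP_Error('bad_request', 'Missing or weak parameters.');
    }
    // check_password_reset_key() compares the supplied key against the stored
    // hashed activation key for this login and enforces its expiry; it returns
    // a WP_User on success and a WP_Error otherwise.
    $user = check_password_reset_key($key, $login);
    if (is_wp_error($user)) {
        return $user; // invalid or expired token: do not change anything
    }
    // reset_password() calls wp_set_password(), which stores the new hash and
    // clears the stored activation key, so the token cannot be replayed.
    reset_password($user, $new_pass);
    return true;
}
```

Detection-wise, the vulnerable handler leaves no failed-validation trail, so a password change on an administrator account with no preceding reset-request event in the web or application logs is the signal to look for.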

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1078 Valid Accounts (Stealth): Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
- T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct account takeover via an unauthenticated password reset on a public-facing WordPress application maps to T1190 for initial access, T1098 for the password manipulation itself, and T1078 for subsequent use of the valid administrator account.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

- CVE-2024-13375 (shared CWE-620)
- CVE-2025-1107 (shared CWE-620)
- CVE-2026-30458 (shared CWE-620)
- CVE-2024-13373 (shared CWE-620)
- CVE-2024-45647 (shared CWE-620)
- CVE-2026-40588 (shared CWE-620)
- CVE-2026-24443 (shared CWE-620)
- CVE-2025-63362 (shared CWE-620)
- CVE-2026-27757 (shared CWE-620)
- CVE-2026-24440 (shared CWE-620)

Affected Assets

Vendor: carspot project
Product: carspot
Versions: ≤ 2.4.4

Mitigating Controls (NIST 800-53 r5)

- SI-10 Information Input Validation (prevent): Requires validation of inputs such as the reset token prior to processing password updates, directly addressing the lack of token validation in the vulnerable theme.
- IA-5 Authenticator Management (prevent): Mandates secure management and protection of authenticators like passwords against unauthorized modification or changes without proper verification.
- Prevent: Requires identification, reporting, and correction of software flaws like the improper token validation in the CarSpot theme to prevent exploitation.

References