Cyber Posture

CVE-2024-12860

Critical

Published: 18 February 2025

Modified: 21 February 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.1th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12860 is a critical-severity Unverified Password Change (CWE-620) vulnerability in Carspot Project Carspot. Its CVSS base score is 9.8 (Critical).

Operationally, its EPSS score ranks it at the 44.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SI-10 (Information Input Validation), prevent: Requires validation of inputs such as the reset token prior to processing password updates, directly addressing the lack of token validation in the vulnerable plugin.

IA-5 (Authenticator Management), prevent: Mandates secure management and protection of authenticators like passwords against unauthorized modification or changes without proper verification.

Prevent: Requires identification, reporting, and correction of software flaws like the improper token validation in the CarSpot theme to prevent exploitation.

NVD Description

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators, and leverage that to gain access to their account.

Deeper analysis [AI-generated]

CVE-2024-12860 is a privilege escalation vulnerability via account takeover in the CarSpot – Dealership WordPress Classified Theme for WordPress, affecting all versions up to and including 2.4.3. The issue stems from the plugin failing to properly validate a token before updating a user's password, enabling unauthorized password changes. It is associated with CWE-620 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no privileges or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely to reset the passwords of arbitrary users, including administrators, and subsequently gain full access to those accounts. This allows complete site compromise, as attackers could escalate privileges to perform administrative actions.
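The flaw class described above (CWE-620, a password update that never verifies the reset token), shown as an added illustration that is not the CarSpot theme's code and was not written by its authors: a hypothetical WordPress password-reset handler that looks up the user from the request and changes the password without checking the key, beside a hardened version that validates the key with WordPress's own check_password_reset_key() before calling reset_password(). The form field names, the admin_post action name and the two handler functions are assumptions for this example; it assumes it is loaded inside WordPress (for instance from a theme's functions.php), since it relies on the WordPress API.

```php
<?php
// Added example: hypothetical code illustrating CWE-620 in a WordPress theme.
// Not taken from the CarSpot theme. Field names and function names are assumed.

// WEAK PATTERN: the handler trusts the login named in the request and never
// checks that the caller holds a valid reset key for that account.
function weak_handle_reset_request() {
    $login    = isset( $_POST['user_login'] ) ? sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) : '';
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';

    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return new WP_Error( 'no_user', 'Unknown user.' );
    }

    // A key may be present in the request, but nothing verifies it, so any
    // unauthenticated request naming an existing login (an administrator
    // included) replaces that account's password. This is the defect class
    // the NVD description attributes to the theme.
    wp_set_password( $new_pass, $user->ID );
    return true;
}

// HARDENED PATTERN: the key is validated against the stored, expiring hash
// for this specific login before any change is made (IA-5 and SI-10 in the
// control mapping above).
function hardened_handle_reset_request() {
    $login    = isset( $_POST['user_login'] ) ? sanitize_text_field( wp_unslash( $_POST['user_login'] ) ) : '';
    $key      = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    $confirm  = isset( $_POST['confirm_password'] ) ? (string) wp_unslash( $_POST['confirm_password'] ) : '';

    // Reject malformed input before touching the database.
    if ( '' === $login || '' === $key || '' === $new_pass ) {
        return new WP_Error( 'missing_fields', 'Login, reset key and new password are required.' );
    }
    if ( $new_pass !== $confirm ) {
        return new WP_Error( 'password_mismatch', 'Passwords do not match.' );
    }

    // check_password_reset_key() returns a WP_User only when the key matches
    // the stored hash for this login and has not expired; otherwise WP_Error.
    $user = check_password_reset_key( $key, $login );
    if ( is_wp_error( $user ) ) {
        // Record the rejection: repeated failures against one login are a
        // useful detection signal for the site operator.
        error_log( sprintf( 'password reset rejected for login %s: %s', $login, $user->get_error_code() ) );
        return $user;
    }

    // reset_password() stores the new password, clears the reset key so it
    // cannot be reused, and fires the after_password_reset action.
    reset_password( $user, $new_pass );
    return true;
}

// Wire the hardened handler to a hypothetical custom form action so it runs
// for logged-out visitors (the normal state of a password-reset caller).
add_action( 'admin_post_nopriv_example_theme_reset', function () {
    $result = hardened_handle_reset_request();
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 403 ) );
    }
    wp_safe_redirect( wp_login_url() . '?password_reset=true' );
    exit;
} );
```

The key property of the hardened handler is that the user object comes from check_password_reset_key(), not from the login field alone: the request can only change the password of the account whose still-valid key it presents. When auditing a theme or plugin for this class of flaw, look for any path that calls wp_set_password() or wp_update_user() with a new password where the user identity was derived from request data without that check.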

Mitigation details are outlined in advisories from sources including the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve and the theme listing on ThemeForest at https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539. The vulnerability was published on 2025-02-18.

Details

CWE(s): CWE-620 (Unverified Password Change)

Affected Products: carspot project, carspot, ≤ 2.4.4

CVEs Like This One

CVE-2025-9286 (shared CWE-620)
CVE-2025-63362 (shared CWE-620)
CVE-2026-24440 (shared CWE-620)
CVE-2026-27757 (shared CWE-620)
CVE-2026-24443 (shared CWE-620)
CVE-2025-1107 (shared CWE-620)
CVE-2024-12824 (shared CWE-620)
CVE-2025-11235 (shared CWE-620)
CVE-2024-13375 (shared CWE-620)
CVE-2025-4606 (shared CWE-620)
