Cyber Posture

CVE-2024-12876 (Critical)

Published: 07 March 2025
Modified: 13 March 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0044 (63.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12876 is a critical-severity Missing Authorization (CWE-862) vulnerability in Uxper Golo. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 36.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and two other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 Access Enforcement (prevent): Enforces approved authorizations for all system access and actions, preventing unauthenticated attackers from updating arbitrary user passwords without identity validation.
- IA-5 Authenticator Management (prevent): Requires identity verification and secure procedures prior to changing authenticators like passwords, directly mitigating the missing authorization in password updates.
- Account management control (prevent): Mandates procedures and approvals for account modifications including password changes, reducing the risk of unauthorized account takeovers.

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote attackers to change the passwords of arbitrary users, including administrators, in a public-facing WordPress theme. This maps directly to exploitation for privilege escalation, account manipulation, and exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Golo - City Travel Guide WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.10. This is due to the plugin not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

Deeper analysis

CVE-2024-12876 is a privilege escalation vulnerability via account takeover in the Golo - City Travel Guide WordPress Theme for WordPress, affecting all versions up to and including 1.6.10. The issue arises because the theme does not properly validate a user's identity prior to updating their password, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction. Because the password update mechanism does not verify who is making the request, they can change the passwords of arbitrary users, including administrators, and subsequently gain full access to those accounts for further compromise.

Advisories providing further details, including potential mitigation and patch information, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e6cb81e5-61a4-4b67-a668-d8a7d46b2cea?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products: uxper / golo, versions ≤ 1.6.11

CVEs Like This One

- CVE-2025-8898 (shared CWE-862)
- CVE-2025-9054 (shared CWE-862)
- CVE-2026-21743 (shared CWE-862)
- CVE-2026-4003 (shared CWE-862)
- CVE-2025-12963 (shared CWE-862)
- CVE-2026-26368 (shared CWE-862)
- CVE-2026-2941 (shared CWE-862)
- CVE-2025-26378 (shared CWE-862)
- CVE-2024-13771 (same vendor: Uxper)
- CVE-2024-13773 (same vendor: Uxper)