CVE-2024-12922
Published: 19 March 2025
Summary
CVE-2024-12922 is a critical-severity Missing Authorization (CWE-862) vulnerability in the Altair theme for WordPress, sold through ThemeForest (product identified from the NVD description and the ThemeForest references). Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly addressing the missing capability check that lets an unauthenticated request modify WordPress options.
AC-6 (Least Privilege): limits the impact of the privilege escalation an attacker achieves by changing the default registration role to administrator.
AC-2 (Account Management): governs account provisioning and role assignment, so that administrative accounts created through altered registration settings are prevented or detected.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remotely exploitable, unauthenticated flaw in a public-facing WordPress theme that allows arbitrary option modification. The initial request maps to Exploit Public-Facing Application (T1190); the jump from anonymous visitor to administrator maps to Exploitation for Privilege Escalation (T1068); and the administrative account registered once the default role has been changed maps to Create Account (T1136).
NVD Description
The Altair theme for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check within functions.php in all versions up to, and including, 5.2.4. This makes it possible for unauthenticated attackers to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Deeper analysis
CVE-2024-12922 is a critical vulnerability in the Altair theme for WordPress, affecting all versions up to and including 5.2.4. It stems from a missing capability check in the theme's functions.php, which lets an unauthorized caller modify data and, from there, escalate privileges. The flaw is classified under CWE-862 (Missing Authorization) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network, needs no privileges or user interaction, and has full impact on confidentiality, integrity and availability.
Unauthenticated attackers can exploit this vulnerability remotely by updating arbitrary WordPress options on the affected site. By modifying registration settings—specifically, enabling user registration and setting the default role for new users to administrator—attackers can create accounts with full administrative privileges, granting them complete control over the site.
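The following PHP is an illustration added for this write-up; it is not code from the Altair theme, from Wordfence or from ThemeForest, and the function names, AJAX action names, theme option names and nonce action are assumptions. It models the CWE-862 pattern the advisory describes (an AJAX handler that writes arbitrary options with no capability check) beside a hardened version, and a small check for the post-exploitation state described above (open registration combined with an administrator default role). The option names users_can_register and default_role are WordPress core options; everything else is constructed for the example.

```php
<?php
/**
 * Added example, NOT the Altair theme's code. Handler names, AJAX action
 * names, theme option names and the nonce action are assumptions.
 */

// --- Vulnerable pattern (hypothetical) ---------------------------------------
// Registered for unauthenticated visitors (wp_ajax_nopriv_*) as well as
// logged-in users, and it trusts the option name and value from the request.
function example_theme_save_option_vulnerable() {
    $name  = isset( $_POST['option'] ) ? (string) wp_unslash( $_POST['option'] ) : '';
    $value = isset( $_POST['value'] )  ? (string) wp_unslash( $_POST['value'] )  : '';

    // No current_user_can(), no nonce, no allowlist: any visitor can set
    // users_can_register=1 and default_role=administrator, then register.
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_save_option', 'example_theme_save_option_vulnerable' );
add_action( 'wp_ajax_example_save_option',        'example_theme_save_option_vulnerable' );

// --- Hardened form -------------------------------------------------------------
// Three independent checks; any one of them breaks the chain described in the
// advisory. The capability check is the NIST AC-3 control in code.
function example_theme_save_option_hardened() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_save_option', 'nonce' );

    // 2. Authorization (the check that CWE-862 says is missing): only users who
    //    may manage options get to write options. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: even an administrator may only touch this theme's own
    //    options, never core options such as default_role.
    $allowed = array( 'example_theme_accent_color', 'example_theme_footer_text' );
    $name    = isset( $_POST['option'] ) ? sanitize_key( wp_unslash( $_POST['option'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'option not allowed', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
// Authenticated hook only; no wp_ajax_nopriv_ registration at all.
add_action( 'wp_ajax_example_save_option_hardened', 'example_theme_save_option_hardened' );

// --- Post-exploitation check ----------------------------------------------------
// Returns the indicators a responder looks for after this class of bug: open
// registration together with an administrator default role.
function example_theme_registration_indicators() {
    $users_can_register = (bool) get_option( 'users_can_register' );
    $default_role       = (string) get_option( 'default_role' );
    return array(
        'users_can_register' => $users_can_register,
        'default_role'       => $default_role,
        'suspicious'         => $users_can_register && 'administrator' === $default_role,
    );
}
```

The vulnerable handler is registered here only to show the shape of the bug; the two add_action lines for it are exactly what should not exist in a theme. The indicator function can be run on a live site with WP-CLI (wp eval 'var_dump( example_theme_registration_indicators() );') once the file is loaded; a true 'suspicious' value, or any administrator account created after the options changed, warrants incident response rather than just an update.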
Mitigation guidance is available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/e27971a3-f84c-4f13-81af-127e7560566a?source=cve and the Altair theme's changelog on ThemeForest at https://themeforest.net/item/tour-travel-agency-altair-theme/9318575#item-description__changelog, along with the theme's product page at https://themeforest.net/item/tour-travel-agency-altair-theme/9318575. Security practitioners should verify and apply updates to versions beyond 5.2.4 where available. Because the attack leaves persistent state, an update alone is not sufficient: confirm that user registration is disabled (or intentionally enabled) and that the default role is not administrator, and review any administrator accounts created while the vulnerable version was installed.
Details
- CWE(s)