CVE-2024-12295
Published: 19 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2024-12295 is a privilege escalation vulnerability via account takeover in the BoomBox Theme Extensions plugin for WordPress, affecting all versions up to and including 1.8.0. The issue arises because the plugin does not properly validate a user's identity before updating their password through the 'boombox_ajax_reset_password' function. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H) and maps to CWE-640.
Authenticated attackers with subscriber-level privileges or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By leveraging the flawed password reset function, they can change the passwords of arbitrary users, including administrators, and use this to take over those accounts for further compromise.
Mitigation details are available in advisories such as the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c453aaf6-767d-4929-bbb3-3c0b78b0507a?source=cve. Security practitioners should review the plugin's page on ThemeForest at https://themeforest.net/item/boombox-viral-buzz-wordpress-theme/16596434 for update guidance, as the vulnerability is resolved in versions beyond 1.8.0.
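The flaw described above is a CWE-640 pattern: an AJAX handler accepts a target user from the request and replaces that user's password without first establishing that the caller is entitled to act on that account. The following is an added illustration, not code from the BoomBox plugin or its vendor; the action names (example_weak_reset_password, example_hardened_reset_password), the nonce action string and the request parameter names are hypothetical, and a standard WordPress environment with the wp_ajax_* hooks is assumed.

```php
<?php
// Added illustration of the CWE-640 pattern and its fix. This is NOT the
// BoomBox plugin's code; every name below is hypothetical. Assumes WordPress.

// --- Weak pattern: the target account is taken from the request, and nothing
// checks that the logged-in caller is allowed to change that account's password.
function example_weak_reset_password() {
    $user_id  = intval( $_POST['user_id'] ?? 0 );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );

    $user = get_user_by( 'id', $user_id );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user' );
    }
    // Any authenticated user reaches this line for any user id they supply.
    wp_set_password( $new_pass, $user->ID );
    wp_send_json_success();
}
// add_action( 'wp_ajax_example_weak_reset_password', 'example_weak_reset_password' );

// --- Hardened pattern: CSRF nonce, the caller may only change their own
// account (client-supplied ids are ignored), and the existing credential must
// be proven before it is replaced.
function example_hardened_reset_password() {
    // Rejects forged cross-site requests; dies with a 403 on failure.
    check_ajax_referer( 'example_reset_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $current  = wp_get_current_user();          // the only permitted target
    $old_pass = (string) ( $_POST['current_password'] ?? '' );
    $new_pass = (string) ( $_POST['new_password'] ?? '' );

    // Re-establish identity with the current password before changing it.
    if ( ! wp_check_password( $old_pass, $current->user_pass, $current->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new_pass ) < 12 ) {
        wp_send_json_error( 'new password too short', 400 );
    }

    wp_set_password( $new_pass, $current->ID );
    wp_send_json_success( 'password updated' );
}
add_action( 'wp_ajax_example_hardened_reset_password', 'example_hardened_reset_password' );
```

For defenders, the difference between the two handlers is also the detection signal: a password change where the acting user differs from the target user, issued from a subscriber-level session, is the event a WordPress audit log or WAF rule should flag while the plugin is unpatched.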
Details
- CWE(s): CWE-640
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows authenticated low-privileged users to change passwords of arbitrary accounts (including administrators) via a flawed password reset function, directly enabling privilege escalation to take over higher-privileged accounts.