CVE-2024-12402
Published: 07 January 2025
Description
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including those of administrators, and leverage that to gain access to their accounts.
Security Summary
CVE-2024-12402 is a privilege escalation vulnerability via account takeover in the Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress, affecting all versions up to and including 1.3.4. The issue stems from the plugin failing to properly validate a user's identity before updating that user's password through the update_user_profile() function, which allows password changes that the caller is not authorized to make.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required. By targeting the flawed endpoint, they can reset the password of any WordPress user, including administrators, to gain full account access and potentially compromise the site. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), linked to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Advisories reference the vulnerable code in app_user.php at line 338; the fix was applied in changeset 3303561, so updating to a version that includes that changeset removes the issue. The Wordfence threat intelligence page provides further details on the vulnerability and mitigation guidance.
Details
- CWE(s)