CVE-2024-12824
Published: 01 March 2025
Description
The Nokri – Job Board WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the theme not properly checking for an empty token value prior to updating user details such as the password. This makes it possible for unauthenticated attackers to change an arbitrary user's password, including an administrator's, and leverage that to gain access to the account.
Security Summary
CVE-2024-12824 is a privilege escalation vulnerability via account takeover in the Nokri – Job Board WordPress Theme for WordPress, affecting all versions up to and including 1.6.2. The issue arises because the theme does not reject an empty token value before allowing updates to user details, such as passwords. This flaw, published on 2025-03-01, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is linked to CWE-620: Unverified Privilege Delegation.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction required. By targeting the update mechanism, they can arbitrarily change any user's password, including those of administrators, and subsequently log in to gain full account access, potentially leading to complete site compromise.
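To illustrate the defect class described above, the following is an added example written for this record, not the theme's own code: a hypothetical WordPress password-reset handler in which an empty token passes the comparison, beside a hardened version. The function names and user-meta keys are assumptions; the WordPress API calls used are real.

```php
<?php
// Added example, not the Nokri theme's code. Hypothetical password-reset
// handler showing the defect class described above (an empty reset token
// accepted as valid) and the hardened form. Function and meta-key names
// are assumptions for illustration.

// VULNERABLE PATTERN: an empty submitted token matches an empty/missing
// stored token, so the comparison passes and the password is changed.
function example_reset_vulnerable( $email, $submitted_token, $new_password ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return false;
    }
    // get_user_meta() returns '' when the key was never set.
    $stored_token = get_user_meta( $user->ID, 'reset_token', true );
    if ( $stored_token === $submitted_token ) { // '' === '' is true
        wp_set_password( $new_password, $user->ID );
        return true;
    }
    return false;
}

// HARDENED: reject empty tokens, compare a hash of the token in constant
// time, enforce expiry, and invalidate the token after a single use.
function example_reset_fixed( $email, $submitted_token, $new_password ) {
    $submitted_token = sanitize_text_field( wp_unslash( $submitted_token ) );
    if ( '' === $submitted_token ) {
        return false; // the missing check that allowed the takeover
    }
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return false;
    }
    $stored_hash = get_user_meta( $user->ID, 'reset_token_hash', true );
    $expires     = (int) get_user_meta( $user->ID, 'reset_token_expires', true );
    if ( ! is_string( $stored_hash ) || '' === $stored_hash || time() > $expires ) {
        return false; // no outstanding reset, or it has expired
    }
    if ( ! hash_equals( $stored_hash, hash( 'sha256', $submitted_token ) ) ) {
        return false; // token mismatch, compared in constant time
    }
    // Single use: remove the token before changing the password.
    delete_user_meta( $user->ID, 'reset_token_hash' );
    delete_user_meta( $user->ID, 'reset_token_expires' );
    wp_set_password( $new_password, $user->ID );
    return true;
}
```

The hardened handler assumes the reset flow stores only a SHA-256 hash of the issued token plus an expiry timestamp in user meta; a detection rule for the vulnerable class is a password change on an account with no outstanding reset token.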
Advisories from sources like Wordfence provide further details on the vulnerability. Security practitioners should consult the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve and the theme's listing on ThemeForest at https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241 for mitigation guidance, including any available patches beyond version 1.6.2.
Details
- CWE(s)