CVE-2024-12857
Published: 22 January 2025
Description
The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the plugin not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user as long as they have configured OTP login by phone number.
Security Summary
CVE-2024-12857 is an authentication bypass vulnerability (CWE-288, CWE-306) in the AdForest theme for WordPress, affecting all versions up to and including 5.1.8. The flaw occurs because the theme does not properly verify a user's identity prior to logging them in as that user, published on 2025-01-22 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation requires the target site to have OTP login configured by phone number, allowing attackers to authenticate as any user on the site and potentially gain full administrative access, resulting in high impacts to confidentiality, integrity, and availability.
Advisories from Wordfence provide further details on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve, while the AdForest theme page is available at https://themeforest.net/item/adforest-classified-wordpress-theme/19481695.
Details
- CWE(s)