Cyber Posture

CVE-2024-12860

Critical

Published: 18 February 2025

Modified: 21 February 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (44.1st percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.

Security Summary

CVE-2024-12860 is a privilege escalation vulnerability via account takeover in the CarSpot – Dealership WordPress Classified Theme for WordPress, affecting all versions up to and including 2.4.3. The issue stems from the plugin failing to properly validate a token before updating a user's password, enabling unauthorized password changes. It is associated with CWE-620 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility, low attack complexity, and no privileges or user interaction required.

Unauthenticated attackers can exploit this vulnerability remotely to reset the passwords of arbitrary users, including administrators, and subsequently gain full access to those accounts. Because an administrator account grants full control of the WordPress site, this amounts to complete site compromise.

Mitigation details are outlined in advisories from sources including the Wordfence threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve and the theme listing on ThemeForest at https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539. The vulnerability was published on 2025-02-18.

Details

CWE(s): CWE-620 (Unverified Password Change), NVD-CWE-noinfo

Affected Products

carspot project: carspot, versions ≤ 2.4.4
