CVE-2024-12876
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-12876 is a privilege escalation vulnerability via account takeover in the Golo - City Travel Guide WordPress Theme for WordPress, affecting all versions up to and including 1.6.10. The issue arises because the theme does not properly validate a user's identity prior to updating their password, classified under CWE-862 (Missing Authorization). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By targeting the flawed password update mechanism, they can change the passwords of arbitrary users, including administrators, and subsequently gain full access to those accounts for further compromise.
Advisories providing further details, including potential mitigation and patch information, are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e6cb81e5-61a4-4b67-a668-d8a7d46b2cea?source=cve and the theme's page on ThemeForest at https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote attackers to change passwords of arbitrary users including admins in a public-facing WordPress theme, directly mapping to exploitation for privilege escalation, account manipulation, and exploiting public-facing applications.