CVE-2024-12922
Published: 19 March 2025
Description
Adversaries may create an account to maintain access to victim systems.
Security Summary
CVE-2024-12922 is a critical vulnerability in the Altair theme for WordPress, affecting all versions up to and including 5.2.4. It stems from a missing capability check in the functions.php file, enabling unauthorized modification of data that leads to privilege escalation. The flaw, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility and lack of prerequisites for exploitation.
Unauthenticated attackers can exploit this vulnerability remotely by updating arbitrary WordPress options on the affected site. By modifying registration settings—specifically, enabling user registration and setting the default role for new users to administrator—attackers can create accounts with full administrative privileges, granting them complete control over the site.
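The advisory describes the end state an attacker leaves behind: open registration with `administrator` as the default role, followed by a self-registered administrator account. The following audit script is an added example (not part of the CVE record, Wordfence's advisory, or the Altair theme) that checks a site for exactly that state. It assumes the standard WordPress option names `users_can_register` and `default_role` and the `wp_capabilities` user-meta key; the option rows, user rows and the cut-off date below are constructed sample data.

```python
"""Audit WordPress registration settings and administrator accounts.

Added example, not code from the CVE record or the theme. It flags
(a) registration settings that grant administrator rights to anyone
who signs up, and (b) administrator accounts registered after a
cut-off date. Option/meta key names are the standard WordPress ones;
all sample rows are constructed.
"""
import re
from datetime import datetime

# Constructed snapshot of relevant wp_options rows (option_name -> option_value).
SAMPLE_OPTIONS = {
    "users_can_register": "1",
    "default_role": "administrator",
    "siteurl": "https://example.test",
}

# Constructed rows joining wp_users with wp_usermeta (meta_key = 'wp_capabilities').
SAMPLE_USERS = [
    {"user_login": "owner", "user_registered": "2023-05-02 10:15:00",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_login": "editor1", "user_registered": "2024-11-20 08:00:00",
     "wp_capabilities": 'a:1:{s:6:"editor";b:1;}'},
    {"user_login": "qwe123", "user_registered": "2025-03-21 03:42:11",
     "wp_capabilities": 'a:1:{s:13:"administrator";b:1;}'},
]

# wp_capabilities is a PHP-serialised array such as a:1:{s:13:"administrator";b:1;}.
# Every granted role appears as a string key followed by a true boolean.
_ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # format used by wp_users.user_registered


def parse_roles(serialized: str) -> set[str]:
    """Return the set of roles granted in a wp_capabilities meta value."""
    return set(_ROLE_RE.findall(serialized))


def check_registration_settings(options: dict[str, str]) -> list[str]:
    """Flag settings that turn self-registration into administrator access."""
    findings = []
    open_registration = options.get("users_can_register", "0") == "1"
    default_role = options.get("default_role", "subscriber")
    if default_role == "administrator":
        findings.append("default_role is 'administrator' (expected 'subscriber')")
    if open_registration:
        findings.append(f"registration is open and new users receive role '{default_role}'")
    return findings


def recent_administrators(users: list[dict], since: str) -> list[str]:
    """List administrator logins registered at or after `since` (YYYY-MM-DD HH:MM:SS)."""
    cutoff = datetime.strptime(since, TIME_FMT)
    hits = []
    for row in users:
        registered = datetime.strptime(row["user_registered"], TIME_FMT)
        if registered >= cutoff and "administrator" in parse_roles(row["wp_capabilities"]):
            hits.append(row["user_login"])
    return hits


def audit(options: dict[str, str], users: list[dict], since: str) -> dict:
    """Run both checks and return the findings as one report."""
    return {
        "settings": check_registration_settings(options),
        "new_admins": recent_administrators(users, since),
    }


if __name__ == "__main__":
    # Cut-off chosen for the constructed sample; pick the date of the last known-good state.
    report = audit(SAMPLE_OPTIONS, SAMPLE_USERS, "2025-03-19 00:00:00")
    for finding in report["settings"]:
        print("SETTING:", finding)
    for login in report["new_admins"]:
        print("NEW ADMIN:", login)
```

On a live site the two option values come from `wp option get users_can_register` and `wp option get default_role` (WP-CLI), and the user rows from the `wp_users` and `wp_usermeta` tables; an unexpected administrator registered after the settings changed is the indicator worth alerting on, since the option change itself is easy to revert and miss.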
Mitigation guidance is available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/e27971a3-f84c-4f13-81af-127e7560566a?source=cve and the Altair theme's changelog on ThemeForest at https://themeforest.net/item/tour-travel-agency-altair-theme/9318575#item-description__changelog, along with the theme's product page at https://themeforest.net/item/tour-travel-agency-altair-theme/9318575. Security practitioners should verify and apply updates to versions beyond 5.2.4 where available.
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
- T1068 Exploitation for Privilege Escalation
- T1136 Create Account
Why these techniques?
The vulnerability is a remote unauthenticated flaw in a public-facing WordPress theme allowing arbitrary option modification, directly enabling exploitation of the web application (T1190), privilege escalation (T1068), and creation of administrative accounts via registration settings changes (T1136).