CRITICAL🇵🇱 Wersja polska

CVE-2024-12824

CVSS 9.8v3.1pub. 2025-03-01upd. 2026-04-15

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account.

🤖 AI Analysis
How it works

The password change mechanism in the theme does not properly verify whether the provided token is empty before updating user data. An attacker can send a password change request with an empty token value, which is accepted by the application as valid. As a result, it is possible to change the password of any account – including administrator accounts – without knowing the original authentication credentials.

Impact

The attacker gains full access to the compromised user or administrator account, which can lead to complete takeover of the WordPress site, including content modification, malicious software installation, or data theft.

Mitigation & patch

The Nokri – Job Board theme should be updated to a version higher than 1.6.2. Patches available from the vendor should be applied according to references. Until the update is applied, it is recommended to consider temporarily disabling the password change functionality or restricting access to the site.

Who is affected

Nokri – Job Board WordPress theme in all versions up to and including 1.6.2

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References