CRITICAL🇵🇱 Wersja polska

CVE-2024-12860

CVSS 9.8v3.1pub. 2025-02-18upd. 2025-02-21

The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

🤖 AI Analysis
How it works

The vulnerability results from lack of proper token validation before updating a user password. An unauthenticated attacker can send a password change request for any account, including administrative accounts, without needing a valid verification token. After changing the password, the attacker logs in to the compromised account and gains full access according to its permissions.

Impact

An attacker can take control of any user account, including administrator accounts, leading to complete compromise of the WordPress site — enabling installation of malicious code, modification of content, or data theft.

Mitigation & patch

The CarSpot theme should be updated to a version higher than 2.4.3. Patches available from the vendor should be applied according to references. Until the update is applied, it is recommended to monitor access logs for unauthorized password changes.

Who is affected

CarSpot – Dealership WordPress Classified Theme in all versions up to and including 2.4.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Carspot Project Carspot

    APP
    Carspot Project
    < 2.4.4
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth BypassLPE
CWE
References