Privilege Escalation Vulnerability in AdForest Theme for WordPress
CVE-2024-11350

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Adforest
Vendor: CVE Published:; 8 January 2025

Summary

The AdForest theme for WordPress contains a security flaw allowing privilege escalation through account takeover. This vulnerability exists in all versions up to 5.1.6 due to inadequate validation of user identity during the password update process in the adforest_reset_password() function. As a result, unauthenticated attackers can manipulate the password of any user, including administrators, thus gaining unauthorized access to their accounts. To mitigate this significant security issue, it is vital for users to upgrade to the latest version of the theme and implement security best practices.

Affected Version(s)

AdForest * <= 5.1.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://themeforest.net/item/adforest-classified-wordpres...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 8, 2025
Vulnerability Reserved
Nov 18, 2024

Credit

Tonn