CVE-2024-12771
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-12771 is a newly disclosed vulnerability in the eCommerce Product Catalog Plugin for WordPress. Versions up to and including 3.3.43 are vulnerable to Cross-Site Request Forgery (CSRF). The weakness stems from insufficient nonce validation in the 'customer_panel_password_reset' function: because the handler does not verify a WordPress nonce tied to the request, an unauthenticated attacker can cause the password of any administrator or customer account to be reset. The attack requires deceiving a site administrator into performing an action such as clicking a link while logged in, after which the attacker can take over the affected accounts. This vulnerability poses a significant risk to websites using the affected plugin and underlines the importance of keeping WordPress installations and plugins updated.
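To illustrate the class of bug described above, the following is an added example (not the plugin's own code, and not the code of Recorded Future or the plugin's vendor): a hypothetical WordPress password-reset handler without nonce validation, beside a hardened version that checks a nonce and the caller's capability. It assumes a WordPress runtime; the function names `vulnerable_customer_panel_password_reset`, `hardened_customer_panel_password_reset` and `render_password_reset_form` are invented for illustration.

```php
<?php
// Hypothetical handlers illustrating the CSRF pattern described for
// CVE-2024-12771. Not the plugin's actual code; function names are invented.

// WEAK pattern: acts on POST data with no nonce check and no authorization.
// A forged cross-site POST from a logged-in admin's browser reaches this
// code with the admin's cookies and resets whichever user_id was supplied.
function vulnerable_customer_panel_password_reset() {
    if ( empty( $_POST['user_id'] ) || empty( $_POST['new_password'] ) ) {
        return;
    }
    $user_id = absint( $_POST['user_id'] );
    wp_set_password( sanitize_text_field( wp_unslash( $_POST['new_password'] ) ), $user_id );
}

// HARDENED pattern: require a nonce bound to this action, then authorize.
function hardened_customer_panel_password_reset() {
    if ( empty( $_POST['user_id'] ) || empty( $_POST['new_password'] ) ) {
        return;
    }
    // Nonce check: a forged request cannot carry the per-user, per-action
    // nonce that only the legitimate form embeds, so it is rejected here.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'customer_panel_password_reset' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }
    $user_id = absint( $_POST['user_id'] );
    // Authorization: CSRF protection alone does not decide who may reset
    // whose password. Only the account owner or a user allowed to edit
    // that account may proceed.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Not allowed.', '', array( 'response' => 403 ) );
    }
    wp_set_password( sanitize_text_field( wp_unslash( $_POST['new_password'] ) ), $user_id );
}

// The legitimate form must embed the matching nonce for the same action
// string; wp_nonce_field() also adds a hidden referer field.
function render_password_reset_form() {
    echo '<form method="post">';
    wp_nonce_field( 'customer_panel_password_reset' );
    echo '<input type="hidden" name="user_id" value="' . esc_attr( get_current_user_id() ) . '">';
    echo '<input type="password" name="new_password">';
    echo '<button type="submit">Reset password</button>';
    echo '</form>';
}
```

When reviewing a plugin for this bug class, look for state-changing handlers that read `$_POST` or `$_GET` without a `wp_verify_nonce()` or `check_admin_referer()` call and without a `current_user_can()` check on the target object.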