CVE-2024-12771
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2024-12771 is a critical vulnerability affecting the eCommerce Product Catalog Plugin for WordPress. The issue lies in the 'customer_panel_password_reset' function, which lacks proper nonce validation. This oversight enables unauthenticated attackers to trigger password resets for both administrator and customer accounts through Cross-Site Request Forgery (CSRF). By tricking an administrator into clicking a malicious link, an attacker can gain access to sensitive accounts and put the entire WordPress site at risk. Versions 3.3.43 and below are affected. It is strongly advised to update to the latest version of the plugin, or to disable it until a patched version is available.
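The missing control described above, shown as an added illustration rather than the plugin's own code: a WordPress form and handler for a password reset in which the request is bound to a nonce and then subjected to a separate capability check. The ecpc_ prefixes, the field names and the hook name are assumed for the example.

```php
<?php
// Added example, not code from the eCommerce Product Catalog plugin.
// Names prefixed ecpc_ and the form field names are assumptions.

// Render the reset form with a nonce tied to the action AND the target user,
// so a token issued for one account cannot be replayed against another.
function ecpc_render_reset_form( $user_id ) {
    $user_id = absint( $user_id );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ecpc_reset_password">';
    echo '<input type="hidden" name="user_id" value="' . $user_id . '">';
    wp_nonce_field( 'ecpc_reset_password_' . $user_id, 'ecpc_reset_nonce' );
    echo '<input type="password" name="new_password" autocomplete="new-password">';
    submit_button( 'Reset password' );
    echo '</form>';
}

// Handler for the logged-in admin-post hook. A cross-site forged POST can
// carry the victim's session cookie but cannot supply a valid nonce.
function ecpc_handle_reset_password() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;

    // 1. CSRF protection: the nonce must match the action for this user.
    $nonce = isset( $_POST['ecpc_reset_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['ecpc_reset_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'ecpc_reset_password_' . $user_id ) ) {
        wp_die( 'Invalid request.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Authorization: a nonce only proves the request came from our form;
    //    it does not prove the caller may change this account's password.
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Insufficient permissions.', 'Forbidden', array( 'response' => 403 ) );
    }

    $new_password = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new_password ) < 12 ) {
        wp_die( 'Password too short.', 'Bad Request', array( 'response' => 400 ) );
    }

    wp_set_password( $new_password, $user_id );
    wp_safe_redirect( add_query_arg( 'reset', 'done', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_ecpc_reset_password', 'ecpc_handle_reset_password' );
```

Both checks are needed: removing only the nonce check reproduces the class of flaw the advisory describes, while removing only the capability check leaves any logged-in user able to reset other accounts from a legitimately issued form.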