CVE-2024-12771

CVSS 3.1 Score 8.8 of 10 (high)

Details

Published Dec 21, 2024
CWE ID 352

Summary

CVE-2024-12771 is a high-severity (CVSS 3.1 score 8.8) Cross-Site Request Forgery vulnerability (CWE-352) in the eCommerce Product Catalog Plugin for WordPress. The plugin's 'customer_panel_password_reset' function performs a password reset without validating a nonce, so the server cannot tell a request produced by its own form from one forged on an attacker's page. An unauthenticated attacker who can get a logged-in site administrator to perform an action such as clicking a link can therefore have the administrator's browser submit the forged request, resetting administrator or customer passwords and potentially handing over control of the site. Versions 3.3.43 and below are affected. Update to a version newer than 3.3.43; if no fixed release is available for your installation, disable the plugin until one is.
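The pattern behind CWE-352 in a WordPress plugin, shown as an added example: a hypothetical customer-panel password-reset handler in the vulnerable shape the summary describes (a state-changing POST honoured with no nonce check) next to a hardened version. This is illustrative code written for this page, not the eCommerce Product Catalog plugin's own source; the function and field names (demo_reset_password_*, demo_user_id, demo_new_password, the nonce action 'demo_reset_password') are assumptions, and the file is assumed to be loaded inside WordPress (for example as a must-use plugin under wp-content/mu-plugins/).

```php
<?php
/**
 * Illustrative WordPress password-reset handler in two forms: the vulnerable
 * shape (no nonce check) and a hardened shape. Hypothetical code for this
 * page, not the plugin's source. Assumes it is loaded by WordPress, e.g. as
 * wp-content/mu-plugins/csrf-demo.php.
 */

// VULNERABLE (deliberately not hooked): any POST that carries a user ID and a
// new password is honoured. A logged-in administrator who opens an
// attacker-controlled page auto-submits this request with their own cookies,
// and the reset goes through for whichever account the attacker named.
function demo_reset_password_vulnerable() {
    if ( ! isset( $_POST['demo_user_id'], $_POST['demo_new_password'] ) ) {
        return;
    }
    $user_id = absint( $_POST['demo_user_id'] );
    wp_set_password( (string) wp_unslash( $_POST['demo_new_password'] ), $user_id );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

// HARDENED: the request must carry a nonce bound to this action and to the
// logged-in user's session, and the caller must be allowed to touch the
// target account.
function demo_reset_password_hardened() {
    if ( ! isset( $_POST['demo_user_id'], $_POST['demo_new_password'] ) ) {
        return;
    }
    // Nonce first. A cross-site forged request cannot include a valid token:
    // the attacker's page cannot read it out of the victim's own form.
    $nonce = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'demo_reset_password' ) ) {
        wp_die( 'Invalid request.', 'CSRF check failed', array( 'response' => 403 ) );
    }
    $user_id = absint( $_POST['demo_user_id'] );
    // Capability next. A nonce proves intent, not authority: a customer may
    // reset only their own password; anyone else needs edit_user on that ID.
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'Not allowed.', 'Forbidden', array( 'response' => 403 ) );
    }
    wp_set_password( (string) wp_unslash( $_POST['demo_new_password'] ), $user_id );
    wp_safe_redirect( home_url( '/' ) );
    exit;
}

// The form that pairs with the hardened handler: wp_nonce_field() emits the
// hidden _wpnonce input that wp_verify_nonce() checks above, so only a form
// the site itself rendered for this user can produce an accepted request.
function demo_render_reset_form() {
    ob_start();
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'demo_reset_password' ); ?>
        <input type="hidden" name="demo_user_id" value="<?php echo esc_attr( get_current_user_id() ); ?>">
        <input type="password" name="demo_new_password" autocomplete="new-password">
        <button type="submit">Reset password</button>
    </form>
    <?php
    return ob_get_clean();
}

add_action( 'init', 'demo_reset_password_hardened' );
add_shortcode( 'demo_reset_form', 'demo_render_reset_form' );
```

Two checks are needed, not one. The nonce defeats the forged cross-site request that this CVE describes; the capability check (current_user_can with the edit_user meta capability) stops an authenticated low-privilege user from supplying someone else's ID in a request they built legitimately. A handler that has the nonce but not the authorization check, or the reverse, is still exploitable by one of those two attackers.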
