CVE-2024-12857: AdForest <= 5.1.8 - Authentication Bypass

9.8 CVSS

Description

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.1.8. This is due to the theme not properly verifying a user's identity prior to logging them in as that user. This makes it possible for unauthenticated attackers to authenticate as any user who has configured OTP login by phone number.

Classification

CVE ID: CVE-2024-12857

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

Affected Products

Vendor: scriptsbundle

Product: AdForest

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.09% (estimated probability of being exploited)

EPSS Percentile: 40.93% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-20 (date this score was calculated)

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/4ff3b4f1-dd36-43d0-b472-55a940907437?source=cve
https://themeforest.net/item/adforest-classified-wordpress-theme/19481695

Timeline