CVE-2024-12295

Name of the Vulnerable Software and Affected Versions BoomBox Theme Extensions plugin for WordPress versions up to, and including, 1.8.0

Description The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover. This is due to the plugin not properly validating a user's identity prior to updating their password through the boombox ajax reset password function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Recommendations For versions up to, and including, 1.8.0, update to a version higher than 1.8.0 to fix the vulnerability. As a temporary workaround, consider disabling the boombox ajax reset password function until a patch is available. Restrict access to the password update process to minimize the risk of exploitation. Avoid using the password update feature in the affected plugin until the issue is resolved.