CVE-2024-12402

Name of the Vulnerable Software and Affected Versions The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress versions up to, and including, 1.3.4

Description The issue is related to privilege escalation via account takeover due to the plugin not properly validating a user's identity prior to updating their password through the update user profile() function. This allows unauthenticated attackers to change arbitrary user's passwords, including administrators, and gain access to their account.

Recommendations For versions up to, and including, 1.3.4, update to a version that properly validates user identity before allowing password updates, or as a temporary workaround, consider disabling the update user profile() function until a patch is available. Restrict access to user profile updates to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.