CVE-2024-12860

Name of the Vulnerable Software and Affected Versions CarSpot – Dealership Wordpress Classified Theme versions up to 2.4.3

Description The issue concerns a privilege escalation vulnerability via account takeover. This vulnerability arises due to the plugin's failure to properly validate a token before updating a user's password. As a result, unauthenticated attackers can change the passwords of arbitrary users, including administrators, thereby gaining access to their accounts.

Recommendations For versions up to 2.4.3, update to a version later than 2.4.3 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.