CVE-2024-12827
BaseFortify
Publication date: 2025-06-27
Last updated on: 2025-06-30
Assigner: Wordfence
Exploitability
| CWE ID | Description |
|---|---|
| CWE-620 | When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the DWT - Directory & Listing WordPress Theme up to and including version 3.3.6. It allows unauthenticated attackers to escalate privileges through a flaw in the password reset function (dwt_listing_reset_password()). The theme does not properly check for an empty token value before resetting a user's password, so an attacker can change any user's password, including an administrator's, and take over the account.
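The following is an added illustration of the CWE-620 pattern described above, not the theme's own code: a reset handler that compares a stored token with a submitted one without first rejecting empty values, beside a hardened version. It assumes, hypothetically, that the token and its expiry are kept in user meta under the keys shown.

```php
<?php
// Added illustration of the missing empty-token check; not code from the DWT theme.
// Hypothetical meta keys assumed for this example only.
define('EXAMPLE_TOKEN_META', 'example_reset_token');
define('EXAMPLE_EXPIRY_META', 'example_reset_token_exp');

/**
 * Weak variant: a user who never requested a reset has no stored token ('').
 * A request that carries an empty token therefore "matches", and the password
 * is changed without any proof that the requester owns the account.
 */
function example_reset_password_weak(int $user_id, string $token, string $new_pass): bool {
    $stored = (string) get_user_meta($user_id, EXAMPLE_TOKEN_META, true);
    if ($stored == $token) {          // '' == '' is true: no authentication required
        wp_set_password($new_pass, $user_id);
        return true;
    }
    return false;
}

/**
 * Hardened variant: reject empty tokens on either side, enforce expiry,
 * compare in constant time, and make the token single-use.
 */
function example_reset_password_hardened(int $user_id, string $token, string $new_pass): bool {
    $stored  = (string) get_user_meta($user_id, EXAMPLE_TOKEN_META, true);
    $expires = (int) get_user_meta($user_id, EXAMPLE_EXPIRY_META, true);

    if ($token === '' || $stored === '') {
        return false;                 // no outstanding reset request: nothing to verify
    }
    if ($expires === 0 || time() > $expires) {
        delete_user_meta($user_id, EXAMPLE_TOKEN_META);
        delete_user_meta($user_id, EXAMPLE_EXPIRY_META);
        return false;                 // stale token is discarded
    }
    if (!hash_equals($stored, $token)) {
        return false;                 // wrong token; timing-safe comparison
    }
    // Invalidate the token before changing the password so it cannot be replayed.
    delete_user_meta($user_id, EXAMPLE_TOKEN_META);
    delete_user_meta($user_id, EXAMPLE_EXPIRY_META);
    wp_set_password($new_pass, $user_id);
    return true;
}
```

WordPress core already implements these checks in its own reset flow (check_password_reset_key()), so a theme or plugin should reuse that rather than re-implement token validation.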
How can this vulnerability impact me?
An attacker can gain unauthorized access to any user account, including administrator accounts, by resetting passwords without proper authentication. This can lead to full compromise of the affected WordPress site, allowing the attacker to control site content, user data, and potentially deploy further malicious actions.