Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities found for TC Ecommerce – Create Android & iOS Apps for WooCommerce by themescoder
CVE-2024-12402 (GCVE-0-2024-12402)
Vulnerability from nvd – Published: 2025-01-07 03:21 – Updated: 2026-04-08 16:40
VLAI?
Title
Themes Coder – Create Android & iOS Apps For Your Woocommerce Site <= 1.3.4 - Insecure Direct Object Reference to Password Change/Account Takeover/Privilege Escalation
Summary
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity ?
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themescoder | TC Ecommerce – Create Android & iOS Apps for WooCommerce |
Affected:
0 , ≤ 1.3.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:57:12.171902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:29:41.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TC Ecommerce \u2013 Create Android \u0026 iOS Apps for WooCommerce",
"vendor": "themescoder",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Themes Coder \u2013 Create Android \u0026 iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:40:52.130Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec14b1e-6d1a-4451-9fce-ac064623d92f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tc-ecommerce/trunk/controller/app_user.php#L338"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3303561/tc-ecommerce/trunk/controller/app_user.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T15:09:57.000Z",
"value": "Disclosed"
}
],
"title": "Themes Coder \u2013 Create Android \u0026 iOS Apps For Your Woocommerce Site \u003c= 1.3.4 - Insecure Direct Object Reference to Password Change/Account Takeover/Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12402",
"datePublished": "2025-01-07T03:21:53.748Z",
"dateReserved": "2024-12-10T14:24:37.517Z",
"dateUpdated": "2026-04-08T16:40:52.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12402 (GCVE-0-2024-12402)
Vulnerability from cvelistv5 – Published: 2025-01-07 03:21 – Updated: 2026-04-08 16:40
VLAI?
Title
Themes Coder – Create Android & iOS Apps For Your Woocommerce Site <= 1.3.4 - Insecure Direct Object Reference to Password Change/Account Takeover/Privilege Escalation
Summary
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity ?
9.8 (Critical)
CWE
- CWE-288 - Authentication Bypass Using an Alternate Path or Channel
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| themescoder | TC Ecommerce – Create Android & iOS Apps for WooCommerce |
Affected:
0 , ≤ 1.3.4
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12402",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-07T15:57:12.171902Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-07T16:29:41.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "TC Ecommerce \u2013 Create Android \u0026 iOS Apps for WooCommerce",
"vendor": "themescoder",
"versions": [
{
"lessThanOrEqual": "1.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Tieu Pham Trong Nhan"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Themes Coder \u2013 Create Android \u0026 iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user\u0027s identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-288",
"description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:40:52.130Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec14b1e-6d1a-4451-9fce-ac064623d92f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/tc-ecommerce/trunk/controller/app_user.php#L338"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3303561/tc-ecommerce/trunk/controller/app_user.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-01-06T15:09:57.000Z",
"value": "Disclosed"
}
],
"title": "Themes Coder \u2013 Create Android \u0026 iOS Apps For Your Woocommerce Site \u003c= 1.3.4 - Insecure Direct Object Reference to Password Change/Account Takeover/Privilege Escalation"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12402",
"datePublished": "2025-01-07T03:21:53.748Z",
"dateReserved": "2024-12-10T14:24:37.517Z",
"dateUpdated": "2026-04-08T16:40:52.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}