Search
Find a vulnerability
Search criteria
2 vulnerabilities by carspot_project
CVE-2024-12860 (GCVE-0-2024-12860)
Vulnerability from nvd – Published: 2025-02-18 08:21 – Updated: 2026-04-08 17:24
VLAI
Title
CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover
Summary
The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| scriptsbundle | CarSpot – Dealership Wordpress Classified Theme |
Affected:
0 , ≤ 2.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T14:33:03.499833Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T14:33:14.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CarSpot \u2013 Dealership Wordpress Classified Theme",
"vendor": "scriptsbundle",
"versions": [
{
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CarSpot \u2013 Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user\u0027s password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:59.674Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve"
},
{
"url": "https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-17T20:04:38.000Z",
"value": "Disclosed"
}
],
"title": "CarSpot \u2013 Dealership Wordpress Classified Theme \u003c= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12860",
"datePublished": "2025-02-18T08:21:43.498Z",
"dateReserved": "2024-12-20T17:00:35.574Z",
"dateUpdated": "2026-04-08T17:24:59.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-12860 (GCVE-0-2024-12860)
Vulnerability from cvelistv5 – Published: 2025-02-18 08:21 – Updated: 2026-04-08 17:24
VLAI
Title
CarSpot – Dealership Wordpress Classified Theme <= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover
Summary
The CarSpot – Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user's password. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-620 - Unverified Password Change
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| scriptsbundle | CarSpot – Dealership Wordpress Classified Theme |
Affected:
0 , ≤ 2.4.3
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-12860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-18T14:33:03.499833Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T14:33:14.791Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CarSpot \u2013 Dealership Wordpress Classified Theme",
"vendor": "scriptsbundle",
"versions": [
{
"lessThanOrEqual": "2.4.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Lucio S\u00e1"
}
],
"descriptions": [
{
"lang": "en",
"value": "The CarSpot \u2013 Dealership Wordpress Classified Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 2.4.3. This is due to the plugin not properly validating a token prior to updating a user\u0027s password. This makes it possible for unauthenticated attackers to change arbitrary user\u0027s passwords, including administrators, and leverage that to gain access to their account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-620",
"description": "CWE-620 Unverified Password Change",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:24:59.674Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d1043dce-628f-485b-bc1c-b78938c2a6f5?source=cve"
},
{
"url": "https://themeforest.net/item/carspot-automotive-car-dealer-wordpress-classified-theme/20195539"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-17T20:04:38.000Z",
"value": "Disclosed"
}
],
"title": "CarSpot \u2013 Dealership Wordpress Classified Theme \u003c= 2.4.3 - Unauthenticated Arbitrary Password Reset/Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-12860",
"datePublished": "2025-02-18T08:21:43.498Z",
"dateReserved": "2024-12-20T17:00:35.574Z",
"dateUpdated": "2026-04-08T17:24:59.674Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}