
CVE-2024-12402: CWE-288 Authentication Bypass Using an Alternate Path or Channel in themescoder Themes Coder – Create Android & iOS Apps For Your Woocommerce Site

Severity: Critical
Tags: vulnerability, cve-2024-12402, cwe-288
Published: Tue Jan 07 2025 (01/07/2025, 03:21:53 UTC)
Source: CVE Database V5
Vendor/Project: themescoder
Product: Themes Coder – Create Android & iOS Apps For Your Woocommerce Site

Description

CVE-2024-12402 is a critical authentication bypass vulnerability in the Themes Coder – Create Android & iOS Apps For Your Woocommerce Site WordPress plugin, affecting all versions up to and including 1.3.4. The flaw allows unauthenticated attackers to change arbitrary users' passwords, including those of administrators, because the update_user_profile() function does not properly validate the identity of the requester. This enables privilege escalation and full account takeover without any user interaction or prior authentication. The vulnerability has a CVSS score of 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability. No exploits are currently reported in the wild, but the risk is significant given the ease of exploitation and the potential impact. Organizations using this plugin should prioritize patching or applying mitigations immediately to prevent unauthorized access and site compromise.

AI-Powered Analysis

AI analysis last updated: 02/26/2026, 03:42:01 UTC

Technical Analysis

The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress suffers from a critical authentication bypass vulnerability identified as CVE-2024-12402, categorized under CWE-288 (Authentication Bypass Using an Alternate Path or Channel). This vulnerability exists in all versions up to and including 1.3.4 due to insufficient validation of user identity before allowing password updates via the update_user_profile() function. Specifically, the plugin fails to verify that the request to change a password originates from an authenticated and authorized user. Consequently, an unauthenticated attacker can invoke this function to reset passwords for any user account, including those with administrative privileges. This leads to privilege escalation and full account takeover, enabling attackers to gain complete control over the WordPress site. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score is 9.8, reflecting the critical nature of the flaw with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact covers confidentiality, integrity, and availability, as attackers can access sensitive data, modify site content, and disrupt services. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers. The plugin is widely used by WooCommerce site owners to create mobile apps, making the exposure significant for e-commerce platforms relying on this integration.
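The root cause described above is a password-update handler that trusts the request to identify the user. The following is an added illustration, not the plugin's own code and not its fix: a WordPress AJAX handler that derives identity from the session, checks a nonce, enforces an authorization check on the target account, and re-authenticates self-service changes. The action name, nonce name and POST parameter names are hypothetical.

```php
<?php
// Added example (not the plugin's code): a password-update AJAX handler that
// validates who is calling before touching any account. Action, nonce and
// parameter names are assumptions for illustration only.

add_action( 'wp_ajax_example_update_user_profile', 'example_update_user_profile' );
// Deliberately no 'wp_ajax_nopriv_' registration: unauthenticated callers
// never reach this handler at all (no alternate unauthenticated path).

function example_update_user_profile() {
    // 1. Nonce check ties the request to a page this user was actually served.
    check_ajax_referer( 'example_update_profile', 'nonce' );

    // 2. Identity comes from the session, never from the request body.
    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Authorization: a user may only change their own password unless they
    //    hold edit_user for the target account (i.e. an administrator).
    $target_user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $current_user_id;
    if ( $target_user_id !== $current_user_id && ! current_user_can( 'edit_user', $target_user_id ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    $user = get_userdata( $target_user_id );
    if ( ! $user ) {
        wp_send_json_error( array( 'message' => 'Unknown user.' ), 404 );
    }

    // 4. Self-service changes must prove knowledge of the current password,
    //    so a stolen session alone cannot lock the real owner out.
    if ( $target_user_id === $current_user_id ) {
        $current_pw = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
        if ( ! wp_check_password( $current_pw, $user->user_pass, $user->ID ) ) {
            wp_send_json_error( array( 'message' => 'Current password incorrect.' ), 403 );
        }
    }

    $new_pw = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new_pw ) < 12 ) {
        wp_send_json_error( array( 'message' => 'Password too short.' ), 400 );
    }

    wp_set_password( $new_pw, $target_user_id );
    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}
```

The contrast with the reported flaw is steps 2 and 3: an unauthenticated request must be rejected before any account is looked up, and the target account must be authorized against the caller's own session, not against a user id supplied in the request.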

Potential Impact

The vulnerability allows attackers to completely compromise affected WordPress sites by resetting passwords of any user, including administrators, without authentication. This leads to full site takeover, enabling data theft, unauthorized modifications, installation of backdoors or malware, and disruption of e-commerce operations. For organizations, this can result in loss of customer trust, financial damage due to fraud or downtime, and potential regulatory penalties if customer data is exposed. WooCommerce sites are often critical for online retail businesses, so exploitation could directly impact revenue and brand reputation. The ease of exploitation and lack of required privileges mean that even low-skilled attackers can leverage this flaw. Additionally, compromised administrator accounts can be used to pivot to other internal systems or launch further attacks, increasing the overall risk to organizational IT infrastructure.

Mitigation Recommendations

Immediate mitigation involves updating the Themes Coder plugin to a patched version once available. Until a patch is released, organizations should consider disabling the plugin to prevent exploitation. Implementing Web Application Firewall (WAF) rules to block unauthorized requests to the update_user_profile() function or related endpoints can reduce risk. Monitoring logs for suspicious password change attempts or unusual administrator account activities is critical for early detection. Restricting access to the WordPress admin interface by IP whitelisting or VPN can add an additional layer of protection. Site owners should enforce strong, unique passwords and enable multi-factor authentication (MFA) for all administrator accounts to limit damage if an account is compromised. Regular backups and incident response plans should be in place to recover quickly from any breach. Finally, security teams should stay alert for any emerging exploit code or threat intelligence related to this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-10T14:24:37.517Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e38b7ef31ef0b5980dd

Added to database: 2/25/2026, 9:48:40 PM

Last enriched: 2/26/2026, 3:42:01 AM

Last updated: 2/26/2026, 9:35:41 AM
