CVE-2024-12402: CWE-288 Authentication Bypass Using an Alternate Path or Channel in themescoder TC Ecommerce – Create Android & iOS Apps for WooCommerce
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
AI Analysis
Technical Summary
The Themes Coder plugin for WooCommerce sites suffers from an authentication bypass vulnerability (CWE-288) due to insufficient validation of user identity before allowing password updates via the update_user_profile() function. This weakness permits unauthenticated attackers to reset passwords of any user, including administrators, leading to privilege escalation and full account takeover. The vulnerability affects all versions up to and including 1.3.4. It is remotely exploitable without authentication and requires no user interaction. The CVSS 3.1 base score is 9.8, reflecting critical severity with network attack vector, low attack complexity, and no privileges required.
Potential Impact
Successful exploitation allows an unauthenticated attacker to change any user's password, including administrators, resulting in full account takeover. This compromises confidentiality, integrity, and availability of the affected WordPress site and potentially any connected systems or data. Given the administrative access gained, attackers can perform any action on the site, including data theft, site defacement, or further malware deployment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the plugin and monitor for suspicious activity. Consider disabling or removing the plugin if possible to prevent exploitation. Avoid relying on generic mitigations as this vulnerability allows unauthenticated password changes.
CVE-2024-12402: CWE-288 Authentication Bypass Using an Alternate Path or Channel in themescoder TC Ecommerce – Create Android & iOS Apps for WooCommerce
Description
The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.3.4. This is due to the plugin not properly validating a user's identity prior to updating their password through the update_user_profile() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Themes Coder plugin for WooCommerce sites suffers from an authentication bypass vulnerability (CWE-288) due to insufficient validation of user identity before allowing password updates via the update_user_profile() function. This weakness permits unauthenticated attackers to reset passwords of any user, including administrators, leading to privilege escalation and full account takeover. The vulnerability affects all versions up to and including 1.3.4. It is remotely exploitable without authentication and requires no user interaction. The CVSS 3.1 base score is 9.8, reflecting critical severity with network attack vector, low attack complexity, and no privileges required.
Potential Impact
Successful exploitation allows an unauthenticated attacker to change any user's password, including administrators, resulting in full account takeover. This compromises confidentiality, integrity, and availability of the affected WordPress site and potentially any connected systems or data. Given the administrative access gained, attackers can perform any action on the site, including data theft, site defacement, or further malware deployment.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the plugin and monitor for suspicious activity. Consider disabling or removing the plugin if possible to prevent exploitation. Avoid relying on generic mitigations as this vulnerability allows unauthenticated password changes.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-12-10T14:24:37.517Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e38b7ef31ef0b5980dd
Added to database: 2/25/2026, 9:48:40 PM
Last enriched: 4/9/2026, 7:22:58 PM
Last updated: 4/12/2026, 3:41:26 PM
Views: 28
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.