CVE-2024-12824 is a critical security vulnerability identified in the Nokri – Job Board WordPress Theme, versions up to and including 1.6.2. The root cause is an unverified password change mechanism classified under CWE-620, where the theme's plugin fails to properly validate the presence and correctness of a token before allowing password updates. Specifically, the plugin does not check for an empty token value, which means an unauthenticated attacker can submit a password change request for any user account, including those with administrative privileges. This lack of verification allows attackers to reset passwords arbitrarily, leading to account takeover and privilege escalation. The vulnerability requires no authentication or user interaction, making it trivially exploitable remotely over the network. The CVSS v3.1 base score is 9.8, reflecting its critical severity with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability poses a significant risk to any WordPress site using this theme, especially those managing sensitive user data or critical business functions. The absence of patch links suggests that a fix may not yet be publicly available, increasing urgency for mitigation. This vulnerability can be leveraged to gain persistent unauthorized access, potentially leading to data breaches, defacement, or further network compromise.

The impact of CVE-2024-12824 is severe for organizations worldwide using the Nokri – Job Board WordPress Theme. Successful exploitation results in complete account takeover, including administrative accounts, allowing attackers to control the website, modify or delete data, inject malicious code, or disrupt services. This can lead to data breaches involving sensitive user information, loss of customer trust, reputational damage, and potential regulatory penalties. For job board platforms, this could mean exposure of personal and professional data of job seekers and employers, undermining platform integrity. Additionally, attackers could use compromised sites as footholds for lateral movement within corporate networks or to launch further attacks such as phishing or malware distribution. The ease of exploitation without authentication or user interaction amplifies the threat, making automated mass exploitation feasible. Organizations relying on this theme for recruitment or HR functions face operational disruptions and potential financial losses.

To mitigate CVE-2024-12824, organizations should immediately verify if they are using the Nokri – Job Board WordPress Theme version 1.6.2 or earlier and prioritize upgrading to a patched version once available. In the absence of an official patch, temporary mitigations include disabling password change functionality or restricting it to authenticated users only via custom code or security plugins. Implementing Web Application Firewall (WAF) rules to detect and block requests with empty or missing tokens related to password changes can reduce exposure. Monitoring logs for suspicious password reset attempts and enforcing multi-factor authentication (MFA) for administrative accounts can limit damage from compromised credentials. Regular backups and incident response plans should be updated to prepare for potential exploitation. Additionally, site administrators should audit user accounts for unauthorized changes and reset passwords proactively. Engaging with the theme vendor or community for updates and patches is critical. Finally, educating site administrators about this vulnerability and ensuring minimal plugin/theme usage reduces attack surface.