CVE-2024-12129
📋 TL;DR
The Royal Core WordPress plugin contains a privilege escalation vulnerability that allows authenticated users with Subscriber-level access or higher to modify WordPress site options. An attacker can change the default registration role to Administrator and enable user registration, gaining full administrative control. All WordPress sites running Royal Core plugin versions up to and including 2.9.2 are affected.
💻 Affected Systems
- Royal Core WordPress Plugin
📦 What is this software?
Royal Core by Wp Royal Themes
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, can install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Attackers create administrator accounts for themselves, gaining full control over the WordPress site and potentially the server if additional vulnerabilities exist.
If Mitigated
With proper access controls and monitoring, unauthorized privilege escalation attempts are detected and blocked before successful exploitation.
🎯 Exploit Status
Requires authenticated access (Subscriber role minimum). Exploitation involves sending crafted requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.3 or later
Vendor Advisory: https://themeforest.net/item/hyperx-portfolio-for-freelancers-agencies/13439786
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the Royal Core plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, deactivate and remove the plugin until a patched version is available.
🔧 Temporary Workarounds
Disable Royal Core Plugin
Temporarily deactivate the vulnerable plugin until a patched version can be installed
wp plugin deactivate royal-core
Restrict User Registration
Disable new user registration in WordPress settings to prevent attacker account creation
🧯 If You Can't Patch
- Implement strict access controls and monitor for unauthorized privilege escalation attempts
- Use web application firewall (WAF) rules to block requests to the vulnerable 'royal_restore_backup' endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Royal Core version. If version is 2.9.2 or lower, you are vulnerable.
Check Version:
wp plugin get royal-core --field=version
Verify Fix Applied:
After updating, verify Royal Core plugin version is 2.9.3 or higher in WordPress admin panel.
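As an added example (not part of this advisory), the following Python helper compares the version reported by `wp plugin get royal-core --field=version` against the patched release. It uses numeric tuple comparison so that a future release such as 2.10.0 is not mistaken for an older version by plain string comparison; the `installed_royal_core_version` wrapper assumes WP-CLI is on PATH and the WordPress install is at the given path.

```python
import re
import subprocess
from typing import Optional

# Patched release from the advisory: 2.9.3 or later is fixed.
PATCHED_VERSION = "2.9.3"


def parse_version(version: str) -> tuple:
    """Turn '2.9.2', 'v2.10.0' or '2.9.3-beta1' into a tuple of integers.

    Comparing tuples avoids the string-comparison bug where '2.10.0'
    would sort before '2.9.3'. Any trailing pre-release suffix is dropped.
    """
    core = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not core:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in core.group(1).split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Royal Core version is below the patched release."""
    return parse_version(version) < parse_version(PATCHED_VERSION)


def installed_royal_core_version(wp_path: str = ".") -> Optional[str]:
    """Read the installed version with WP-CLI (assumes `wp` is on PATH).

    Returns None when the plugin is not installed, which is the expected
    state after the 'deactivate and remove' workaround.
    """
    result = subprocess.run(
        ["wp", "plugin", "get", "royal-core", "--field=version", f"--path={wp_path}"],
        capture_output=True,
        text=True,
    )
    if result.returncode != 0:
        return None
    return result.stdout.strip()


if __name__ == "__main__":
    version = installed_royal_core_version()
    if version is None:
        print("Royal Core is not installed")
    elif is_vulnerable_version(version):
        print(f"Royal Core {version} is VULNERABLE; update to {PATCHED_VERSION} or later")
    else:
        print(f"Royal Core {version} is patched")
```

Run it from the WordPress root (or pass `wp_path`) on each site; a non-zero exit from WP-CLI is treated as "plugin absent", which is the state the workaround above leaves the site in.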
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=royal_restore_backup
- Unauthorized user role changes in WordPress user logs
- New administrator account creation from non-admin users
Network Indicators:
- HTTP POST requests containing 'royal_restore_backup' parameter from non-admin IP addresses
SIEM Query:
source="wordpress.log" AND ("royal_restore_backup" OR "action=royal_restore_backup")
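As an added example, not part of this advisory, the following Python script applies the log indicators above to web server access logs in the common "combined" format. It flags any request to `/wp-admin/admin-ajax.php` whose query string carries `action=royal_restore_backup`, regardless of HTTP method (going slightly beyond the POST-only indicator listed above, since a GET with the same action is equally worth reviewing). The sample log lines are constructed for this example and are not real traffic. One caveat worth knowing: an access log only records the query string, so an `action` parameter sent in the POST body is invisible here and must be caught by a WAF or ModSecurity audit log instead.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" log format; we extract the client IP,
# timestamp, request method, request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# AJAX action named in the advisory's detection indicators.
VULNERABLE_ACTION = "royal_restore_backup"


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(entry: dict) -> bool:
    """True for a request to admin-ajax.php whose query string selects the vulnerable action.

    Only the query string is visible in an access log; an action carried in the
    POST body needs a WAF or ModSecurity audit log to be seen.
    """
    url = urlsplit(entry["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    actions = parse_qs(url.query).get("action", [])
    return VULNERABLE_ACTION in actions


def scan(log_lines):
    """Return (ip, timestamp, method, status) for every suspicious request."""
    hits = []
    for line in log_lines:
        entry = parse_line(line)
        if entry and is_suspicious(entry):
            hits.append((entry["ip"], entry["ts"], entry["method"], int(entry["status"])))
    return hits


# Constructed sample lines (not real traffic): one benign admin-ajax call,
# two calls with the vulnerable action, and one unrelated request.
SAMPLE_LOG = [
    '203.0.113.10 - - [05/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Dec/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=royal_restore_backup HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [05/Dec/2024:10:01:15 +0000] "GET /wp-admin/admin-ajax.php?action=royal_restore_backup&x=1 HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '203.0.113.10 - - [05/Dec/2024:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, method, status in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {method} action={VULNERABLE_ACTION} status={status}")
```

Feed it `access.log` line by line and correlate each hit's IP with the WordPress user session active at that time; a hit followed by a role change or a new Administrator account in the user logs is the sequence the advisory describes.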