CVE-2024-12414

4.3 MEDIUM

📋 TL;DR

This CSRF vulnerability in the Themify Store Locator WordPress plugin lets an unauthenticated attacker change plugin settings by tricking a logged-in administrator into clicking a malicious link; the forged request is sent with the administrator's own session. All WordPress sites running this plugin up to version 1.1.9 are affected. The attack requires social engineering aimed at administrators.

💻 Affected Systems

Products:
  • Themify Store Locator WordPress Plugin
Versions: All versions up to and including 1.1.9
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin active. Attack requires administrator interaction.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could modify store location data, inject malicious content, or disrupt business operations by altering plugin functionality.

🟠

Likely Case

Attackers modify store location settings to redirect users to malicious sites or display fraudulent information.

🟢

If Mitigated

With proper CSRF protections, administrators would be prompted for confirmation before settings changes.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to trick administrators. No authentication needed for the CSRF attack itself.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.0 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3206624%40themify-store-locator&new=3206624%40themify-store-locator&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Themify Store Locator'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.2.0+ from WordPress.org and replace the plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate themify-store-locator

Add CSRF Protection Manually

all

Add nonce validation to the setting_page() function

Edit includes/init.php line 142 to add wp_verify_nonce() check
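To show what the manual workaround means in practice, here is an illustrative settings handler (added here; it is not the plugin's code) with the unprotected save beside a version that checks capability and a nonce. The function, option and field names (`tsl_settings_page`, `tsl_api_key`, `tsl_nonce`, `tsl_save_settings`) are assumptions, not the plugin's identifiers.

```php
<?php
// Added illustration, not the plugin's own code. Function, option and field
// names are assumptions; the advisory places the real handler in includes/init.php.

// BEFORE: any POST that reaches the page is applied. An administrator lured to a
// third-party page that auto-submits a form hits this path with their own
// cookies, so the settings change silently.
function tsl_settings_page_unprotected() {
    if ( isset( $_POST['tsl_api_key'] ) ) {
        update_option( 'tsl_api_key', sanitize_text_field( wp_unslash( $_POST['tsl_api_key'] ) ) );
    }
    tsl_render_form( false );
}

// AFTER: capability check plus nonce check. The nonce is bound to the logged-in
// user and the action name and is only emitted by the plugin's own form, so a
// cross-site request lacks it, wp_verify_nonce() fails and nothing is written.
function tsl_settings_page() {
    if ( isset( $_POST['tsl_api_key'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( esc_html__( 'Insufficient permissions.', 'tsl' ), 403 );
        }
        $nonce = isset( $_POST['tsl_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['tsl_nonce'] ) ) : '';
        if ( ! wp_verify_nonce( $nonce, 'tsl_save_settings' ) ) {
            // Feeds the "failed nonce validation" log indicator listed under Detection (assumed logging).
            error_log( 'tsl: nonce check failed for user ' . get_current_user_id() );
            wp_die( esc_html__( 'Security check failed.', 'tsl' ), 403 );
        }
        update_option( 'tsl_api_key', sanitize_text_field( wp_unslash( $_POST['tsl_api_key'] ) ) );
    }
    tsl_render_form( true );
}

// The settings form must emit the nonce field so legitimate saves pass the check.
function tsl_render_form( $with_nonce ) {
    echo '<form method="post">';
    if ( $with_nonce ) {
        wp_nonce_field( 'tsl_save_settings', 'tsl_nonce' );
    }
    echo '<input type="text" name="tsl_api_key" value="'
        . esc_attr( get_option( 'tsl_api_key', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
```

`check_admin_referer( 'tsl_save_settings', 'tsl_nonce' )` is the WordPress shorthand for the verify-and-die step if a one-liner is preferred.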

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only
  • Implement web application firewall rules to block CSRF attempts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Themify Store Locator version. If version is 1.1.9 or lower, you are vulnerable.

Check Version:

wp plugin get themify-store-locator --field=version

Verify Fix Applied:

Verify plugin version is 1.2.0 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized POST requests to /wp-admin/admin.php?page=themify-store-locator
  • Multiple failed nonce validation attempts

Network Indicators:

  • CSRF attack patterns in web traffic
  • Suspicious referrer headers

SIEM Query:

source="wordpress" AND (uri="/wp-admin/admin.php?page=themify-store-locator" AND method="POST")

🔗 References