CVE-2024-12876

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to change the password of any WordPress user, including administrators, on sites running the Golo City Travel Guide theme. All WordPress sites running version 1.6.10 or earlier of this theme are affected. Attackers can take over accounts and gain administrative access.

💻 Affected Systems

Products:
  • Golo - City Travel Guide WordPress Theme
Versions: All versions up to and including 1.6.10
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations using the vulnerable theme version regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete site compromise with administrative account takeover, data theft, malware injection, and defacement.

🟠 Likely Case

Administrative account takeover leading to site defacement, data exfiltration, or backdoor installation.

🟢 If Mitigated

Limited impact if strong network controls prevent external access, but internal attackers could still exploit it.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows external attackers to compromise sites.
🏢 Internal Only: HIGH - Even internally, unauthenticated attackers on the network can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request manipulation required. No authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Any version later than 1.6.10

Vendor Advisory: https://themeforest.net/item/golo-directory-listing-travel-wordpress-theme/25397810

Restart Required: No

Instructions:

1. Update the Golo theme to the latest version via the WordPress admin panel.
2. Verify that the theme version is above 1.6.10.
3. Test the password change functionality.

🔧 Temporary Workarounds

Disable vulnerable theme (Platform: all)

Switch to a default WordPress theme until the patch is applied:

wp theme activate twentytwentyfour

Web application firewall rule (Platform: all)

Block requests to the Golo theme's password reset endpoints.

🧯 If You Can't Patch

  • Remove theme files from server completely
  • Implement strict network access controls to WordPress admin areas

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin, go to Appearance > Themes and check whether the Golo theme is at version 1.6.10 or earlier.

Check Version:

wp theme list --fields=name,version | grep -i golo

Verify Fix Applied:

Confirm that the theme version is above 1.6.10 and test the password change functionality.
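The version check above can be scripted so it does not depend on eyeballing the output. The following POSIX shell helper is an added example, not part of the advisory: it compares a dot-separated version string against the last affected release (1.6.10) and, in check_site, reads the installed version through WP-CLI. It assumes WP-CLI is installed and that the theme's name contains "golo" (an assumption; adjust the pattern if your install names it differently).

```shell
#!/bin/sh
# Added example (not from the advisory): flag Golo theme versions <= 1.6.10.

GOLO_LAST_AFFECTED="1.6.10"   # last affected version per the advisory

# vercmp A B -> prints -1, 0 or 1 for A<B, A=B, A>B.
# Compares numeric dot-separated components; missing components count as 0,
# so "1.6" equals "1.6.0". Pre-release suffixes are not handled.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"            # leading component
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# golo_is_vulnerable VERSION -> exit 0 if VERSION <= 1.6.10, 1 otherwise
golo_is_vulnerable() {
    [ "$(vercmp "$1" "$GOLO_LAST_AFFECTED")" -le 0 ]
}

# check_site -> queries WP-CLI, prints a verdict; exit 0 = vulnerable,
# 1 = patched, 2 = theme not found. Run from the WordPress root.
check_site() {
    v=$(wp theme list --fields=name,version --format=csv 2>/dev/null \
        | awk -F, 'tolower($1) ~ /golo/ { print $2; exit }')
    if [ -z "$v" ]; then
        echo "Golo theme not installed"; return 2
    fi
    if golo_is_vulnerable "$v"; then
        echo "VULNERABLE: Golo $v (<= $GOLO_LAST_AFFECTED)"; return 0
    fi
    echo "OK: Golo $v is above $GOLO_LAST_AFFECTED"; return 1
}
```

Call check_site from a cron job or your patch-verification pipeline and alert on exit status 0.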

📡 Detection & Monitoring

Log Indicators:

  • Unusual password reset requests
  • Multiple failed login attempts followed by a successful login from a new IP
  • Administrator password changes initiated by unauthenticated (not logged-in) requests

Network Indicators:

  • POST requests to theme-specific password reset endpoints from unauthenticated sources

SIEM Query:

source="wordpress.log" AND ("password" AND "reset" AND "golo")

🔗 References