CVE-2024-12402: 
WordPress vulnerability analysis and mitigation

The Themes Coder – Create Android & iOS Apps For Your Woocommerce Site plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to and including 1.3.4. This vulnerability was discovered and reported on January 6, 2025, and has been assigned CVE-2024-12402 with a CVSS v3.1 base score of 9.8 (CRITICAL) (NVD).

The vulnerability stems from improper user identity validation in the updateuserprofile() function. The plugin fails to properly authenticate users before allowing password updates, which represents an authentication bypass using an alternate path or channel (CWE-288). The vulnerability has received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthenticated attackers to change arbitrary user passwords, including those of administrators. This can lead to complete account takeover and unauthorized access to administrative functions, potentially compromising the entire WordPress installation (NVD).

Users should immediately update to a version newer than 1.3.4 if available. If an update is not possible, it is recommended to disable the plugin until a patch is released, given the critical nature of the vulnerability (NVD).