A severe security flaw (CVE-2024-12857) has been discovered in the AdForest WordPress theme, a popular premium classified ads theme with over 8,743 sales globally. This vulnerability, rated CVSS 9.8, allows attackers to bypass authentication mechanisms entirely.
Discovered by security researcher Chloe Chamberland of Wordfence, the issue affects all versions of AdForest up to and including 5.1.8. The vulnerability stems from the theme's failure to properly verify a user's identity during the one-time password (OTP) login by phone number.
This loophole enables unauthenticated attackers to log in as any user, including administrators, without needing the actual OTP, giving them complete control over the WordPress site. The implications are significant, as this could lead to:
- Full site compromise: Attackers could modify content, inject malicious code, or steal sensitive data.
- Administrative abuse: Malicious actors could create new accounts with administrative privileges or lock out legitimate users.
- Phishing campaigns: Attackers could exploit compromised sites to distribute phishing pages or malware.
The developers of AdForest have since released version 5.1.9 to address the vulnerability. All users of the AdForest theme are strongly urged to update to the latest version immediately.
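The advisory describes the flaw only in general terms: a phone-number OTP login that grants a session without the OTP actually being checked. As an added illustration for developers reviewing their own login code (not AdForest's code, and not a claim about how the theme was written), the following PHP contrasts the generic shape of such a gap with a hardened OTP verification routine built on standard WordPress APIs. The handler names, the `phone` user-meta key, the transient names and the attempt limit are assumptions made for the example.

```php
<?php
// Illustrative example, not the AdForest theme's code. Assumes a login flow where
// an OTP is sent out-of-band (e.g. SMS) and later posted back with the phone number.
// Function names, the 'phone' user-meta key and transient keys are hypothetical.

// Hypothetical lookup: resolve a phone number to a WordPress user ID via user meta.
function example_user_id_by_phone( string $phone ): int {
    $ids = get_users( array(
        'meta_key'   => 'phone',   // assumed meta key
        'meta_value' => $phone,
        'number'     => 1,
        'fields'     => 'ID',
    ) );
    return $ids ? (int) $ids[0] : 0;
}

// Weak pattern (generic shape of the gap): the OTP is never compared, so anyone
// who supplies a registered phone number is logged in as that user.
function example_weak_otp_login( string $phone ): bool {
    $user_id = example_user_id_by_phone( $phone );
    if ( ! $user_id ) {
        return false;
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    return true;
}

// Hardened: bind the code to the phone number at issue time, store only a keyed
// hash with a short expiry, and send the code out-of-band (never to the browser).
function example_issue_otp( string $phone ): string {
    $code = (string) random_int( 100000, 999999 );
    set_transient( 'otp_' . md5( $phone ), array(
        'hash'     => wp_hash( $phone . '|' . $code ),
        'attempts' => 0,
    ), 5 * MINUTE_IN_SECONDS );
    return $code; // hand to the SMS gateway
}

// Hardened: require a CSRF nonce, an unexpired code for this exact phone number,
// a constant-time match, a bounded number of guesses, and single use.
function example_verify_otp_login( string $phone, string $code, string $nonce ): bool {
    if ( ! wp_verify_nonce( $nonce, 'otp_login' ) ) {
        return false; // form did not originate from our login page
    }
    $key    = 'otp_' . md5( $phone );
    $record = get_transient( $key );
    if ( ! is_array( $record ) ) {
        return false; // no code issued for this number, or it expired
    }
    if ( $record['attempts'] >= 5 ) {
        delete_transient( $key );
        return false; // brute-force guard: discard the code entirely
    }
    if ( ! hash_equals( $record['hash'], wp_hash( $phone . '|' . $code ) ) ) {
        $record['attempts']++;
        set_transient( $key, $record, 5 * MINUTE_IN_SECONDS );
        return false; // wrong code
    }
    delete_transient( $key ); // a code is valid exactly once
    $user_id = example_user_id_by_phone( $phone );
    if ( ! $user_id ) {
        return false;
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    return true;
}
```

The decisive difference is that the session is only created after the submitted code matches a record that was bound to the same phone number when the code was issued; a code that was never issued, has expired, has been guessed too many times, or has already been used never reaches `wp_set_auth_cookie()`. Audits of custom login handlers should confirm that every path to `wp_set_auth_cookie()` is preceded by such a check.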