vulnerability

WordPress Theme: dwt-listing: CVE-2024-12827: Unverified Password Change

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
10	(AV:N/AC:L/Au:N/C:C/I:C/A:C)	Jun 26, 2025	Dec 8, 2025	Dec 8, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:C/I:C/A:C)

Published

Jun 26, 2025

Added

Dec 8, 2025

Modified

Dec 8, 2025

Description

The DWT - Directory and Listing WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the plugin not properly checking for an empty token value prior to resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

Solution

dwt-listing-theme-cve-2024-12827

References

URL-https://www.cve.org/CVERecord?id=CVE-2024-12827
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/51fc7d47-2a0f-4713-9859-120321aa32dc?source=api-prod
CVE-2024-12827
https://attackerkb.com/topics/CVE-2024-12827
CWE-620

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today