Threat Entry Updated 2025-03-19

CVE-2024-12295 - Boombox Theme Extensions Plugin

The BoomBox Theme Extensions plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.8.0. This is due to the plugin not properly validating a user's identity prior to updating their password through the 'boombox_ajax_reset_password' function. This makes it possible for authenticated attackers, with subscriber-level privileges and above, to change arbitrary user's passwords, including administrators, and leverage that to gain access to their account.

PLUGIN Boombox Theme Extensions

CVE-2024-12295

HIGH CVSS 8.8 2025-03-19

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2025-02-03

CVE-2024-12859 - Boombox Theme Extensions Plugin

The BoomBox Theme Extensions plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.8.0 via the 'boombox_listing' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

PLUGIN Boombox Theme Extensions

CVE-2024-12859

HIGH CVSS 8.8 2025-02-03

Risk Score

Open Full Technical Breakdown