Platform: wordpress
Component: payu-india
Fixed in: 3.8.4
CVE-2024-12264 is a privilege escalation vulnerability affecting the PayU CommercePro Plugin for WordPress. This vulnerability allows unauthenticated attackers to create new administrative user accounts, granting them complete control over the WordPress site. The vulnerability impacts versions of the plugin up to and including 3.8.3. A patch is expected from the vendor.
The impact of CVE-2024-12264 is severe. An attacker exploiting this vulnerability can bypass authentication and directly create a new administrator account. This grants them full control over the affected WordPress website, including access to sensitive data, modification of content, installation of malicious plugins, and potentially pivoting to other systems on the network. The lack of authentication checks on the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost endpoints is the root cause, enabling this unauthorized account creation. This is similar in impact to other WordPress plugin vulnerabilities where unauthorized admin accounts are created, allowing for complete site takeover.
CVE-2024-12264 was publicly disclosed on 2025-01-07. The vulnerability's criticality (CVSS 9.8) indicates a high probability of exploitation. No public proof-of-concept (POC) code has been released at the time of writing, but the simplicity of the attack vector suggests that a POC is likely to emerge. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.38% (59th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-12264 is to upgrade the PayU CommercePro Plugin to a patched version as soon as it becomes available. Until a patch is released, consider temporarily disabling the plugin to prevent exploitation. As a workaround, restrict access to the /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost endpoints using a WordPress firewall plugin or server-level access controls (e.g., .htaccess) to block unauthorized requests. After upgrading, verify the fix by attempting to access the vulnerable endpoints with an unauthenticated user and confirming that access is denied.
Update the PayU CommercePro Plugin to the latest available version. This will resolve the privilege escalation vulnerability that allows unauthenticated attackers to create administrator accounts.
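One way to apply the interim restriction described above from inside WordPress itself, as an added example that is not from this advisory or from PayU: a must-use plugin that refuses the two REST routes to anyone below administrator until 3.8.4 is installed. It assumes the plugin registers the routes under /wp-json/ with exactly the path strings quoted in the advisory, and the manage_options capability is a chosen threshold, not something the page specifies.

```php
<?php
/**
 * Plugin Name: PayU REST route guard (temporary, CVE-2024-12264)
 * Description: Added example, not vendor code. Denies the two PayU CommercePro
 * REST routes named in the advisory to anyone without manage_options until the
 * patched plugin (3.8.4) is installed. Place in wp-content/mu-plugins/.
 */

// Routes as they appear under /wp-json/ in the advisory. Assumption: the
// plugin registers them with exactly these strings on your install.
const PAYU_GUARDED_ROUTES = [
    '/payu/v1/generate-user-token',
    '/payu/v1/get-shipping-cost',
];

/**
 * Short-circuits REST dispatch before the plugin's own callback runs.
 * This filter fires after WordPress has resolved the current user, so the
 * capability check reflects the requester's real session (or lack of one).
 */
function payu_guard_rest_routes( $response, $handler, $request ) {
    $route = $request->get_route();

    // Not one of the guarded routes: leave dispatch untouched.
    if ( ! in_array( $route, PAYU_GUARDED_ROUTES, true ) ) {
        return $response;
    }

    // Administrators keep access (manage_options is an assumed threshold).
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }

    // Record the denied attempt so it surfaces in server logs / monitoring.
    error_log( sprintf(
        'CVE-2024-12264 guard: denied %s %s from %s',
        $request->get_method(),
        $route,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    // Returning WP_Error here makes the REST server send a 403 and skip
    // the plugin's callback entirely.
    return new WP_Error(
        'rest_forbidden',
        'This endpoint is disabled pending the PayU CommercePro security update.',
        [ 'status' => 403 ]
    );
}
add_filter( 'rest_request_before_callbacks', 'payu_guard_rest_routes', 10, 3 );
```

Blocking get-shipping-cost also stops shipping calculation for guest shoppers, the same trade-off as the advisory's option of disabling the plugin; remove the file after upgrading and repeat the unauthenticated endpoint check described above.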
CVE-2024-12264 is a critical vulnerability in the PayU CommercePro Plugin for WordPress allowing unauthenticated attackers to create admin accounts. It affects versions up to 3.8.3 and carries a CVSS score of 9.8.
You are affected if your WordPress site uses the PayU CommercePro Plugin version 3.8.3 or earlier. Check your plugin versions immediately.
Upgrade the PayU CommercePro Plugin to the latest available version as soon as a patch is released. Temporarily disable the plugin as a workaround until the update is available.
While no active exploitation has been confirmed, the high CVSS score and ease of exploitation suggest a high probability of exploitation. Monitor your systems closely.
Refer to the PayU CommercePro Plugin's official website or WordPress plugin repository for updates and advisories regarding CVE-2024-12264.