CVE-2024-12129 HIGH

CVE-2024-12129: Royal Core <= 2.9.2 - Authenticated (Subscriber+) Arbitrary Options Update

Vendor Royal-Flush
Product Royal Core
Weakness CWE-862 · Missing authorization
Published January 30, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Royal Core plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'royal_restore_backup' function in all versions up to, and including, 2.9.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Key dates

02Disclosure timeline

January 30, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-49856 WordPress Smart Forms plugin <= 2.6.84 - Authenticated Arbitrary Options Change Vulnerability CVE-2025-13318 Booking Calendar Contact Form <= 1.2.60 - Missing Authorization to Unauthenticated Arbitrary Booking Confirmation via 'dex_bccf_ipn' Parameter CVE-2024-10824 Authorization Bypass Vulnerability was Identified in GitHub Enterprise Server that Allowed Unauthorized Internal Users to Access Secret Scanning Alert Data CVE-2026-1103 AIKTP <= 5.0.04 - Missing Authorization to Authenticated (Subscriber+) Multiple Administrator Actions CVE-2026-1355 Missing Authorization Check in GitHub Enterprise Server Allows Unauthorized Uploads to Repository Migration Exports