CVE-2024-12827 CRITICAL

CVE-2024-12827: DWT - Directory & Listing WordPress Theme <= 3.3.6 - Unauthenticated Arbitrary User Password Reset

Vendor Scriptsbundle
Product DWT - Directory & Listing WordPress Theme
Weakness CWE-620 · Unverified password change
Published June 27, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The DWT - Directory & Listing WordPress Theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.3.6. This is due to the theme not properly checking for an empty token value before resetting a user's password through the dwt_listing_reset_password() function. This makes it possible for unauthenticated attackers to change arbitrary users' passwords, including administrators', and leverage that to gain access to their accounts.
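As an added illustration, not code from the DWT theme, the plain PHP below contrasts a reset-token check that accepts an empty token (the CWE-620 pattern the description names) with a hardened check. The $reset_tokens array, the function names and the token values are constructed stand-ins for the per-user storage a WordPress reset handler would keep in user meta.

```php
<?php
// Added example, not code from the DWT theme. $reset_tokens is a constructed
// stand-in for per-user reset-token storage (user meta in WordPress).
$reset_tokens = [
    // user 1 never requested a reset, so no token is stored
    1 => ['token' => '', 'expires' => 0],
    // user 2 has a pending reset (constructed token, valid for one hour)
    2 => ['token' => 'constructed-random-token', 'expires' => time() + 3600],
];

// Vulnerable pattern (CWE-620): the supplied token is only compared against the
// stored value. For a user with no pending reset both sides are empty, so a
// request that omits the token passes and the password is changed anyway.
function vulnerable_token_ok(array $store, int $user_id, string $token): bool
{
    $stored = $store[$user_id]['token'] ?? '';
    return $stored == $token;
}

// Hardened check: refuse empty or missing tokens outright, require a pending and
// unexpired entry, and compare in constant time. A real handler should also
// delete the entry after one successful use so a token cannot be replayed.
function hardened_token_ok(array $store, int $user_id, string $token): bool
{
    if ($token === '' || !isset($store[$user_id])) {
        return false;
    }
    $entry = $store[$user_id];
    if ($entry['token'] === '' || $entry['expires'] < time()) {
        return false;
    }
    return hash_equals($entry['token'], $token);
}

// Walk through the cases that matter: no pending reset with an empty token,
// pending reset with an empty token, the correct token, and a wrong token.
foreach ([[1, ''], [2, ''], [2, 'constructed-random-token'], [2, 'wrong-token']] as [$uid, $tok]) {
    printf("user %d, token %-28s vulnerable=%-4s hardened=%s\n", $uid, var_export($tok, true),
        vulnerable_token_ok($reset_tokens, $uid, $tok) ? 'pass' : 'fail',
        hardened_token_ok($reset_tokens, $uid, $tok) ? 'pass' : 'fail');
}
```

Only the first case separates the two checks: the vulnerable one passes for a user with no pending reset and an empty token, which is exactly the missing-check condition the description above attributes to the theme.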

Explanation of Vulnerability in Simple Terms

02 Summary

The DWT - Directory & Listing WordPress Theme contains a vulnerability that allows unauthenticated attackers to reset any user's password, including an administrator's, and take over that account without any user interaction, which in turn lets them read, modify, or delete data on affected sites. The flaw affects all versions up to and including 3.3.6. No authentication or special configuration is required to exploit this issue. Site administrators should update immediately to a version newer than 3.3.6.

What an attacker can do

03 Attacker Capabilities

Reset any user's password, including an administrator's, without logging in, then use the new password to take over the account and read, modify, or delete site data.

Potential impact on your site

04 Site Impact

An attacker who takes over an administrator account controls the site's data, content, and functionality, all without holding any credentials beforehand.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

June 27, 2025 CVE published
April 8, 2026 Record updated