Cyber Resilience

CVE-2024-12252

CriticalRCE

Published: 07 January 2025

Published
07 January 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0312 86.2th percentile
Risk Priority 80 floored blend · peak EPSS

Summary

CVE-2024-12252 is a critical-severity Code Injection (CWE-94) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 13.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to and including 2.2.1. This flaw, assigned CVE-2024-12252 and rated 9.8 under CVSS 3.1, permits unauthenticated attackers to overwrite the seo-beginner-auto-post.php file, which can be leveraged for remote code execution. The issue is categorized under CWE-94.

Unauthenticated remote attackers can exploit the vulnerability without user interaction or privileges by sending crafted requests to the affected AJAX endpoint. Successful exploitation grants full control over the overwritten plugin file, enabling arbitrary code execution that impacts confidentiality, integrity, and availability of the WordPress site.

The current and peak EPSS score of 0.7133 indicates substantial exploitation interest following disclosure. Public references include the plugin directory page and a Wordfence threat intelligence entry that document the affected component.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to…

more

overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Missing auth check on AJAX endpoint enables unauthenticated remote file overwrite in WordPress plugin, directly facilitating T1190 (public app exploitation) and T1100 (web shell via malicious PHP overwrite for RCE).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-10057Shared CWE-94
CVE-2024-54724Shared CWE-94
CVE-2025-52744Shared CWE-94
CVE-2021-47778Shared CWE-94
CVE-2026-42607Shared CWE-94
CVE-2026-25447Shared CWE-94
CVE-2025-61196Shared CWE-94
CVE-2026-35194Shared CWE-94
CVE-2025-62521Shared CWE-94
CVE-2025-59954Shared CWE-94

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations on the remote_update AJAX action, directly addressing the missing capability check that allows unauthenticated file overwrites.

prevent

Implements least privilege to prevent unauthenticated attackers from gaining the capabilities needed to overwrite critical PHP files like seo-beginner-auto-post.php.

prevent

Restricts logical access to changes such as file overwrites, mitigating the vulnerability's exploitation for remote code execution.

References