Cyber Resilience

CVE-2024-12269

High

Published: 30 January 2025

Published
30 January 2025
Modified
08 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0013 32.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12269 is a high-severity Missing Authorization (CWE-862) vulnerability in Wpmessiah Safe Ai Malware Protection For Wp. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Other Platforms; in the Privacy and Disclosure risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12269 affects the Safe Ai Malware Protection for WP plugin for WordPress, specifically due to a missing capability check on the export_db() function in all versions up to and including 1.0.17. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized access to sensitive data. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By accessing the export_db() function, they can retrieve a complete dump of the site's database, potentially exposing user credentials, personal data, and other confidential information stored in the WordPress database.

Advisories from sources like Wordfence detail the issue and reference the vulnerable code in class-mvsp-export-db.php at line 7, along with a patch applied in changeset 3232957 for the plugin. Mitigation involves updating to a version beyond 1.0.17 where the capability check has been implemented to prevent unauthorized database exports.

EU & UK References

Vulnerability details

The Safe Ai Malware Protection for WP plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the export_db() function in all versions up to, and including, 1.0.17. This makes it possible for…

more

unauthenticated attackers to retrieve a complete dump of the site's database.

CWE(s)

AI Security AnalysisAI

AI Category
Other Platforms
Risk Domain
Privacy and Disclosure
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
Why these techniques?

The vulnerability enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to perform a complete database dump, facilitating collection of data from databases (T1213.006).

CVEs Like This One

CVE-2026-3431Shared CWE-862
CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862

Affected Assets

wpmessiah
safe ai malware protection for wp
≤ 1.0.17

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations to prevent unauthorized access to sensitive functions like export_db() lacking capability checks.

prevent

Implements least privilege to ensure unauthenticated attackers cannot access database export capabilities in WordPress plugins.

prevent

Requires timely remediation of flaws such as missing authorization in plugins, as evidenced by the patch in changeset 3232957.

References