CVE-2024-12274

HighPublic PoC

Published: 13 January 2025

Published

13 January 2025

Modified

08 May 2025

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0051 66.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12274 is a high-severity an unspecified weakness vulnerability in Codepeople Appointment Booking Calendar. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 33.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-22 Publicly Accessible Content good match

prevent

Requires reviewing and restricting sensitive information in publicly accessible content, directly preventing exposure of exported settings files stored in public folders with guessable names.

SC-14 Public Access Protections good match

prevent

Establishes protections for information in public web systems against unauthorized disclosure, mitigating unauthenticated access to exported files in the WordPress plugin.

AC-14 Permitted Actions Without Identification or Authentication good match

prevent

Limits actions permitted without identification or authentication, preventing unauthenticated attackers from accessing guessable exported files in public folders.

NVD Description

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).

Deeper analysisAI

CVE-2024-12274 is a vulnerability in the Appointment Booking Calendar Plugin and Scheduling Plugin for WordPress, affecting versions prior to 1.1.23. The issue resides in the export settings functionality, which stores exported data in a public folder using an easily guessable filename. This design flaw enables unauthorized access to any existing exported files.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation allows retrieval of the exported files' contents, leading to high-impact confidentiality violations, such as exposure of sensitive plugin settings or other data. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The WPScan advisory at https://wpscan.com/vulnerability/e3176c9a-63f3-4a28-a8a7-8abb2b4100ef/ details the issue, with mitigation achieved by updating to version 1.1.23 or later, which resolves the insecure export behavior.

Details

CWE(s): NVD-CWE-noinfo

Affected Products

codepeople

appointment booking calendar

≤ 1.1.23

References

https://wpscan.com/vulnerability/e3176c9a-63f3-4a28-a8a7-8abb2b4100ef/
Exploit, Third Party Advisory · contact@wpscan.com