Cyber Resilience

CVE-2024-12274

HighPublic PoC

Published: 13 January 2025

Published
13 January 2025
Modified
08 May 2025
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0069 72.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12274 is a high-severity an unspecified weakness vulnerability in Codepeople Appointment Booking Calendar. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 27.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-22 (Publicly Accessible Content).

Deeper analysis

CVE-2024-12274 is a vulnerability in the Appointment Booking Calendar Plugin and Scheduling Plugin for WordPress, affecting versions prior to 1.1.23. The issue resides in the export settings functionality, which stores exported data in a public folder using an easily guessable filename. This design flaw enables unauthorized access to any existing exported files.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, user interaction, or special conditions. Exploitation allows retrieval of the exported files' contents, leading to high-impact confidentiality violations, such as exposure of sensitive plugin settings or other data. The CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

The WPScan advisory at https://wpscan.com/vulnerability/e3176c9a-63f3-4a28-a8a7-8abb2b4100ef/ details the issue, with mitigation achieved by updating to version 1.1.23 or later, which resolves the insecure export behavior.

EU & UK References

Vulnerability details

The Appointment Booking Calendar Plugin and Scheduling Plugin WordPress plugin before 1.1.23 export settings functionality exports data to a public folder, with an easily guessable file name, allowing unauthenticated attackers to access the exported files (if they exist).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated exploitation of a public-facing WordPress plugin vulnerability to access sensitive exported data.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

Affected Assets

codepeople
appointment booking calendar
≤ 1.1.23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires reviewing and restricting sensitive information in publicly accessible content, directly preventing exposure of exported settings files stored in public folders with guessable names.

prevent

Establishes protections for information in public web systems against unauthorized disclosure, mitigating unauthenticated access to exported files in the WordPress plugin.

prevent

Limits actions permitted without identification or authentication, preventing unauthenticated attackers from accessing guessable exported files in public folders.

References