Cyber Posture

CVE-2024-12315

High

Published: 12 February 2025

Published
12 February 2025
Modified
25 February 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0043 62.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12315 is a high-severity Insecure Storage of Sensitive Information (CWE-922) vulnerability in Smackcoders Export All Posts\, Products\, Orders\, Refunds \& Users. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 37.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-14 Public Access Protections good match
prevent

SC-14 directly protects sensitive information on public web servers like WordPress by restricting unauthorized access to directories such as /wp-content/uploads/smack_uci_uploads/exports/.

AC-22 Publicly Accessible Content good match
prevent

AC-22 prohibits placement of sensitive exported user data in publicly accessible content directories without authorization.

AC-3 Access Enforcement good match
prevent

AC-3 enforces access controls to prevent unauthenticated attackers from reading sensitive files in the unsecured exports directory.

NVD Description

The Export All Posts, Products, Orders, Refunds & Users plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.3 via the exports directory. This makes it possible for unauthenticated attackers to extract sensitive…

more

data stored insecurely in the /wp-content/uploads/smack_uci_uploads/exports/ directory which can contain information like exported user data.

Deeper analysisAI

CVE-2024-12315 is a sensitive information exposure vulnerability (CWE-922) in the Export All Posts, Products, Orders, Refunds & Users plugin for WordPress, affecting all versions up to and including 2.9.3. The flaw arises from insecure storage of exported data in the /wp-content/uploads/smack_uci_uploads/exports/ directory, which is accessible via the plugin's exports directory, allowing exposure of sensitive information such as exported user data.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges or user interaction. Successful exploitation enables extraction of sensitive data from the exports directory, resulting in high confidentiality impact but no integrity or availability effects, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Advisories, including Wordfence threat intelligence, detail the issue and reference specific locations in the plugin's codebase, such as ExportExtension.php at line 1678 and changeset 3230400 in the wp-ultimate-exporter repository on the WordPress plugins trac. No patches are mentioned for affected versions.

Details

CWE(s)
CWE-922

Affected Products

smackcoders
export all posts\, products\, orders\, refunds \& users
≤ 2.10

CVEs Like This One

CVE-2025-12539Shared CWE-922
CVE-2026-40868Shared CWE-922
CVE-2024-57546Shared CWE-922
CVE-2024-57436Shared CWE-922
CVE-2025-28244Shared CWE-922
CVE-2025-21299Shared CWE-922
CVE-2025-2241Shared CWE-922
CVE-2025-22984Shared CWE-922
CVE-2025-22983Shared CWE-922
CVE-2024-56113Shared CWE-922

References