CVE-2024-12330
Published: 09 January 2025
Summary
CVE-2024-12330 is a high-severity Exposure of Backup File to an Unauthorized Control Sphere (CWE-530) vulnerability in Wordpress (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 22.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly restricts access to publicly accessible backup files to prevent unauthorized extraction of sensitive database information.
Enforces access authorizations and protections for information on publicly accessible systems, directly mitigating exposure of database backups via unauthenticated access.
Requires identification, reporting, and correction of flaws like publicly accessible backups through timely patching of the vulnerable plugin.
NVD Description
The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible…
more
for unauthenticated attackers to extract sensitive data including all information stored in the database.
Deeper analysisAI
CVE-2024-12330 is a sensitive information exposure vulnerability (CWE-530) affecting the WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress, in all versions up to and including 7.3. The issue stems from publicly accessible backup files, which expose all information stored in the database. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity by directly accessing the publicly exposed backup files. Successful exploitation allows extraction of sensitive data, including the entire database contents, potentially encompassing user credentials, personal information, and other confidential site data.
Advisories from Wordfence and WordPress plugin trac repositories detail mitigation through updating the plugin, with fix commits available in changesets 3209380 and 3209387. Security practitioners should verify installations of the plugin, ensure backups are not publicly accessible, and apply updates immediately to versions beyond 7.3.
Details
- CWE(s)