Cyber Resilience

CVE-2024-12330

Severity: High

Published: 09 January 2025
Modified: 15 April 2026
KEV: not listed
Patch: available (see Deeper analysis)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0136 (80.6th percentile)
Risk priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12330 is a high-severity Exposure of Backup File to an Unauthorized Control Sphere (CWE-530) vulnerability affecting WordPress (the affected product is inferred from the references). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001). The CVE ranks in the top 19.4% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2024-12330 is a sensitive information exposure vulnerability (CWE-530) affecting the WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress, in all versions up to and including 7.3. The issue stems from publicly accessible backup files, which expose all information stored in the database. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity by directly accessing the publicly exposed backup files. Successful exploitation allows extraction of sensitive data, including the entire database contents, potentially encompassing user credentials, personal information, and other confidential site data.

Advisories from Wordfence and the WordPress plugin Trac repository describe the mitigation as updating the plugin; the fix is contained in changesets 3209380 and 3209387. Security practitioners should identify installations of the plugin, ensure its backup files are not publicly accessible, and update immediately to a version later than 7.3.
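As an added defensive check (not code from the page, Wordfence or the plugin), the following Python audit walks a local WordPress web root and lists backup-like dumps and archives that are not shielded by an Apache deny rule; the directory names, the suffix list and the .htaccess check are assumptions, and nginx sites need the equivalent location rule instead.

```python
import os
import re
import tempfile
from pathlib import Path

# File-name suffixes typical of database dumps and site archives (constructed list, an assumption).
BACKUP_PATTERNS = re.compile(r"\.(sql|sql\.gz|sql\.zip|zip|tar\.gz|tgz)$", re.IGNORECASE)

# Apache directives that refuse direct HTTP access to a directory tree.
DENY_DIRECTIVES = ("require all denied", "deny from all")

def htaccess_denies(directory: Path) -> bool:
    """True if an .htaccess in this directory blocks all web access (Apache semantics only)."""
    htaccess = directory / ".htaccess"
    if not htaccess.is_file():
        return False
    text = htaccess.read_text(errors="ignore").lower()
    return any(directive in text for directive in DENY_DIRECTIVES)

def find_exposed_backups(webroot: str) -> list:
    """Return web-root-relative paths of backup-like files that Apache would serve."""
    root = Path(webroot)
    exposed = []
    for dirpath, dirs, files in os.walk(root):
        current = Path(dirpath)
        if htaccess_denies(current):
            dirs[:] = []  # a deny rule also covers subdirectories, so skip them
            continue
        for name in files:
            if BACKUP_PATTERNS.search(name):
                exposed.append((current / name).relative_to(root).as_posix())
    return sorted(exposed)

def demo() -> list:
    """Audit a constructed WordPress-like tree: one exposed dump, one protected archive."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        unprotected = root / "wp-content" / "uploads" / "db-backup"  # hypothetical path
        protected = root / "wp-content" / "backups-protected"        # hypothetical path
        unprotected.mkdir(parents=True)
        protected.mkdir(parents=True)
        (unprotected / "site-2025-01-09.sql.gz").write_bytes(b"constructed")
        (unprotected / "index.php").write_text("<?php // silence is golden\n")
        (protected / ".htaccess").write_text("Require all denied\n")
        (protected / "site-2025-01-09.zip").write_bytes(b"constructed")
        return find_exposed_backups(str(root))

if __name__ == "__main__":
    for path in demo():
        print("exposed backup file:", path)
```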

Vulnerability details

The WP Database Backup – Unlimited Database & Files Backup by Backup for WP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.3 via publicly accessible back-up files. This makes it possible for unauthenticated attackers to extract sensitive data including all information stored in the database.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
Why these techniques?

Direct exposure of database backup files containing credentials and sensitive data enables unsecured credential access from files.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56462 (shared CWE-530)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly restricts access to publicly accessible backup files to prevent unauthorized extraction of sensitive database information.

Prevent: Enforces access authorizations and protections for information on publicly accessible systems, directly mitigating exposure of database backups via unauthenticated access.

Prevent: Requires identification, reporting, and correction of flaws like publicly accessible backups through timely patching of the vulnerable plugin.
