CVE-2024-12535
Published: 07 January 2025
Summary
CVE-2024-12535 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 4.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
The Host PHP Info plugin for WordPress is affected by CVE-2024-12535, an authorization vulnerability (CWE-862) present in all versions through 1.0.4. A missing capability check on the inclusion of the phpinfo function permits exposure of server configuration settings and predefined variables. The flaw carries a CVSS 3.1 score of 8.6 and can be reached without the plugin being activated.
Unauthenticated attackers can exploit the issue remotely with low complexity to obtain data from the hosting server whose disclosure carries a high confidentiality impact. No user interaction or privileges are required, and the Scope: Changed rating indicates the exposure can affect resources beyond the immediate WordPress installation.
Public references at the WordPress plugin tracker and Wordfence threat intelligence page document the affected code path and provide the primary sources for mitigation guidance. The EPSS score remains flat at 0.1984 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50940
Vulnerability details
The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.
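The flaw described above is a missing capability check: a plugin file that calls phpinfo() on load is reachable by any HTTP request to its path under wp-content/plugins, regardless of login state or activation. The following is an added illustration of that weak pattern beside a hardened one; it is not the Host PHP Info plugin's code, and the function names, menu slug and text domain (example_phpinfo_*, example-phpinfo) are hypothetical. It assumes the WordPress plugin API (add_action, add_management_page, current_user_can, wp_die) and the 'manage_options' capability as the minimum privilege.

```php
<?php
/**
 * Illustrative pattern, constructed for this page; not the Host PHP Info plugin's code.
 *
 * Weak pattern: a plugin file that calls phpinfo() as soon as it is loaded.
 * Plugin files sit under a web-reachable path (wp-content/plugins/...), so a
 * file like this answers any direct request, whether or not the plugin is
 * activated and whether or not the requester is logged in.
 */

// --- Weak pattern (do not ship) ---------------------------------------------
// phpinfo();   // executes on any direct HTTP request to this file

// --- Hardened pattern ------------------------------------------------------

// 1. Refuse direct requests: ABSPATH is only defined when WordPress itself
//    loaded this file, so a direct request to the plugin path gets nothing.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 2. Register an admin-only page instead of executing on load.
//    'manage_options' (site administrators) is the assumed minimum capability.
add_action( 'admin_menu', 'example_phpinfo_register_page' ); // hypothetical name

function example_phpinfo_register_page() {
    add_management_page(
        'PHP Info',               // page title
        'PHP Info',               // menu title
        'manage_options',         // capability required to see and open the page
        'example-phpinfo',        // menu slug (hypothetical)
        'example_phpinfo_render'  // render callback
    );
}

function example_phpinfo_render() {
    // 3. Re-check the capability inside the callback: the menu gate alone does
    //    not protect the callback if it is ever reached by another route.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to view this page.', 'example-phpinfo' ), 403 );
    }

    // 4. Capture phpinfo() output rather than letting it emit a full HTML
    //    document (its own <html>/<body>) into the middle of the admin page.
    ob_start();
    phpinfo();
    $info = ob_get_clean();

    // Keep only the body content so just the configuration tables remain.
    if ( preg_match( '#<body[^>]*>(.*)</body>#is', $info, $m ) ) {
        $info = $m[1];
    }

    // phpinfo() output is server-generated markup, rendered only to authorized admins.
    echo '<div class="wrap"><h1>PHP Info</h1>' . $info . '</div>';
}
```

With the hardened form, a direct request to the plugin file exits before producing output, and the configuration dump is reachable only through the admin page, which both the menu registration and the callback gate on 'manage_options'. When reviewing other plugins for the same class of defect (CWE-862), look for files that produce output or perform actions at file scope without an ABSPATH guard and without a current_user_can() check.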
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization check in a public-facing WordPress plugin directly enables remote, unauthenticated exploitation of a web application (T1190) to disclose detailed system and PHP configuration (System Information Discovery, T1082).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allows unauthorized access to the phpinfo() function.
- AC-14 (Permitted Actions Without Identification or Authentication): Defines and authorizes the specific actions that may be performed without identification or authentication, preventing exposure of sensitive server configuration through unauthenticated access to the plugin endpoint.
- Protects information in publicly accessible web systems such as WordPress, mitigating unauthorized disclosure of server settings and variables through the vulnerable plugin.