
CVE-2024-12535

Severity: High
Published: 07 January 2025
Modified: 15 April 2026
CVSS v3.1 Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.1984 (95.6th percentile)
Risk Priority: 29 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12535 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 4.4% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

The Host PHP Info plugin for WordPress is affected by CVE-2024-12535, an authorization vulnerability (CWE-862) present in all versions through 1.0.4. A missing capability check on the file that includes the phpinfo function permits exposure of server configuration settings and predefined variables. The flaw carries a CVSS 3.1 score of 8.6 and can be reached without the plugin being activated.

Unauthenticated attackers can exploit the issue remotely with low complexity to obtain high-impact confidentiality data from the hosting server. No user interaction or privileges are required, and the changed-scope rating indicates that the exposure can affect resources beyond the immediate WordPress installation.

Public references at the WordPress plugin tracker and Wordfence threat intelligence page document the affected code path and provide the primary sources for mitigation guidance. The EPSS score remains flat at 0.1984 with no material increase after disclosure.


Vulnerability details

The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.
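The pattern behind this class of bug, and the corresponding fix, as an added illustration (not the Host PHP Info plugin's own code; the file name example-plugin/diagnostics.php, the function names and the text domain are hypothetical):

```php
<?php
// Added illustration, not code from the Host PHP Info plugin.
// Hypothetical file: wp-content/plugins/example-plugin/diagnostics.php
//
// Vulnerable pattern (the shape CWE-862 describes here): a plugin file that
// calls phpinfo() unconditionally. Files under wp-content/plugins/ are served
// directly by the web server, so requesting the file by URL runs it even when
// the plugin was never activated, and nothing checks who is asking:
//
//   <?php
//   phpinfo();
//
// Hardened pattern: refuse direct requests, then require an administrator
// capability before producing any output.

// 1. Direct-request guard. ABSPATH is defined only when the file is loaded by
//    the WordPress bootstrap; a request straight to the file has no such
//    constant, so execution stops before phpinfo() is reached.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Render phpinfo() only for users holding manage_options (administrators).
 * Called from an admin hook below, never reachable as a standalone URL.
 */
function example_plugin_render_phpinfo() {
    // 2. Capability check: the control whose absence defines CWE-862 here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'example-plugin' ), 403 );
    }

    phpinfo();
}

// 3. Register the renderer as an admin page instead of a standalone file; the
//    menu system enforces the same capability a second time.
add_action( 'admin_menu', function () {
    add_management_page(
        'PHP Info',                      // page title
        'PHP Info',                      // menu title
        'manage_options',                // capability required to see the page
        'example-plugin-phpinfo',        // menu slug
        'example_plugin_render_phpinfo'  // callback
    );
} );
```

A practical check for site operators is whether any plugin directory contains a PHP file that emits output when requested directly without WordPress loaded; the ABSPATH guard is the conventional way to make such a request return nothing.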

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1082 System Information Discovery (Discovery): An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

Why these techniques?

Missing authorization in a public-facing WordPress plugin directly enables remote unauthenticated exploitation of a web application (T1190) to disclose detailed system and PHP configuration (T1082).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12542 (shared CWE-862)
CVE-2026-45209 (shared CWE-862)
CVE-2026-25026 (shared CWE-862)
CVE-2026-42083 (shared CWE-862)
CVE-2026-0656 (shared CWE-862)
CVE-2026-24532 (shared CWE-862)
CVE-2025-13603 (shared CWE-862)
CVE-2023-46632 (shared CWE-862)
CVE-2025-69063 (shared CWE-862)
CVE-2026-3045 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly addressing the missing capability check that allows unauthorized access to the phpinfo() function.

AC-14 Permitted Actions Without Identification or Authentication (prevent): Defines and authorizes specific actions performable without identification or authentication, preventing exposure of sensitive server configuration via unauthenticated access to the plugin endpoint.

Additional control (prevent): Protects information in publicly accessible web systems like WordPress, mitigating unauthorized disclosure of server settings and variables through the vulnerable plugin.
