Cyber Posture

CVE-2024-12542

High

Published: 09 January 2025

Modified: 15 April 2026
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.3039 (96.7th percentile)
Risk Priority: 35 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12542 is a high-severity Missing Authorization (CWE-862) vulnerability in the linkID plugin for WordPress (the affected product is inferred from references). Its CVSS base score is 8.6 (High).

Operationally, its EPSS score (0.3039, 96.7th percentile) places it in the top 3.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-7 (Least Functionality).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 (Access Enforcement), prevent: directly enforces the missing capability check, so that unauthenticated attackers cannot reach the phpinfo function and expose server configuration settings.
- prevent: mandates timely identification, reporting, and correction of the authorization flaw in linkID plugin versions up to 0.1.2, eliminating the vulnerability through patching or removal.
- CM-7 (Least Functionality), prevent: restricts the system to essential capabilities by prohibiting unnecessary plugins like linkID, preventing exploitation even when the plugin is not activated.

NVD Description

The linkID plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 0.1.2. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.

Deeper analysis

CVE-2024-12542 is a vulnerability in the linkID plugin for WordPress, affecting all versions up to and including 0.1.2. It stems from a missing capability check that allows unauthorized inclusion of the PHP 'phpinfo' function, enabling exposure of configuration settings and predefined server variables. The plugin does not need to be activated for the flaw to be exploitable, and it is classified under CWE-862 (Missing Authorization).

Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction or privileges required, which yields a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N). Successful exploitation has a high confidentiality impact, exposing sensitive server data such as configuration details, with a changed scope; integrity and availability are not affected.
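A defender-side check that follows from the mechanism described above, added here as an example and not taken from the plugin, the advisory, or NVD: a small static scan over a WordPress plugin tree that flags PHP files calling phpinfo() without both a guard against direct requests (the route that makes a file in an inactive plugin reachable by URL) and a WordPress capability check. The file paths and contents in SAMPLE_PLUGIN_FILES are constructed for the demonstration, and the helper names are assumptions of this example.

```python
import re
from pathlib import Path

# Constructed sample PHP sources (not the linkID plugin's real code) standing
# in for files under a plugin directory. The first mimics the pattern
# described for CVE-2024-12542: a file that calls phpinfo() with no
# capability check and nothing stopping it from being requested directly.
SAMPLE_PLUGIN_FILES = {
    "lib/util/index.php": "<?php\nphpinfo();\n",
    "admin/diagnostics.php": (
        "<?php\n"
        "if ( ! defined( 'ABSPATH' ) ) { exit; }\n"
        "if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'forbidden' ); }\n"
        "phpinfo();\n"
    ),
    "includes/helpers.php": "<?php\nfunction linkid_hello() { return 'hi'; }\n",
}

# Textual heuristics; they look at source text, not at PHP semantics, so a
# commented-out call or an unusual guard spelling can produce a wrong answer.
PHPINFO_CALL = re.compile(r"\bphpinfo\s*\(")
ABSPATH_GUARD = re.compile(r"defined\s*\(\s*['\"]ABSPATH['\"]\s*\)")
CAPABILITY_CHECK = re.compile(r"\bcurrent_user_can\s*\(")


def analyze_php_source(src: str) -> dict:
    """Report the three properties that matter for this class of bug."""
    return {
        "calls_phpinfo": bool(PHPINFO_CALL.search(src)),
        "has_abspath_guard": bool(ABSPATH_GUARD.search(src)),
        "has_capability_check": bool(CAPABILITY_CHECK.search(src)),
    }


def is_exposed(src: str) -> bool:
    """A phpinfo() call is a finding unless the file both refuses direct
    requests (ABSPATH is only defined when WordPress loaded the file) and
    gates the call behind a capability check for the current user."""
    a = analyze_php_source(src)
    return a["calls_phpinfo"] and not (
        a["has_abspath_guard"] and a["has_capability_check"]
    )


def scan_plugin(files: dict) -> list:
    """Return the sorted paths of files that expose phpinfo()."""
    return sorted(path for path, src in files.items() if is_exposed(src))


def scan_directory(root: str) -> list:
    """Same check over a real plugin directory on disk."""
    base = Path(root)
    files = {
        str(p.relative_to(base)): p.read_text(errors="replace")
        for p in base.rglob("*.php")
    }
    return scan_plugin(files)


if __name__ == "__main__":
    for path in scan_plugin(SAMPLE_PLUGIN_FILES):
        print(f"unguarded phpinfo() call: {path}")
```

Run against a checkout of a plugin with scan_directory("wp-content/plugins/<plugin>") to get the list of files worth reviewing; a hit means the file needs both an ABSPATH guard and a capability check, or the diagnostic call removed.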

Advisories and related resources, including Wordfence's threat intelligence page (https://www.wordfence.com/threat-intel/vulnerabilities/id/b2fe5315-37b7-4009-b2e5-909e6b5ed1da?source=cve) and the vulnerable source code in the plugin's trac repository (https://plugins.trac.wordpress.org/browser/linkid/trunk/lib/linkid/linkid-sdk-php/util/index.php#L1), provide details on the issue for mitigation guidance.

Details

CWE(s): CWE-862 (Missing Authorization)

Affected Products

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

- CVE-2024-12365 (shared CWE-862)
- CVE-2025-67974 (shared CWE-862)
- CVE-2025-65669 (shared CWE-862)
- CVE-2026-28254 (shared CWE-862)
- CVE-2025-48574 (shared CWE-862)
- CVE-2026-3266 (shared CWE-862)
- CVE-2025-69297 (shared CWE-862)
- CVE-2025-69186 (shared CWE-862)
- CVE-2026-25456 (shared CWE-862)
- CVE-2024-12810 (shared CWE-862)
