Cyber Resilience

CVE-2024-12544

High

Published: 01 March 2025

Published
01 March 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0171 82.8th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-12544 is a high-severity Missing Authorization (CWE-862) vulnerability in Wordpress (inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12544 affects the SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress in all versions up to and including 1.12.17. The vulnerability enables arbitrary file deletion due to a missing capability check in the callback function of the SurveyJS_DeleteFile class, corresponding to CWE-862 (Missing Authorization). It carries a CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Subscriber-level access or higher can exploit this issue to delete arbitrary files on the server. Targeting critical files such as wp-config.php can readily result in remote code execution.

Patches are available via WordPress plugin trac changesets 3214665 and 3222216/surveyjs/trunk/ajax_handlers/delete_file.php, with additional details in Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/e9404fe4-855e-4eb4-81c4-5246f6e9be0c?source=cve. However, the function remains vulnerable to Cross-Site Request Forgery as of version 1.12.20.

EU & UK References

Vulnerability details

The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to arbitrary file deletion due to a missing capability check on the callback function of the SurveyJS_DeleteFile…

more

class in all versions up to, and including, 1.12.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). This function is still vulnerable to Cross-Site Request Forgery as of 1.12.20.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization in public-facing WordPress plugin directly enables remote exploitation by authenticated attackers, leading to arbitrary file deletion and RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862
CVE-2025-41765Shared CWE-862

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access, directly addressing the missing capability check that allows low-privilege users to perform arbitrary file deletions.

prevent

Restricts privileges to the least necessary, preventing Subscriber-level users from executing destructive file deletion operations.

prevent

Requires timely flaw remediation through patching, directly mitigating the known vulnerability in the SurveyJS plugin up to version 1.12.17.

References