
CVE-2024-12583

Severity: Critical
Published: 04 January 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: available (WordPress plugin changeset 3210927)
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0914 (92.7th percentile)
Risk Priority: 25 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12583 is a critical-severity server-side template injection (SSTI) vulnerability, classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine), in the Dynamics 365 Integration plugin for WordPress (plugin slug integration-dynamics; the product is inferred from the references, since NVD filed no CPE). It affects WordPress core only indirectly, through the plugin. Its CVSS v3.1 base score is 9.9 (Critical).

Operationally, its EPSS score places it in the top 7.3% of CVEs by estimated exploitation likelihood (92.7th percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation); restricting Contributor-level access under least privilege is a supporting control that reduces exposure but does not remove the flaw.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): directly addresses the root cause by requiring validation and sanitization of the content passed to the plugin's Twig render function. For SSTI the robust form of this control is structural rather than a denylist of template syntax: untrusted input is handed to Twig as template data (a variable), never compiled as template source.

SI-2 Flaw Remediation (prevent): mandates timely remediation of the flaw in the plugin's render function, i.e. applying the patch in WordPress plugin changeset 3210927 by updating the plugin to a release newer than 1.3.23.

AC-6 Least Privilege (prevent): restricts Contributor-level accounts to what they need, shrinking the set of authenticated users who can reach the render function. This reduces the attack surface but does not fix the vulnerability; a single compromised or malicious Contributor account is still sufficient to exploit it.

NVD Description

The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.

Deeper analysis

CVE-2024-12583 is a critical vulnerability in the Dynamics 365 Integration plugin for WordPress, affecting all versions up to and including 1.3.23. It enables Remote Code Execution (RCE) and Arbitrary File Read through Twig Server-Side Template Injection (SSTI), caused by missing input validation and sanitization in the plugin's render function: attacker-controlled content reaches Twig as template source rather than as template data. The flaw carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-1336. The scope change (S:C) reflects that code running inside the plugin's PHP process is not confined to the plugin; it executes with the privileges of the web server account.

Authenticated attackers with Contributor-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction. Because the injected text is compiled as a template, the attacker inherits everything the Twig environment can reach (its functions, filters and loaders), which is why the impact spans both arbitrary code execution and arbitrary file read. The result is a high-impact loss of confidentiality, integrity and availability, up to full compromise of the affected WordPress site and the host it runs on.

The references identify the vulnerable code in Twig.php at https://plugins.trac.wordpress.org/browser/integration-dynamics/trunk/src/Shortcode/Twig.php#L53, the patch in WordPress plugin changeset 3210927 at https://plugins.trac.wordpress.org/changeset/3210927/, and further details in the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3dac5a-9ff8-4e8c-8c73-422123e121d8?source=cve.
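The following is an added example, not code from the plugin or from any of the references above. It shows the CWE-1336 pattern the description refers to (untrusted text compiled as Twig template source) beside the two controls a practitioner would apply: passing the text to Twig as data only, and, where author-supplied template source is a genuine requirement, running it in Twig's sandbox under an explicit allow-list. It assumes Twig 3.x installed via Composer; the function names, the sample input (a constructed stand-in for a Contributor-authored post) and the `source("/etc/passwd")` probe are illustrative and are not the plugin's code or a reproduction of the reported exploit.

```php
<?php
// Added example (not the plugin's code). Requires: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Extension\SandboxExtension;
use Twig\Loader\ArrayLoader;
use Twig\Sandbox\SecurityError;
use Twig\Sandbox\SecurityPolicy;

/**
 * VULNERABLE pattern (hypothetical stand-in for a render path that compiles
 * post content): the untrusted string becomes Twig template SOURCE, so every
 * tag, filter, function and loader the environment knows is reachable by the
 * post author. The classic probe is "{{ 7*7 }}": if the output contains 49,
 * the input was parsed as a template rather than shown as text.
 */
function render_untrusted_as_source(string $input): string
{
    $twig = new Environment(new ArrayLoader());
    return $twig->createTemplate($input)->render();
}

/**
 * FIXED pattern (NIST 800-53 SI-10 applied structurally): the template is
 * fixed, developer-controlled source, and the untrusted string is passed as a
 * variable. Twig never parses it and HTML-escapes it on output, so template
 * syntax in the input is rendered literally.
 */
function render_untrusted_as_data(string $input): string
{
    $twig = new Environment(new ArrayLoader(['view' => '{{ body }}']));
    return $twig->render('view', ['body' => $input]);
}

/**
 * DEFENCE IN DEPTH: if a feature truly needs author-supplied template source,
 * compile it only in Twig's sandbox with an explicit allow-list. Anything not
 * listed (include/source, filters that take callables such as map/filter/
 * reduce, object methods and properties) is rejected with a SecurityError
 * before the template body executes.
 */
function render_untrusted_in_sandbox(string $input): string
{
    $policy = new SecurityPolicy(
        ['if', 'for'],        // allowed tags
        ['escape', 'upper'],  // allowed filters
        [],                   // allowed methods: none
        [],                   // allowed properties: none
        []                    // allowed functions: none (no include, no source)
    );
    $twig = new Environment(new ArrayLoader());
    // second argument = true: every template is sandboxed, not only {% sandbox %} blocks
    $twig->addExtension(new SandboxExtension($policy, true));
    return $twig->createTemplate($input)->render();
}

// Constructed sample input standing in for a Contributor's post body.
$untrusted = 'Hello {{ 7*7 }}';

echo "as source : ", render_untrusted_as_source($untrusted), PHP_EOL;
echo "as data   : ", render_untrusted_as_data($untrusted), PHP_EOL;

// Illustrative file-read probe: the sandbox policy allows no functions, so the
// call is refused before source() runs (it would also fail against ArrayLoader).
try {
    echo "sandboxed : ", render_untrusted_in_sandbox('{{ source("/etc/passwd") }}'), PHP_EOL;
} catch (SecurityError $e) {
    echo "sandboxed : blocked (", get_class($e), ")", PHP_EOL;
}
```

The first call evaluates the expression, the second shows it verbatim, and the third is refused by the sandbox. The data-only pattern is the fix to prefer: it removes the template compiler from the attacker's reach entirely, whereas a sandbox is only as safe as its allow-list, and any allowed filter or function that accepts a callable or a path reopens the code-execution and file-read paths this CVE describes.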

Details

CWE(s)

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

Affected Products

Dynamics 365 Integration plugin for WordPress (integration-dynamics), all versions up to and including 1.3.23. Inferred from the references and description; NVD did not file a CPE for this CVE.

CVEs Like This One (shared CWE-1336)

CVE-2025-67843
CVE-2025-49828
CVE-2025-60355
CVE-2026-39980
CVE-2026-28695
CVE-2026-34587
CVE-2026-21450
CVE-2025-1040
CVE-2024-54954
CVE-2025-53909

References

Vulnerable code (Twig.php): https://plugins.trac.wordpress.org/browser/integration-dynamics/trunk/src/Shortcode/Twig.php#L53
Patch (WordPress plugin changeset 3210927): https://plugins.trac.wordpress.org/changeset/3210927/
Wordfence threat intelligence report: https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3dac5a-9ff8-4e8c-8c73-422123e121d8?source=cve