CVE-2024-12583
Published: 04 January 2025
Summary
CVE-2024-12583 is a critical-severity Improper Neutralization of Special Elements Used in a Template Engine (CWE-1336) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.9 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
The Dynamics 365 Integration plugin for WordPress is vulnerable to remote code execution and arbitrary file read in all versions through 1.3.23. The issue stems from insufficient input validation and sanitization in the render function, which permits Twig server-side template injection (CWE-1336). The flaw carries a CVSS 3.1 score of 9.9.
Authenticated users with Contributor-level privileges or higher can supply malicious Twig templates that execute arbitrary code or read files on the underlying server. Exploitation requires network access but no user interaction and affects the WordPress site in the context of the web server account.
Public references include a WordPress plugin changeset that addresses the vulnerable code path along with a detailed advisory from Wordfence. The EPSS score has remained flat at 0.1192 with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50974
Vulnerability details
The Dynamics 365 Integration plugin for WordPress is vulnerable to Remote Code Execution and Arbitrary File Read in all versions up to, and including, 1.3.23 via Twig Server-Side Template Injection. This is due to missing input validation and sanitization on…
more
the render function. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSTI RCE on public-facing WP plugin directly enables T1190 exploitation; arbitrary file read maps to T1005.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly addresses the root cause of the SSTI vulnerability by requiring validation and sanitization of inputs to the Twig render function.
Mandates timely remediation of the specific code flaw in the plugin's render function, such as applying the available patch from changeset 3210927.
Enforces least privilege to restrict Contributor-level access, reducing the attack surface for authenticated users exploiting the render function.