Cyber Posture

CVE-2024-12849

High

Published: 07 January 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: update to a version later than 1.0.1.3
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.9304 (99.8th percentile)
Risk Priority: 71 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12849 is a high-severity Path Traversal (CWE-22) vulnerability in the Error Log Viewer By WP Guru plugin for WordPress (product inferred from the references and the NVD description). Its CVSS v3.1 base score is 7.5 (High).

Operationally, its EPSS score of 0.9304 places it in the top 0.2% of CVEs by exploit likelihood (99.8th percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: validates the file path supplied to the AJAX action so that path traversal input cannot select arbitrary files for reading.

AC-3 (Access Enforcement), prevent: enforces access restrictions on server files so that the flawed log download function cannot serve unauthenticated arbitrary reads.

Flaw remediation, prevent: requires timely patching of the plugin to a version later than 1.0.1.3, which removes the arbitrary file read.
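How the two preventive controls translate into code, as an added example in Python that is not the plugin's code and not taken from the page: the flawed pattern the advisory describes (the request value is joined onto the log directory and read back) sits beside a hardened handler that applies SI-10 (accept a bare file name with an allowlisted extension) and AC-3 (an authorization gate, plus a realpath containment check so a symlink inside the log directory cannot escape it). The fixture files, the shape of the request value and the `authorized` flag, which stands in for WordPress's `current_user_can()` check, are assumptions made for the demonstration; in PHP the same containment check is `realpath()` on both sides followed by a prefix comparison.

```python
import os
import tempfile
from pathlib import Path


class AccessDenied(Exception):
    """Raised by the hardened handler; the reason text is what a real handler would log."""


def vulnerable_download(log_dir, requested):
    """Illustrative flawed pattern (not the plugin's code): the request value is joined
    onto the log directory and read back. '../' climbs out of log_dir, and an absolute
    path makes os.path.join discard log_dir entirely."""
    return Path(os.path.join(log_dir, requested)).read_bytes()


def safe_download(log_dir, requested, authorized):
    """Hardened handler: AC-3 authorization gate, SI-10 input validation, and a
    containment check performed after symlink resolution."""
    # AC-3: a log download must never be served to an unauthenticated caller;
    # `authorized` stands in for WordPress's current_user_can('manage_options').
    if not authorized:
        raise AccessDenied("authorization required")
    # SI-10: accept a bare file name only. No separators, no '.'/'..', no NUL byte.
    if (not requested or requested in (".", "..") or "\x00" in requested
            or "/" in requested or "\\" in requested):
        raise AccessDenied("invalid file name")
    if not requested.endswith(".log"):
        raise AccessDenied("not a log file")
    # Resolve symlinks on both sides, then require the target to sit inside log_dir.
    # realpath follows links, so a symlink dropped into log_dir that points at
    # wp-config.php resolves outside base and is rejected here.
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise AccessDenied("path escapes log directory")
    try:
        return Path(target).read_bytes()
    except OSError:
        raise AccessDenied("no such log file") from None


def download_outcome(log_dir, requested, authorized):
    """Return file bytes on success, or the denial reason as a string."""
    try:
        return safe_download(log_dir, requested, authorized)
    except AccessDenied as exc:
        return str(exc)


def build_fixture():
    """Constructed sandbox, not a real site: a log directory holding one real log and a
    symlink that escapes it, plus a stand-in wp-config.php one level up."""
    root = tempfile.mkdtemp()
    secret = Path(root, "wp-config.php")
    secret.write_text("define('DB_PASSWORD', 'example-secret');\n")
    log_dir = Path(root, "logs")
    log_dir.mkdir()
    Path(log_dir, "error.log").write_text("[08-Jan-2025 10:15:02 UTC] PHP Notice: example\n")
    os.symlink(secret, Path(log_dir, "link.log"))
    return str(log_dir), str(secret)


if __name__ == "__main__":
    log_dir, secret = build_fixture()
    print("flawed, traversal :", vulnerable_download(log_dir, "../wp-config.php")[:30])
    print("flawed, absolute  :", vulnerable_download(log_dir, secret)[:30])
    for req, auth in (("error.log", True), ("../wp-config.php", True), (secret, True),
                      ("link.log", True), ("error.log", False)):
        print(f"hardened {req!r:24} auth={auth}:", download_outcome(log_dir, req, auth))
```

The order of checks matters: the authorization gate comes first so an unauthenticated caller learns nothing about which names exist, and the containment check runs on the resolved path rather than the request string, which is what defeats the symlink case that a pure string filter misses.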

NVD Description

The Error Log Viewer By WP Guru plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 1.0.1.3 via the wp_ajax_nopriv_elvwp_log_download AJAX action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Deeper analysis

CVE-2024-12849 is an arbitrary file read vulnerability (CWE-22) in the Error Log Viewer By WP Guru plugin for WordPress, affecting all versions up to and including 1.0.1.3. The flaw is in the wp_ajax_nopriv_elvwp_log_download AJAX action: handlers registered on a wp_ajax_nopriv_ hook are dispatched by wp-admin/admin-ajax.php for requests with no logged-in session, and this one does not restrict which file the request may name, so a caller can retrieve the contents of arbitrary files on the server.

Unauthenticated attackers can exploit this over the network with low attack complexity and no user interaction, as reflected in the CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N): the confidentiality impact is high, with no integrity or availability impact. Any file the web server process can open is readable, which on a WordPress host includes wp-config.php with its database credentials and authentication salts, as well as other configuration data and server contents.

Advisories reference specific code locations in the vulnerable plugin version, lines 295 and 479 of error-log-viewer-wp.php, along with WordPress plugin trac changeset 3215563, which likely addresses the issue. The Wordfence threat intelligence page provides additional vulnerability details. Remediation is updating to a version later than 1.0.1.3.
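The unauthenticated, network-reachable profile described above is what a detection engineer hunts for in web server access logs. As an added example (not from the page, the plugin or Wordfence), the following Python picks out admin-ajax.php requests for the elvwp_log_download action whose parameters carry a traversal sequence, an absolute path or a NUL byte, decoding repeatedly so double-encoded `%252e%252e` is caught. The sample log lines are constructed, and the `file` parameter name in them is an assumption, which is why the detector inspects every parameter of the request rather than one named field.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# The `file` parameter name is assumed; the page does not name the parameter.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Jan/2025:10:15:02 +0000] "GET /wp-admin/admin-ajax.php?action=elvwp_log_download&file=../../../../wp-config.php HTTP/1.1" 200 3125 "-" "curl/8.4.0"
203.0.113.7 - - [08/Jan/2025:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=elvwp_log_download&file=..%252F..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1846 "-" "curl/8.4.0"
198.51.100.4 - - [08/Jan/2025:10:16:30 +0000] "GET /wp-admin/admin-ajax.php?action=elvwp_log_download&file=error.log HTTP/1.1" 200 5120 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [08/Jan/2025:10:17:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 42 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [08/Jan/2025:10:18:11 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 3125 "-" "python-requests/2.32"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Action name comes from the wp_ajax_nopriv_elvwp_log_download hook in the advisory;
# admin-ajax.php dispatches on the `action` request parameter.
VULN_ACTION = "elvwp_log_download"


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so %252e%252e (double-encoded '..') is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value):
    """True if a parameter value, once decoded, names something outside one directory."""
    v = decode_fully(value).replace("\\", "/")
    if "\x00" in v:
        return True                                  # NUL-byte truncation tricks
    if v.startswith("/") or re.match(r"^[A-Za-z]:/", v):
        return True                                  # absolute path
    return any(seg == ".." for seg in v.split("/"))  # a '..' path segment


def parse_line(line):
    """Split one combined-format line into fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    return rec


def find_exploit_attempts(log_text):
    """Return one finding per admin-ajax request for the vulnerable action whose
    parameters carry a traversal payload."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        if VULN_ACTION not in rec["params"].get("action", []):
            continue
        for name, values in rec["params"].items():
            if name == "action":
                continue
            for val in values:
                if is_traversal(val):
                    findings.append({"ip": rec["ip"], "ts": rec["ts"], "param": name,
                                     "value": decode_fully(val), "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r} -> {hit['status']}")
```

Two caveats for running this against production logs: POST bodies are not recorded in access logs, so the last sample line (a POST to admin-ajax.php with no query string) is invisible to this detector and needs a WAF or PHP-level hook to inspect; and because the action is reachable without a session, any request for it from an address with no prior authenticated activity on the site is itself worth an alert once the plugin is confirmed installed at or below 1.0.1.3.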

Details

CWE(s)
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Affected Products
Error Log Viewer By WP Guru plugin for WordPress, all versions up to and including 1.0.1.3
(inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-23536 (shared CWE-22)
CVE-2025-23422 (shared CWE-22)
CVE-2024-48885 (shared CWE-22)
CVE-2026-33656 (shared CWE-22)
CVE-2025-8343 (shared CWE-22)
CVE-2025-59384 (shared CWE-22)
CVE-2026-3051 (shared CWE-22)
CVE-2025-15031 (shared CWE-22)
CVE-2025-12062 (shared CWE-22)
CVE-2026-3464 (shared CWE-22)
