CVE-2024-12035
Published: 07 March 2025
Description
Adversaries may delete files left behind by the actions of their intrusion activity.
Security Summary
CVE-2024-12035 is a vulnerability in the CS Framework plugin for WordPress that enables arbitrary file deletion due to insufficient file path validation in the cs_widget_file_delete() function. It affects all versions up to and including 6.9. The issue, published on 2025-03-07, carries a CVSS score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity and no user interaction required. By targeting the delete function, they can remove arbitrary files on the server, potentially leading to remote code execution—for instance, by deleting critical files like wp-config.php.
Advisories provide further details on the vulnerability, including those from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/31093664-c45e-4e87-b72f-5cdf8e8e9f67?source=cve and the plugin's listing on ThemeForest at https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is in a public-facing WordPress plugin and directly enables authenticated attackers to perform arbitrary file deletion on the server (e.g., critical files like wp-config.php), mapping to exploitation of public-facing applications and file deletion.