CVE-2024-12036

CVE-2024-12036 is an arbitrary file read vulnerability in the CS Framework plugin for WordPress, affecting all versions up to and including 6.9. The issue stems from the get_widget_settings_json() function, which allows attackers to access the contents of arbitrary files on the server. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-73 (External Control of File Name or Path). The vulnerability was published on 2025-03-07.

Authenticated attackers with subscriber-level access or higher can exploit this vulnerability remotely over the network with low complexity. By leveraging the flawed function, they can read sensitive files on the server, potentially exposing configuration data, credentials, or other confidential information without impacting integrity or availability.

Advisories from Wordfence (https://www.wordfence.com/threat-intel/vulnerabilities/id/5ed1978e-1dd7-45d3-829a-1a75c1789827?source=cve) and the JobCareer theme page on ThemeForest (https://themeforest.net/item/jobcareer-job-board-responsive-wordpress-theme/14221636), which integrates the CS Framework, provide additional details on the issue. Security practitioners should review these for patch availability and mitigation guidance, such as updating the plugin or restricting subscriber access.