CVE-2024-12152
Published: 07 January 2025
Description
The MIPL WC Multisite Sync plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.1.5 via the 'mipl_wc_sync_download_log' action. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.
Security Summary
CVE-2024-12152 is a directory traversal vulnerability (CWE-22) in the MIPL WC Multisite Sync plugin for WordPress, affecting all versions up to and including 1.1.5. The issue resides in the 'mipl_wc_sync_download_log' action, which allows unauthenticated attackers to read the contents of arbitrary files on the server, potentially exposing sensitive information. Published on 2025-01-07, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability disruption.
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. By crafting malicious requests to the vulnerable action, they gain access to arbitrary file contents on the server, such as configuration files or other sensitive data hosted by the WordPress installation.
Patches are available via the WordPress plugin repository, as documented in changesets 3215735 and 3216574. Additional details on the vulnerability and remediation are provided in the Wordfence threat intelligence advisory.
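Detection logic for this class of request, as an added example that is not part of the advisory or of the plugin's own code: it scans constructed Apache-style access-log lines for calls to the 'mipl_wc_sync_download_log' action whose parameters carry a directory-traversal sequence, decoding percent-encoding repeatedly so double-encoded payloads are not missed. It assumes the action is reached through WordPress's standard admin-ajax.php endpoint and that the requested file name travels in a GET query parameter; the parameter name 'file' in the sample lines is a placeholder, since the advisory does not name it.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Vulnerable AJAX action named in the advisory.
VULN_ACTION = "mipl_wc_sync_download_log"

# Constructed sample log lines (Apache combined format); not taken from any real server.
# The 'file' parameter name is an assumption, not something the advisory states.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php?action=mipl_wc_sync_download_log&file=sync.log HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Jan/2025:10:15:07 +0000] "GET /wp-admin/admin-ajax.php?action=mipl_wc_sync_download_log&file=../../../wp-config.php HTTP/1.1" 200 2971 "-" "curl/8.4.0"
203.0.113.12 - - [07/Jan/2025:10:15:09 +0000] "GET /wp-admin/admin-ajax.php?action=mipl_wc_sync_download_log&file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1201 "-" "python-requests/2.31"
198.51.100.5 - - [07/Jan/2025:10:16:00 +0000] "GET /shop/?add-to-cart=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, ident, user, [time], "METHOD target PROTO", status, ...
REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' path segment delimited by slashes or backslashes, or at either end of the value.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %252e%252e%252f are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(value: str) -> bool:
    """True if the decoded value contains a '..' segment or names an absolute path.
    A log-download parameter should only ever hold a plain file name."""
    decoded = decode_fully(value)
    return bool(TRAVERSAL.search(decoded)) or decoded.startswith(("/", "\\"))


def parse_request(line: str):
    """Split one access-log line into client, time, path, status and query parameters.
    Returns None for lines that do not match the expected format."""
    m = REQUEST.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "time": m["time"],
        "path": parts.path,
        "status": int(m["status"]),
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def scan_log(text: str):
    """Return one finding per parameter value that targets the vulnerable action
    with a traversal sequence, in log order."""
    findings = []
    for line in text.splitlines():
        req = parse_request(line)
        if req is None or VULN_ACTION not in req["params"].get("action", []):
            continue
        for name, values in req["params"].items():
            if name == "action":
                continue
            for raw in values:
                if is_traversal(raw):
                    findings.append({
                        "ip": req["ip"],
                        "time": req["time"],
                        "status": req["status"],
                        "param": name,
                        "decoded": decode_fully(raw),
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} {f['param']}={f['decoded']!r}")
```

The scan only sees GET parameters, because an access log records the request line and not a POST body; for POST traffic the same checks have to run in a WAF or in application-level logging. A status of 200 on a flagged line is the signal to treat the request as a successful read of the named file until proven otherwise, and the decoded value tells you which file to assume was exposed.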
Details
- CWE(s)