CVE-2024-12252

Critical

Published: 07 January 2025

Published

07 January 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.6807 98.6th percentile

Risk Priority 60 60% EPSS · 20% KEV · 20% CVSS

Description

The SEO LAT Auto Post plugin for WordPress is vulnerable to file overwrite due to a missing capability check on the remote_update AJAX action in all versions up to, and including, 2.2.1. This makes it possible for unauthenticated attackers to overwrite the seo-beginner-auto-post.php file which can be leveraged to achieve remote code execution.

Security Summary

CVE-2024-12252 is a file overwrite vulnerability in the SEO LAT Auto Post plugin for WordPress, affecting all versions up to and including 2.2.1. The issue arises from a missing capability check on the remote_update AJAX action, which allows attackers to overwrite the seo-beginner-auto-post.php file. Published on January 7, 2025, it has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (code injection).

Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. By leveraging the flawed AJAX endpoint, they can overwrite critical plugin files, enabling remote code execution on the targeted WordPress site.

Advisories and mitigation guidance are detailed in the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/67df10cc-ce3c-4157-9860-7e367062f710?source=cve and the plugin's WordPress.org page at https://wordpress.org/plugins/seo-beginner-auto-post/. Security practitioners should consult these sources for patch availability and recommended actions.

Details

CWE(s): CWE-94

References

https://wordpress.org/plugins/seo-beginner-auto-post/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/67df10cc-ce3c-4157-9860-7e367062f710?source=cve
security@wordfence.com