CVE-2024-12269
Published: 30 January 2025
Description
Adversaries may leverage databases to mine valuable information.
Security Summary
CVE-2024-12269 affects the Safe Ai Malware Protection for WP plugin for WordPress, specifically due to a missing capability check on the export_db() function in all versions up to and including 1.0.17. This vulnerability, classified under CWE-862 (Missing Authorization), enables unauthorized access to sensitive data. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no effects on integrity or availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By accessing the export_db() function, they can retrieve a complete dump of the site's database, potentially exposing user credentials, personal data, and other confidential information stored in the WordPress database.
Advisories from sources like Wordfence detail the issue and reference the vulnerable code in class-mvsp-export-db.php at line 7, along with a patch applied in changeset 3232957 for the plugin. Mitigation involves updating to a version beyond 1.0.17 where the capability check has been implemented to prevent unauthorized database exports.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated exploitation of a public-facing WordPress plugin (T1190) to perform a complete database dump, facilitating collection of data from databases (T1213.006).