CVE-2024-12535
Published: 07 January 2025
Description
The Host PHP Info plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check when including the 'phpinfo' function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to read configuration settings and predefined variables on the site's server. The plugin does not need to be activated for the vulnerability to be exploited.
Security Summary
CVE-2024-12535 affects the Host PHP Info plugin for WordPress in all versions up to and including 1.0.4. The vulnerability stems from a missing capability check that allows unauthorized access to data via the inclusion of the 'phpinfo' function. Notably, the plugin does not need to be activated for exploitation, exposing configuration settings and predefined server variables to attackers. It is rated with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and is associated with CWE-862 (Missing Authorization).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity. By requesting the vulnerable endpoint, they can read sensitive server details such as PHP configuration settings and predefined variables. No privileges or user interaction are required; the confidentiality impact is high, while integrity and availability are not affected. The changed scope (S:C) indicates that the impact extends beyond the vulnerable plugin itself into the hosting environment.
Advisories from sources like Wordfence provide threat intelligence and reference the vulnerable code in the plugin's info.php file at line 2. Security practitioners should consult these resources, including https://www.wordfence.com/threat-intel/vulnerabilities/id/88d27385-9b92-419c-9e03-687d7192bbb5?source=cve and https://plugins.trac.wordpress.org/browser/host-php-info/trunk/info.php#L2, for detailed mitigation guidance, such as updating or removing the plugin.
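Because the plugin does not need to be activated to be exploitable, a list of active plugins can miss it; what matters is whether its files are on disk. The following added example (not code from the advisory or from the plugin) checks a wp-content/plugins directory for the host-php-info folder and compares its Version: header against 1.0.4. The sample file name host-php-info.php and the make_sample helper are assumptions used only to build a constructed test tree.

```python
import re
import sys
import tempfile
from pathlib import Path

PLUGIN_SLUG = "host-php-info"   # slug taken from the plugins.trac URL on this page
LAST_AFFECTED = (1, 0, 4)       # "all versions up to, and including, 1.0.4"

def parse_version(text):
    """'1.0.4' -> (1, 0, 4); text with no digits yields ()."""
    return tuple(int(n) for n in re.findall(r"\d+", text or ""))

def read_plugin_version(plugin_dir):
    """Return the 'Version:' header from the first PHP file that has one."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", head, re.M | re.I)
        if m:
            return m.group(1)
    return None

def audit(plugins_root):
    """Report the plugin if it is on disk, whether or not it is activated."""
    plugin_dir = Path(plugins_root) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return None
    version = read_plugin_version(plugin_dir)
    return {
        "path": str(plugin_dir),
        "version": version,
        "info_php_present": (plugin_dir / "info.php").is_file(),
        # An unreadable version is treated as affected (fail closed).
        "affected": parse_version(version)[:3] <= LAST_AFFECTED,
    }

def make_sample(root, version):
    """Constructed sample tree; 'host-php-info.php' is an assumed file name."""
    d = Path(root) / PLUGIN_SLUG
    d.mkdir(parents=True)
    (d / "host-php-info.php").write_text(f"<?php\n/*\n * Version: {version}\n */\n")
    (d / "info.php").write_text("<?php // constructed placeholder\n")
    return root

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]))           # path to wp-content/plugins
    else:
        with tempfile.TemporaryDirectory() as tmp:
            print(audit(make_sample(tmp, "1.0.4")))
```

Run it with the path to a site's wp-content/plugins directory as the only argument; a non-None result with "affected": True means the plugin folder should be updated or removed, as the advisories recommend.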
Details
- CWE(s)