Platform
wordpress
Component
error-log-viewer-wp
Fixed in
1.0.2
CVE-2024-12849 describes an Arbitrary File Access vulnerability affecting the Error Log Viewer By WP Guru plugin for WordPress. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially leading to the exposure of sensitive information. Versions of the plugin up to and including 1.0.1.3 are affected. A fix is available via plugin update.
An attacker exploiting CVE-2024-12849 can leverage the wp_ajax_nopriv_elvwp_log_download AJAX action to read any file accessible to the web server process. This includes configuration files, database credentials, source code, and other sensitive data. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. The ability to read arbitrary files bypasses typical access controls, making this a high-severity risk. The impact is amplified if the server hosts other applications or databases, as the attacker could potentially gain access to those systems as well.
CVE-2024-12849 was publicly disclosed on 2025-01-07. No public proof-of-concept (POC) code has been published at the time of writing, but the vulnerability's simplicity suggests that a POC is likely to emerge. The vulnerability is not currently listed on the CISA KEV catalog. The ease of exploitation makes this a potential target for automated scanning and exploitation campaigns.
WordPress websites using the Error Log Viewer By WP Guru plugin, particularly those running versions up to and including 1.0.1.3, are at risk. Shared hosting environments where multiple WordPress installations share the same server are especially vulnerable, as a compromise of one site could potentially lead to the exposure of data from other sites.
• wordpress / composer / npm:
  grep -r 'wp_ajax_nopriv_elvwp_log_download' /var/www/html/wp-content/plugins/error-log-viewer-by-wp-guru/
• generic web:
  curl -I 'https://your-wordpress-site.com/wp-admin/admin-ajax.php?action=elvwp_log_download&file=/etc/passwd'
• wordpress / composer / npm:
  wp plugin list | grep 'Error Log Viewer By WP Guru'
Disclosure
Exploit status
EPSS
92.98% (100th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-12849 is to upgrade the Error Log Viewer By WP Guru plugin to a version that addresses the vulnerability. If immediate upgrading is not possible due to compatibility issues or testing requirements, consider restricting access to the wp_ajax_nopriv_elvwp_log_download endpoint using a WordPress security plugin or by modifying the .htaccess file to deny access to unauthenticated users. Monitor WordPress access logs for suspicious requests to this endpoint. After upgrading, verify the fix by attempting to access a non-existent file through the plugin's download functionality; it should return a 404 error.
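The log-monitoring step above can be automated. The following is an added example, not code from the advisory or from the plugin vendor: it parses web-server access log lines in the common "combined" format, picks out requests to wp-admin/admin-ajax.php whose action is elvwp_log_download, and flags any file parameter that is absolute or climbs directories. The sample log lines are constructed for the example; the action name is the one the advisory gives. Because access logs only record the query string, a request that carries the action in a POST body is not visible to this scanner, which is why it should complement, not replace, blocking the endpoint.

```python
"""Scan access logs for requests to the elvwp_log_download AJAX action (CVE-2024-12849)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

VULN_ACTION = "elvwp_log_download"  # AJAX action named in the advisory

# Constructed sample lines, not real traffic. Two show an absolute path and a
# traversal attempt, one shows a plain file name, the rest are unrelated noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=elvwp_log_download&file=%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '203.0.113.5 - - [07/Jan/2025:10:15:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=elvwp_log_download&file=..%2F..%2Fwp-config.php HTTP/1.1" 200 3092',
    '198.51.100.7 - - [07/Jan/2025:10:16:10 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 84',
    '198.51.100.7 - - [07/Jan/2025:10:17:42 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=elvwp_log_download&file=debug.log HTTP/1.1" 200 512',
    '192.0.2.9 - - [07/Jan/2025:10:18:00 +0000] "GET /index.php HTTP/1.1" 200 7000',
    'garbage line that does not match the format',
]


def parse_line(line):
    """Split one combined-format log line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Return details if the request target hits admin-ajax.php with the
    vulnerable action, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    query = parse_qs(parts.query)
    if VULN_ACTION not in query.get("action", []):
        return None
    # parse_qs already decodes once; a second unquote catches double-encoding.
    file_param = unquote(query.get("file", [""])[0])
    # Absolute paths, directory climbing or Windows drive letters are the
    # strongest sign that the request is not a legitimate log download.
    suspicious = (
        file_param.startswith("/")
        or ".." in file_param
        or re.match(r"^[A-Za-z]:", file_param) is not None
    )
    return {"file": file_param, "suspicious": suspicious}


def scan(lines):
    """Return one finding per request to the vulnerable action, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit = classify(rec["target"])
        if hit is None:
            continue
        findings.append(
            {"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"], **hit}
        )
    return findings


def sources(findings):
    """Count findings per client IP; repeated hits from one source suggest scanning."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "SUSPICIOUS" if f["suspicious"] else "review"
        print(f"{f['ts']} {f['ip']} status={f['status']} file={f['file']!r} [{flag}]")
    print("per-source counts:", sources(scan(SAMPLE_LOG)))
```

Run it against a real log with `scan(open("/var/log/apache2/access.log"))`; a 200 status on a flagged request is the case to treat as a likely successful read, while a 403 after the endpoint has been restricted confirms the block is in place.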
Update the Error Log Viewer By WP Guru plugin to a version later than 1.0.1.3. This resolves the arbitrary file read vulnerability.
CVE-2024-12849 is a vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server running the Error Log Viewer By WP Guru plugin versions up to 1.0.1.3.
You are affected if you are using the Error Log Viewer By WP Guru plugin in WordPress and are running a version equal to or less than 1.0.1.3. Check your plugin version immediately.
Update the Error Log Viewer By WP Guru plugin to the latest available version. If immediate upgrade is not possible, restrict access to the vulnerable AJAX endpoint.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.