Platform: wordpress
Component: cs-framework
Fixed in: 7.1.1
CVE-2024-12036 describes an arbitrary file read vulnerability in the CS Framework plugin for WordPress. The flaw allows authenticated attackers with subscriber-level access or higher to read arbitrary files on the server. It affects all versions of the plugin up to and including 7.1; version 7.1.1 contains the fix. Mitigation is to upgrade to a patched version or, until that is possible, to apply temporary workarounds.
An attacker exploiting CVE-2024-12036 uses the plugin's getwidgetsettings_json() function to read any file the web server process can open. That includes wp-config.php, which holds the database credentials and authentication salts, as well as other configuration files and plugin or theme source code. Disclosure of those files can lead to complete compromise of the WordPress instance and, through the database or reused credentials, of the underlying server, and it enables follow-on attacks such as privilege escalation and data exfiltration. Authentication is required, but the threshold is only subscriber-level access, which many sites hand out through open registration, so the effective attack surface is large.
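To make the bug class concrete, here is an added illustration of the vulnerable pattern next to a hardened one. It is not the CS Framework plugin's code and does not reproduce the real getwidgetsettings_json(); the request parameter name `file`, the settings directory and the capability gate are assumptions for the demo.

```php
<?php
// Added example: illustrates the arbitrary-file-read bug class and its fix.
// NOT the CS Framework plugin's code; getwidgetsettings_json() is not
// reproduced here. The 'file' parameter, the settings directory and the
// capability check are assumptions for this demonstration.

// Vulnerable pattern: a path taken straight from the request is opened.
// Anything the PHP worker can read comes back: ../wp-config.php,
// /etc/passwd, or a php:// stream wrapper.
function vulnerable_read_settings(array $request): ?string
{
    $path = (string) ($request['file'] ?? '');
    $data = @file_get_contents($path);
    return $data === false ? null : $data;
}

// Hardened pattern: capability check, strict filename allowlist, and a
// realpath() containment check so the resolved file must live in $settingsDir.
function hardened_read_settings(array $request, string $settingsDir, bool $canManage): ?string
{
    // In a real WordPress handler this would be current_user_can('manage_options')
    // plus check_ajax_referer(); a subscriber must never reach the read.
    if (!$canManage) {
        return null;
    }
    $name = (string) ($request['file'] ?? '');
    // Only a bare filename of the expected shape: no separators, no traversal.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.json\z/', $name)) {
        return null;
    }
    $base = realpath($settingsDir);
    $full = realpath($settingsDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return null;
    }
    // Containment: the resolved path must start with the base directory plus a
    // separator. Comparing resolved paths also defeats symlinks pointing outside.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    $data = file_get_contents($full);
    return $data === false ? null : $data;
}

// Stand-alone demo with a constructed settings directory and a constructed
// "secret" one level up, standing in for wp-config.php.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'cs-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$secret = dirname($dir) . DIRECTORY_SEPARATOR . 'cs-demo-secret.txt';
file_put_contents($dir . DIRECTORY_SEPARATOR . 'widget.json', '{"color":"blue"}');
file_put_contents($secret, 'DB_PASSWORD=hunter2');

$attack = ['file' => $dir . '/../cs-demo-secret.txt'];
var_dump(vulnerable_read_settings($attack));                               // string: the secret leaks
var_dump(hardened_read_settings($attack, $dir, true));                     // NULL: name fails the allowlist
var_dump(hardened_read_settings(['file' => 'widget.json'], $dir, false));  // NULL: subscriber blocked
var_dump(hardened_read_settings(['file' => 'widget.json'], $dir, true));   // string: legitimate read

unlink($dir . DIRECTORY_SEPARATOR . 'widget.json');
unlink($secret);
rmdir($dir);
```

The two checks are independent on purpose: the capability gate stops the subscriber-level attacker the advisory describes, and the allowlist plus containment check stops traversal even from a higher-privileged account or a future caller that forgets the gate.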
As of the publication date (2025-03-07), there is no indication that this vulnerability is being exploited in the wild, no public proof-of-concept (PoC) code has been released, and the vulnerability has not been added to the CISA KEV catalog. The CVSS score of 7.5 (High) indicates a significant impact if it is exploited.
Exploit Status
EPSS: 0.18% (40th percentile)
CISA SSVC: (none listed)
CVSS Vector: (none listed)
The primary mitigation for CVE-2024-12036 is to upgrade the CS Framework plugin to a version that addresses the vulnerability (7.1.1 or later). If an immediate upgrade is not feasible because of compatibility issues or breaking changes, add a Web Application Firewall (WAF) rule that blocks requests reaching the vulnerable getwidgetsettings_json() code path whenever a parameter contains a path traversal sequence (../, including URL-encoded and double-encoded forms), an absolute path, or a PHP stream wrapper such as php://. Tight file permissions limit what a successful read can reach beyond the web root, but they do not protect wp-config.php itself, because the PHP worker must be able to read it. After upgrading, verify the fix on a staging copy with a subscriber-level test account: a request that previously returned file contents must now be rejected. If the site ran a vulnerable version while exposed, treat the database credentials and authentication salts in wp-config.php as potentially disclosed and rotate them.
Update the CS Framework plugin to 7.1.1 or later, which resolves the arbitrary file read. If you cannot update, disable the plugin until you can.
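For the WAF and log-review side of that advice, the following is an added example (not from the advisory or the plugin) that applies the same matching logic to web server access-log lines: it picks out admin-ajax.php requests whose parameters carry traversal sequences, absolute paths or stream wrappers, after undoing repeated percent-encoding. The AJAX action name `cs_widget_settings`, the parameter names and the log lines are all constructed assumptions; the real plugin's action name and parameters are not stated on this page.

```python
"""Added example, not from the advisory or the CS Framework plugin.

Triage of access-log lines for abuse of a file-read endpoint. The AJAX action
name 'cs_widget_settings' and the 'file' parameter are assumptions; the real
plugin's names are not given on the page. Log lines are constructed.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in combined log format. Lines 2, 4 and 5 are abusive:
# encoded traversal, double-encoded traversal, and a php:// stream wrapper.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=cs_widget_settings&file=widget.json HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Mar/2025:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=cs_widget_settings&file=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3211 "-" "curl/8.4.0"
198.51.100.2 - - [07/Mar/2025:10:02:10 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Mar/2025:10:02:44 +0000] "GET /wp-admin/admin-ajax.php?action=cs_widget_settings&file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1800 "-" "curl/8.4.0"
203.0.113.9 - - [07/Mar/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=cs_widget_settings&file=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 4300 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

ENDPOINT = "/wp-admin/admin-ajax.php"
SUSPECT_ACTIONS = {"cs_widget_settings"}  # assumption, see lead-in
TRAVERSAL = re.compile(r"\.\./")
WRAPPER = re.compile(r"^(php|file|phar|data|glob)://", re.IGNORECASE)
SENSITIVE = ("wp-config.php", "/etc/passwd", "/etc/shadow", ".env")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e%252f becomes '../'."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value


def classify(value: str) -> Optional[str]:
    """Return a reason string if a parameter value looks like a file-read abuse."""
    v = decode_fully(value).replace("\\", "/")
    if "\x00" in v:
        return "null byte"
    if TRAVERSAL.search(v):
        return "path traversal"
    if WRAPPER.match(v):
        return "stream wrapper"
    if v.startswith("/"):
        return "absolute path"
    if any(s in v.lower() for s in SENSITIVE):
        return "sensitive filename"
    return None


def inspect_target(target: str) -> Optional[Tuple[str, str]]:
    """WAF-style predicate over a request target: (reason, decoded value) or None."""
    parts = urlsplit(target)
    if parts.path != ENDPOINT:
        return None
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("action") not in SUSPECT_ACTIONS:
        return None
    for key, value in params.items():
        if key == "action":
            continue
        reason = classify(value)
        if reason:
            return reason, decode_fully(value)
    return None


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, reason, decoded value) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = inspect_target(m["target"])
        if verdict:
            hits.append((m["ip"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for ip, reason, value in triage(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value}")
```

Run it against a real access log by reading the file into `triage()`; a 200 status on a flagged line is the signal that file contents may actually have been returned, so those are the requests to pull the response size and client IP for during incident scoping. The same `classify()` predicate is what a WAF rule should express, and the double-decoding step matters because a single-decode rule misses the `%252e%252e` form.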
CVE-2024-12036 is a vulnerability in the CS Framework WordPress plugin allowing authenticated subscribers to read arbitrary files on the server, potentially exposing sensitive data.
You are affected if your WordPress site uses the CS Framework plugin version 7.1 or earlier. Check your plugin versions and upgrade immediately.
Upgrade the CS Framework plugin to the latest version. If upgrading is not immediately possible, implement a WAF rule to block access to the vulnerable function.
As of the publication date, there is no evidence of active exploitation, but the vulnerability's severity warrants immediate attention.
Refer to the CS Framework plugin's official website or WordPress plugin repository for updates and advisories related to CVE-2024-12036.