Platform: wordpress
Component: error-log-viewer-wp
Fixed in: 1.0.2
CVE-2024-12849 describes an Arbitrary File Access vulnerability affecting the Error Log Viewer By WP Guru plugin for WordPress. This vulnerability allows unauthenticated attackers to read arbitrary files on the server, potentially leading to the exposure of sensitive information. Versions of the plugin up to and including 1.0.1.3 are affected. A fix is available via plugin update.
The Arbitrary File Read vulnerability allows an attacker to bypass access controls and retrieve files from the server's file system. This could include configuration files, database credentials, source code, or other sensitive data. Successful exploitation could lead to complete compromise of the WordPress instance and potentially the underlying server. The attacker does not need to be authenticated to exploit this vulnerability, significantly expanding the potential attack surface. The impact is amplified if the server stores sensitive data in easily accessible locations, or if the WordPress installation has weak file permissions.
This vulnerability was publicly disclosed on 2025-01-07. There are currently no known public exploits or active campaigns targeting this specific vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The ease of exploitation, combined with the plugin's popularity, suggests it could become a target for automated attacks.
Exploit Status
EPSS: 92.98% (100% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to immediately update the Error Log Viewer By WP Guru plugin to a version that addresses this vulnerability. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting access to the wp_ajax_nopriv_elvwp_log_download AJAX endpoint using a WordPress security plugin or custom code. Review file permissions on the server to ensure that sensitive files are not world-readable. Implement a Web Application Firewall (WAF) with rules to block suspicious requests targeting the vulnerable endpoint. After upgrading, verify the fix by attempting to access a non-existent file via the vulnerable AJAX endpoint; it should return an error, not file contents.
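As an added illustration of the interim "restrict access to the AJAX endpoint" mitigation (example code written here, not code from the plugin or from the advisory), a must-use plugin that refuses unauthenticated requests to the download action before the plugin's own handler can run, and additionally limits the authenticated path to administrators. The action name elvwp_log_download is taken from the advisory's mitigation text; the install path and the PHP 7+ requirement are assumptions.

```php
<?php
/**
 * Plugin Name: Block unauthenticated elvwp log download (temporary mitigation)
 * Description: Drop-in must-use plugin. Install as
 *              wp-content/mu-plugins/block-elvwp-download.php (assumed path)
 *              until Error Log Viewer By WP Guru is updated past 1.0.1.3.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress, never as a direct script.
}

// AJAX action name from the advisory (hook: wp_ajax_nopriv_elvwp_log_download).
// Adjust here if the installed plugin registers a different action.
const ELVWP_BLOCKED_ACTION = 'elvwp_log_download';

/**
 * Log the blocked request and end it with HTTP 403. Because this runs from a
 * hook registered at PHP_INT_MIN, it fires before the plugin's handler
 * (default priority 10) and the vulnerable code is never reached.
 */
function elvwp_mitigation_deny( string $reason ): void {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    // Goes to the PHP error log so blocked attempts are visible to monitoring.
    error_log( sprintf(
        'elvwp mitigation: blocked %s request to action "%s" from %s',
        $reason,
        ELVWP_BLOCKED_ACTION,
        $ip
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// Unauthenticated path: the one the advisory describes. Always deny.
add_action( 'wp_ajax_nopriv_' . ELVWP_BLOCKED_ACTION, function () {
    elvwp_mitigation_deny( 'unauthenticated' );
}, PHP_INT_MIN );

// Authenticated path: least privilege, only administrators may reach it.
add_action( 'wp_ajax_' . ELVWP_BLOCKED_ACTION, function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        elvwp_mitigation_deny( 'non-administrator' );
    }
}, PHP_INT_MIN );
```

Remove the must-use plugin once the update to 1.0.2 or later has been applied and verified.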
Update the Error Log Viewer By WP Guru plugin to a version later than 1.0.1.3. This will fix the arbitrary file read vulnerability.
CVE-2024-12849 is a vulnerability allowing unauthenticated attackers to read arbitrary files on a WordPress server running the Error Log Viewer By WP Guru plugin versions up to 1.0.1.3.
You are affected if you are using the Error Log Viewer By WP Guru plugin in WordPress and are running a version equal to or less than 1.0.1.3. Check your plugin version immediately.
Update the Error Log Viewer By WP Guru plugin to the latest available version. If immediate upgrade is not possible, restrict access to the vulnerable AJAX endpoint.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the plugin developer's website or WordPress plugin repository for the official advisory and update information.