CVE-2024-12535

CVSS 3.1 Score 8.6 of 10 (high)

Details

Published Jan 7, 2025
CWE ID 862

Summary

CVE-2024-12535: Unauthenticated attackers can access sensitive configuration settings and predefined variables on WordPress sites using the Host PHP Info plugin, even if the plugin is not activated. The vulnerability stems from a missing capability check when the 'phpinfo' function is included, allowing unauthorized users to gain insights into the server environment. This issue affects all versions of the plugin up to 1.0.4.
