CVE-2024-12023: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in fullservices FULL – Cliente
The FULL – Cliente plugin for WordPress is vulnerable to SQL Injection via the 'formId' parameter in all versions 3.1.5 to 3.1.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is only exploitable when the PRO version of the plugin is activated, along with Elementor Pro and Elementor CRM.
AI Analysis
Technical Summary
CVE-2024-12023 is a medium-severity SQL injection (CWE-89) in the FULL – Cliente WordPress plugin, affecting versions 3.1.5 through 3.1.25. The 'formId' parameter is not adequately escaped and the query it feeds is not built as a prepared statement, so an authenticated user with Subscriber-level privileges or higher can append SQL to the existing query and read rows it was never meant to return. Exploitation requires the plugin's PRO version to be active together with Elementor Pro and Elementor CRM (popular page-builder and CRM extensions), so the vulnerable code path is not reachable on a bare free install. The CVSS v3.1 metrics recorded for the issue are network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N) and unchanged scope (S:U), meaning the impact stays within the vulnerable component; the impact is to confidentiality only, with no integrity or availability impact. Subscriber is the lowest default WordPress role, so any site with open registration, or any compromised low-privilege account, supplies the needed foothold. No in-the-wild exploitation has been reported and the record does not link a fixed version. The CVE was reserved by Wordfence on 2024-12-02, published in May 2025 and has been enriched by CISA, so the record is credible and well tracked.
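To make the CWE-89 mechanism concrete, here is an added illustration written for this page; it is not the plugin's code and not an exploit for it. Python's sqlite3 stands in for MySQL and $wpdb, the table names and rows are constructed, and the UNION payload is hypothetical. It shows the same lookup three ways: the untrusted value spliced into SQL text, the value bound as a parameter, and the value cast to an integer before the query is built.

```python
"""
Constructed illustration of the CWE-89 pattern the advisory describes: a
numeric form identifier spliced into SQL text versus the same lookup with a
bound parameter. Python's sqlite3 stands in for MySQL/$wpdb; the tables and
rows are made up and nothing here is the plugin's code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed schema loosely modelled on WordPress table naming (not real data).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE crm_forms (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO crm_forms VALUES (1, 'contact'), (2, 'quote');
        INSERT INTO wp_users VALUES (1, 'admin', 'fake-hash-not-a-real-credential');
    """)
    return conn


# Hypothetical payload: ends the intended WHERE clause with a non-matching id
# and appends a second SELECT whose two columns line up with the original ones.
UNION_PAYLOAD = "0 UNION SELECT ID, user_pass FROM wp_users"


def lookup_vulnerable(conn, form_id: str):
    # Untrusted value is interpolated into the SQL text: the database parses
    # whatever the user sent as part of the statement.
    sql = f"SELECT id, name FROM crm_forms WHERE id = {form_id}"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, form_id):
    # The value travels as a parameter, never as SQL text. This is the sqlite3
    # analogue of $wpdb->prepare("... WHERE id = %d", $form_id).
    return conn.execute(
        "SELECT id, name FROM crm_forms WHERE id = ?", (form_id,)
    ).fetchall()


def lookup_typed(conn, form_id: str):
    # Belt and braces for an identifier that must be numeric: cast first
    # (WordPress's absint() plays this role), so a payload is rejected before
    # any query is built. int() raises ValueError on non-numeric input.
    return lookup_bound(conn, int(form_id))


def rejects(conn, form_id: str) -> bool:
    """True if the typed lookup refuses the value before touching the database."""
    try:
        lookup_typed(conn, form_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", lookup_vulnerable(db, UNION_PAYLOAD))  # leaks the wp_users row
    print("bound:     ", lookup_bound(db, UNION_PAYLOAD))       # [] - no id equals that string
    print("typed:      rejected =", rejects(db, UNION_PAYLOAD))
```

The bound version is safe because the driver never parses the parameter as SQL; the typed version is preferable for an identifier that must be an integer, since it also stops the malformed request from reaching the database at all, which is the behaviour a WAF rule on 'formId' should mirror.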
Potential Impact
European organizations running WordPress with FULL – Cliente PRO alongside Elementor Pro and Elementor CRM face a real risk of data leakage: a Subscriber-level account is enough to pull sensitive rows from the backend database, potentially including customer records, business data and the password hashes in the WordPress users table. A confirmed breach of personal data brings reputational damage, possible GDPR penalties and loss of customer trust. Because the flaw affects confidentiality only, direct service disruption or tampering with data is not the expected outcome, but for finance, healthcare and e-commerce sites the disclosure alone is serious. The authentication requirement narrows the attack surface without removing it: Subscriber is the default role for self-registered users, and such accounts are routinely created by attackers or taken over through credential stuffing. Small and medium enterprises and agencies that rely on this plugin combination for client management are the most exposed.
Mitigation Recommendations
- Inventory WordPress sites for FULL – Cliente 3.1.5 through 3.1.25 (for example with `wp plugin list`) and flag any install where the PRO version is active together with Elementor Pro and Elementor CRM, since only that combination exposes the vulnerable path.
- Treat Subscriber accounts as part of the attack surface: disable open registration where it is not needed, prune unused accounts, and require multi-factor authentication so that a phished or stuffed password is not enough to reach the endpoint.
- Until a fixed release is available, add a WAF or request-filtering rule that rejects any request whose 'formId' value is not a plain integer. Positive validation of this kind is more reliable than blocklisting SQL keywords, which are easy to evade with encoding and comment tricks.
- Review web-server access logs and, where enabled, database query logs for 'formId' values containing quotes, UNION or SELECT, comment sequences or time-based functions; a spike in response sizes or latency on the same endpoint is another indicator. Parameters sent in a POST body are not visible in standard access logs, so cover those with WAF or application-level logging.
- If the PRO plugin is not essential, deactivate it. Deactivating Elementor Pro or Elementor CRM also breaks the exploit chain but disables the site functionality that depends on them, so test that change on staging first.
- The CVE record links no patch. Check the vendor's changelog for a release later than 3.1.25 that addresses this issue and apply it promptly; ask the vendor directly if none is listed.
- Include plugin interactions in regular security assessments and penetration tests, and make sure developers build database queries with $wpdb->prepare() and cast numeric identifiers with absint() instead of concatenating user input into SQL.
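Two of the steps above lend themselves to a script. The following is an added helper written for this page, not taken from the advisory or the vendor: it picks out affected installs from `wp plugin list --format=json` output and triages access-log lines whose 'formId' is not a plain integer. The plugin slugs, the request path and the log lines are constructed placeholders (the advisory names neither the endpoint nor the plugin's directory name), so confirm the real slug on your install before trusting the match.

```python
"""
Added audit/triage helper for the mitigation steps above. Not vendor code.
Slugs, request paths and log lines are constructed placeholders.
"""
import json
import re
from urllib.parse import parse_qs, unquote, urlsplit

AFFECTED_MIN = (3, 1, 5)
AFFECTED_MAX = (3, 1, 25)
# Assumed directory slugs; the advisory does not state them. Verify locally.
WATCHED_SLUGS = {"full-cliente", "full-cliente-pro"}


def parse_version(v: str) -> tuple:
    """'3.1.20' -> (3, 1, 20); a missing component counts as 0, suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_affected_version(v: str) -> bool:
    return AFFECTED_MIN <= parse_version(v) <= AFFECTED_MAX


def affected_plugins(wp_cli_json: str) -> list:
    """(slug, version, status) for watched plugins inside the affected range."""
    hits = []
    for p in json.loads(wp_cli_json):
        if p.get("name") in WATCHED_SLUGS and is_affected_version(p.get("version", "0")):
            hits.append((p["name"], p["version"], p.get("status")))
    return hits


# Keywords only label a finding; the decision is made by the digits-only
# check below, which a keyword blocklist on its own cannot replace.
SQL_HINTS = re.compile(r"union|select|sleep\s*\(|benchmark\s*\(|--|/\*|'|\"", re.I)


def suspicious_form_id(request_target: str):
    """None when formId is absent or purely numeric, otherwise a reason string."""
    qs = parse_qs(urlsplit(request_target).query, keep_blank_values=True)
    for raw in qs.get("formId", []):
        value = unquote(raw)  # second decode catches %2527-style double encoding
        if re.fullmatch(r"\d+", value):
            continue
        hit = SQL_HINTS.search(value)
        return f"non-numeric formId ({hit.group(0)!r})" if hit else "non-numeric formId"
    return None


# Request field of a combined-format access log: "GET /path?query HTTP/1.1"
LOG_REQUEST = re.compile(r'"(?:GET|POST|PUT|PATCH)\s+(\S+)\s+HTTP/[\d.]+"')


def triage_log(lines) -> list:
    """(line_no, reason, request_target) for every line whose formId fails validation."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        reason = suspicious_form_id(m.group(1))
        if reason:
            findings.append((n, reason, m.group(1)))
    return findings


# Constructed sample data; versions, addresses and paths are placeholders.
SAMPLE_WP_CLI = json.dumps([
    {"name": "elementor-pro", "status": "active", "version": "0.0.0"},
    {"name": "full-cliente", "status": "active", "version": "3.1.20"},
    {"name": "akismet", "status": "inactive", "version": "5.3"},
])
SAMPLE_LOG = [
    '203.0.113.7 - - [21/May/2025:09:09:12 +0000] "GET /example/endpoint?formId=12 HTTP/1.1" 200 512',
    '203.0.113.7 - - [21/May/2025:09:09:13 +0000] "GET /example/endpoint?formId=12%20UNION%20SELECT%20user_pass%20FROM%20wp_users HTTP/1.1" 200 9981',
    '198.51.100.2 - - [21/May/2025:09:10:01 +0000] "POST /example/endpoint HTTP/1.1" 200 80',
]

if __name__ == "__main__":
    print("affected installs:", affected_plugins(SAMPLE_WP_CLI))
    for n, reason, target in triage_log(SAMPLE_LOG):
        print(f"line {n}: {reason}: {target}")
```

The digits-only rule is the same positive validation a WAF rule for this parameter should enforce; the keyword match exists only to tell an analyst what was attempted. Parameters carried in a POST body never appear in the access log, so the third sample line is silent even though it could be the same attack.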
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-02T14:36:08.992Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d9838c4522896dcbec09a
Added to database: 5/21/2025, 9:09:12 AM
Last enriched: 6/26/2025, 12:29:58 AM
Last updated: 7/30/2025, 9:33:30 PM
Related Threats
- CVE-2025-8878: CWE-94 Improper Control of Generation of Code ('Code Injection') in properfraction Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (Medium)
- CVE-2025-8143: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in pencidesign Soledad (Medium)
- CVE-2025-8142: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in pencidesign Soledad (High)
- CVE-2025-8105: CWE-94 Improper Control of Generation of Code ('Code Injection') in pencidesign Soledad (High)
- CVE-2025-8719: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in reubenthiessen Translate This gTranslate Shortcode (Medium)