CVE-2024-12023 identifies a SQL Injection vulnerability in the FULL – Cliente plugin for WordPress, specifically affecting versions 3.1.5 through 3.1.25. The root cause is improper neutralization of special elements in the 'formId' parameter, which is insufficiently escaped and not properly prepared in the SQL query. This flaw allows authenticated attackers with Subscriber-level privileges or higher to append arbitrary SQL commands to existing queries. The attack vector is remote and network-based, requiring no user interaction but does require authentication. Crucially, exploitation is only possible when the PRO version of FULL – Cliente is activated alongside Elementor Pro and Elementor CRM plugins, which are popular tools for building and managing WordPress sites. The vulnerability can be leveraged to extract sensitive information from the backend database, compromising confidentiality. The CVSS v3.1 base score is 6.5, indicating medium severity with high confidentiality impact but no integrity or availability impact. No public exploits are known at this time, but the vulnerability is publicly disclosed and enriched by CISA. The issue stems from CWE-89, a common and critical class of injection flaws that have historically led to severe data breaches.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user credentials, personal information, or business-critical data. Since the attack requires only Subscriber-level access, which is a low privilege role, an attacker could exploit compromised or weak user accounts to escalate their impact. The vulnerability does not affect data integrity or availability directly but can lead to significant confidentiality breaches. Organizations running WordPress sites with the FULL – Cliente PRO plugin combined with Elementor Pro and Elementor CRM are at risk of data leakage, potentially leading to reputational damage, regulatory penalties, and loss of customer trust. The medium CVSS score reflects the balance between ease of exploitation and the scope of impact. Although no known active exploits exist, the public disclosure increases the risk of future exploitation attempts. This threat is particularly relevant for businesses relying on these plugins for customer management and form handling, as sensitive customer data could be exposed.

To mitigate this vulnerability, organizations should immediately update the FULL – Cliente plugin to a patched version once available from the vendor. Until a patch is released, consider disabling the PRO version of the plugin or deactivating Elementor Pro and Elementor CRM to prevent exploitation. Implement strict access controls and monitor for unusual database query patterns that may indicate SQL injection attempts. Employ Web Application Firewalls (WAFs) with rules specifically targeting SQL injection vectors, especially those related to the 'formId' parameter. Conduct thorough audits of user accounts to ensure no unauthorized Subscriber-level accounts exist. Additionally, review and harden database permissions to limit the scope of data accessible via SQL queries. Regularly back up databases and maintain incident response plans to quickly address any potential breaches. Finally, educate site administrators about the risks of installing multiple interdependent plugins without verifying security implications.