CVE-2024-12035 is a path traversal vulnerability classified under CWE-22, found in the CS Framework plugin for WordPress developed by Chimpstudio. The vulnerability exists in the cs_widget_file_delete() function, which fails to properly validate file paths before deletion. This flaw allows authenticated attackers with as little as Subscriber-level privileges to specify arbitrary file paths outside the intended directory scope, enabling deletion of any file on the server accessible by the web server user. Since WordPress sites often rely on critical configuration files like wp-config.php, deleting such files can disrupt site functionality and enable attackers to gain remote code execution by forcing site administrators to restore or reconfigure the site under attacker control. The vulnerability affects all versions of the plugin up to and including 6.9. The CVSS v3.1 score of 8.8 indicates a high-severity issue with network attack vector, low attack complexity, and no user interaction required beyond authentication. Although no public exploits have been reported yet, the ease of exploitation and potential impact make this a critical risk for affected WordPress installations. The vulnerability was publicly disclosed in March 2025, with no official patch available at the time of reporting, increasing the urgency for mitigation.

The impact of CVE-2024-12035 is significant for organizations running WordPress sites with the vulnerable CS Framework plugin. Attackers with minimal privileges can delete arbitrary files, potentially leading to site downtime, data loss, and full server compromise through remote code execution. Confidentiality is at risk as attackers could delete or manipulate sensitive configuration files, exposing database credentials or other secrets. Integrity is compromised by unauthorized file deletions, and availability is affected by potential site outages or defacement. The vulnerability could be leveraged to disrupt business operations, damage reputation, and facilitate further attacks such as malware deployment or lateral movement within the network. Given WordPress’s widespread use globally, the threat surface is large, especially for organizations that do not regularly update plugins or enforce strict access controls.

To mitigate CVE-2024-12035, organizations should immediately restrict access to the WordPress admin area to trusted users only and review user roles to minimize Subscriber-level privileges where possible. Applying the latest plugin updates from Chimpstudio as soon as they become available is critical. In the absence of an official patch, administrators can implement web application firewall (WAF) rules to detect and block suspicious file deletion requests targeting the cs_widget_file_delete() function. Additionally, hardening the server by restricting file system permissions to prevent the web server user from deleting critical files can reduce impact. Regular backups of WordPress files and databases should be maintained to enable rapid recovery. Monitoring logs for unusual deletion activity and conducting periodic security audits of plugins can help detect exploitation attempts early. Finally, consider disabling or replacing the CS Framework plugin if it is not essential to reduce attack surface.