CVE-2024-12066 is a vulnerability classified under CWE-73 (External Control of File Name or Path) found in the SMSA Shipping(official) WordPress plugin, which is widely used for shipping management. The flaw exists in the smsa_delete_label() function, where the plugin fails to properly validate file paths before deleting files. This lack of validation allows authenticated users with as low as Subscriber-level privileges to specify arbitrary file paths for deletion. Because WordPress installations rely on critical configuration files such as wp-config.php, deleting such files can disrupt site functionality and enable attackers to execute remote code by forcing the system into an unstable or compromised state. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication, making it particularly dangerous. The CVSS 3.1 base score of 8.8 indicates high severity, with network attack vector, low attack complexity, privileges required at a low level, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics make it a prime target for attackers aiming to escalate privileges and gain control over WordPress sites. The vulnerability affects all versions of the plugin up to 2.2, and no official patches have been linked yet, underscoring the urgency for mitigation.

The impact of CVE-2024-12066 is significant for organizations using the SMSA Shipping(official) plugin on WordPress sites. Successful exploitation allows attackers with minimal privileges to delete arbitrary files, including critical configuration files like wp-config.php, which can lead to site downtime, data loss, and potential remote code execution. This can result in full site compromise, data breaches, and disruption of e-commerce and shipping operations. For businesses relying on WordPress for customer-facing services, this could mean loss of revenue, reputational damage, and regulatory consequences if sensitive data is exposed or services are interrupted. The vulnerability's ease of exploitation and high impact on confidentiality, integrity, and availability make it a critical risk, especially for organizations with multiple users having Subscriber-level access or higher. Additionally, the lack of known exploits currently does not diminish the urgency, as attackers may develop exploits rapidly once details are public.

To mitigate CVE-2024-12066, organizations should immediately audit their WordPress installations for the presence of the SMSA Shipping(official) plugin and restrict Subscriber-level and higher privileges to trusted users only. Until an official patch is released, administrators can implement web application firewall (WAF) rules to detect and block suspicious requests targeting the smsa_delete_label() function or attempts to delete files via crafted parameters. Monitoring server logs for unusual file deletion requests or errors related to critical files like wp-config.php can provide early detection. Additionally, implementing file integrity monitoring to alert on unexpected deletions or modifications of critical files is recommended. Restricting file system permissions to prevent the web server user from deleting or modifying sensitive files can reduce the impact of exploitation. Finally, organizations should subscribe to vendor and security advisories for prompt application of patches once available and consider isolating WordPress environments to limit lateral movement in case of compromise.