CVE-2024-12157 is an SQL Injection vulnerability classified under CWE-89 found in the WordPress plugin 'Popup – MailChimp, GetResponse and ActiveCampaign Integrations' developed by arrowplugins. This vulnerability affects all versions up to and including 3.2.6. The issue arises from improper neutralization of special elements in the 'id' parameter of the 'upc_delete_db_record' AJAX action. Specifically, the plugin fails to sufficiently escape user-supplied input and does not use prepared statements or parameterized queries, allowing attackers to append arbitrary SQL commands to the existing query. Since the vulnerable endpoint is accessible without authentication and does not require user interaction, attackers can remotely exploit this flaw to extract sensitive information from the backend database, such as user data, configuration settings, or other confidential records. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and a significant impact on confidentiality. Although no active exploits have been reported, the vulnerability poses a serious risk to websites using this plugin, especially those handling sensitive marketing or customer data. The lack of available patches at the time of disclosure necessitates immediate defensive measures by administrators.

The primary impact of CVE-2024-12157 is the unauthorized disclosure of sensitive information stored in the WordPress site's database. Attackers exploiting this vulnerability can extract user credentials, email lists, marketing data, and potentially other confidential information managed by the plugin. This can lead to privacy violations, reputational damage, and compliance issues for organizations, especially those subject to data protection regulations such as GDPR or CCPA. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive data can facilitate further attacks, including phishing, identity theft, or targeted social engineering. Organizations relying on the affected plugin for email marketing integrations are at heightened risk, as attackers could gain access to subscriber lists and campaign data. The ease of exploitation without authentication increases the threat surface, making automated scanning and exploitation plausible. Overall, this vulnerability undermines trust in the affected websites and can have cascading effects on business operations and customer relationships.

To mitigate CVE-2024-12157, organizations should first verify if their WordPress installations use the 'Popup – MailChimp, GetResponse and ActiveCampaign Integrations' plugin at or below version 3.2.6. Immediate steps include disabling or restricting access to the 'upc_delete_db_record' AJAX action, especially from unauthenticated users, by implementing firewall rules or web application firewall (WAF) policies. Administrators should apply strict input validation and sanitization on the 'id' parameter, ideally using prepared statements or parameterized queries to prevent SQL injection. Until an official patch is released, consider removing or replacing the plugin with a secure alternative. Monitoring database logs and web server access logs for unusual queries or repeated requests to the vulnerable endpoint can help detect exploitation attempts. Additionally, ensure that WordPress and all plugins are regularly updated, and maintain regular backups to recover from potential data compromise. Employing security plugins that detect and block SQL injection attempts can provide an additional layer of defense.