CVE-2024-12158 is a vulnerability classified under CWE-862 (Missing Authorization) found in the WordPress plugin 'Popup – MailChimp, GetResponse and ActiveCampaign Integrations' developed by arrowplugins. The vulnerability exists because the plugin fails to perform a capability check on the AJAX action 'upc_delete_db_data'. This action is intended to delete the plugin's database data but can be triggered by unauthenticated attackers due to the missing authorization control. The flaw affects all versions up to and including 3.2.6. Since the AJAX endpoint is accessible without authentication or user interaction, an attacker can remotely invoke this action to delete critical plugin data, potentially disrupting email marketing integrations and related workflows. The vulnerability does not impact confidentiality or availability directly but compromises data integrity by allowing unauthorized deletion. The CVSS 3.1 base score is 5.3, indicating medium severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and unchanged scope (S:U). No patches or known exploits are currently reported, but the risk remains significant for affected sites. The vulnerability was publicly disclosed on January 7, 2025, and assigned by Wordfence.

The primary impact of CVE-2024-12158 is unauthorized deletion of plugin database data, which can disrupt the functionality of the Popup – MailChimp, GetResponse and ActiveCampaign Integrations plugin. This can lead to loss of marketing subscriber data, campaign configurations, and integration settings, potentially causing operational disruptions for organizations relying on these email marketing tools. The integrity of marketing data is compromised, which may result in inaccurate campaign targeting or loss of customer engagement data. Although the vulnerability does not directly affect confidentiality or availability, the loss of data integrity can have downstream effects on business processes and customer relations. Organizations with high dependency on these integrations for customer outreach and lead generation may experience degraded marketing effectiveness and increased recovery costs. The ease of exploitation and lack of authentication requirements increase the risk of automated or opportunistic attacks, especially on publicly accessible WordPress sites. The absence of known exploits currently limits immediate widespread impact, but the vulnerability remains a significant threat if weaponized.

1. Immediate mitigation involves updating the plugin to a version that includes proper authorization checks once a patch is released by arrowplugins. Monitor official plugin repositories and vendor announcements for updates. 2. In the absence of an official patch, implement web application firewall (WAF) rules to block or restrict access to the AJAX action 'upc_delete_db_data' endpoint, limiting it to authenticated users or trusted IP addresses. 3. Restrict access to the WordPress admin-ajax.php endpoint using server-level controls or security plugins to prevent unauthenticated AJAX requests targeting sensitive actions. 4. Regularly back up the WordPress database and plugin data to enable rapid restoration in case of data deletion. 5. Conduct security audits and review plugin permissions to ensure no other AJAX actions lack proper authorization. 6. Educate site administrators about the risks of using outdated plugins and encourage timely updates. 7. Monitor logs for suspicious AJAX requests that invoke 'upc_delete_db_data' to detect potential exploitation attempts early. 8. Consider temporarily disabling the plugin if it is not critical to operations until a secure version is available.