
CVE-2024-12159: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in muzaara Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords

Severity: Medium
Published: Tue Jan 07 2025 (01/07/2025, 04:22:19 UTC)
Source: CVE Database V5
Vendor/Project: muzaara
Product: Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords

Description

CVE-2024-12159 is an information exposure vulnerability in the WordPress plugin 'Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords' by muzaara, affecting all versions up to 3.1. The vulnerability arises because the file print_php_information.php is publicly accessible without authentication, allowing attackers to retrieve sensitive configuration data. This exposure can aid attackers in crafting further attacks against the affected systems. The vulnerability has a CVSS 3.1 score of 5.3, indicating medium severity, with no known exploits in the wild currently. The attack requires no user interaction or privileges and can be executed remotely over the network. Organizations using this plugin on WordPress sites should prioritize restricting access to sensitive files and updating or patching the plugin when available.

AI-Powered Analysis

Last updated: 02/26/2026, 06:16:16 UTC

Technical Analysis

CVE-2024-12159 is a medium-severity vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) found in the WordPress plugin 'Optimize Your Campaigns – Google Shopping – Google Ads – Google Adwords' developed by muzaara. The vulnerability exists in all plugin versions up to and including 3.1 due to the presence of a publicly accessible script named print_php_information.php. This script exposes sensitive PHP configuration and potentially other environment details without requiring any authentication or user interaction. Such information leakage can include database credentials, API keys, or server configuration details that attackers can leverage to escalate attacks, such as privilege escalation, code injection, or targeted exploitation of other vulnerabilities. The vulnerability is remotely exploitable over the network with low attack complexity and no privileges required, making it accessible to unauthenticated attackers. Although no known exploits have been reported in the wild, the exposure of sensitive configuration data poses a significant risk to confidentiality. The CVSS 3.1 base score is 5.3, reflecting the medium impact on confidentiality with no impact on integrity or availability. The plugin is used primarily by WordPress sites running Google Ads and Shopping campaigns, which are common in e-commerce and digital marketing sectors. The lack of a patch link suggests that users must manually mitigate or await an official update. This vulnerability highlights the importance of restricting access to sensitive files and careful plugin security hygiene in WordPress environments.

Potential Impact

The primary impact of CVE-2024-12159 is the unauthorized disclosure of sensitive configuration information, which can compromise the confidentiality of the affected systems. Attackers gaining access to such data may obtain database credentials, API keys, or other environment variables that can be used to further compromise the WordPress site or the underlying server. This can lead to subsequent attacks such as privilege escalation, data theft, or injection of malicious code. For organizations relying on this plugin to manage Google Ads and Shopping campaigns, exploitation could result in unauthorized manipulation of marketing campaigns, financial loss, reputational damage, and potential regulatory compliance issues if customer data is exposed. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, especially for publicly accessible WordPress sites. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability becomes widely known. Overall, the impact is medium but could escalate if combined with other vulnerabilities or poor security practices.

Mitigation Recommendations

1. Immediately restrict access to the print_php_information.php file by implementing web server rules (e.g., .htaccess for Apache or location blocks for Nginx) to deny all external requests or limit access to trusted IP addresses only.
2. Remove or rename the print_php_information.php file if it is not essential for plugin functionality or debugging.
3. Monitor web server logs for any access attempts to this file and investigate suspicious activity.
4. Keep the plugin updated and monitor the vendor’s announcements for official patches addressing this vulnerability.
5. Employ a Web Application Firewall (WAF) to detect and block attempts to access sensitive files.
6. Conduct regular security audits of WordPress plugins and remove unused or unmaintained plugins.
7. Harden WordPress installations by following best practices, including least privilege principles for database and file permissions.
8. Educate site administrators about the risks of publicly exposing debug or configuration files.
9. If possible, isolate the plugin environment or run it in a sandboxed context to limit the impact of potential exploitation.
10. Consider implementing security plugins that can scan for exposed sensitive files and alert administrators.
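Steps 1 and 3 above can be checked together from the web server access log. The following is an added example, not part of the original advisory or the plugin's code: it lists requests for print_php_information.php and marks whether the server actually served the file (2xx) or refused it. The log lines are constructed, PLUGIN-DIR is a placeholder for the plugin's directory, and the Apache/Nginx combined log format is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

TARGET = "print_php_information.php"  # file name given in the advisory

# Assumed "combined" format: ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges, placeholder plugin directory).
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2026:06:01:12 +0000] "GET /wp-content/plugins/PLUGIN-DIR/print_php_information.php HTTP/1.1" 200 84213 "-" "curl/8.5.0"',
    '198.51.100.23 - - [26/Feb/2026:06:05:40 +0000] "GET /wp-content/plugins/PLUGIN-DIR/Print_PHP_Information.php?x=1 HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [26/Feb/2026:06:06:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Feb/2026:06:09:30 +0000] "GET /wp-content/plugins/PLUGIN-DIR/print%5Fphp_information.php HTTP/1.1" 403 199 "-" "curl/8.5.0"',
]

def find_target_hits(lines, target=TARGET):
    """Return one record per request whose URL path ends in the target file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        # Drop the query string, decode percent-encoding, compare case-insensitively.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if path.rsplit("/", 1)[-1] != target:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "status": status,
            "exposed": 200 <= status < 300,  # the file content was actually served
        })
    return hits

def summarize(hits):
    """Count served ("exposed") and refused ("blocked") requests per source IP."""
    by_ip = defaultdict(lambda: {"exposed": 0, "blocked": 0})
    for h in hits:
        by_ip[h["ip"]]["exposed" if h["exposed"] else "blocked"] += 1
    return dict(by_ip)

if __name__ == "__main__":
    for ip, counts in summarize(find_target_hits(SAMPLE_LOG)).items():
        print(ip, counts)
```

Any "exposed" count after the deny rule is in place means the rule is not matching that request; any "exposed" count from before it means the configuration data should be treated as disclosed.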


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-04T14:22:34.700Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 699f6e30b7ef31ef0b59769e

Added to database: 2/25/2026, 9:48:32 PM

Last enriched: 2/26/2026, 6:16:16 AM

Last updated: 2/26/2026, 8:08:29 AM
