CVE-2024-12264 is a critical security vulnerability classified under CWE-287 (Improper Authentication) found in the PayU CommercePro Plugin for WordPress, versions up to and including 3.8.3. The vulnerability arises from insufficient authentication checks on two REST API endpoints: /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost. These endpoints improperly allow unauthenticated requests to set user IDs and authentication cookies, effectively bypassing normal authentication mechanisms. As a result, attackers can escalate privileges by creating new administrative user accounts without any valid credentials or user interaction. This flaw compromises the confidentiality, integrity, and availability of affected WordPress sites, as attackers gain full administrative control. The vulnerability is remotely exploitable over the network without any authentication or user interaction, reflected in its CVSS 3.1 score of 9.8 (critical). Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a high-risk threat. The plugin is widely used in e-commerce environments, increasing the potential impact on online merchants and their customers. The lack of available patches at the time of disclosure necessitates urgent mitigation steps to prevent exploitation.

The impact of CVE-2024-12264 is severe for organizations using the PayU CommercePro Plugin on WordPress. Successful exploitation grants attackers administrative privileges, enabling them to fully control the affected website. This includes the ability to modify site content, steal sensitive customer data, inject malicious code, deploy ransomware, or pivot to other internal systems. For e-commerce sites, this can lead to financial losses, reputational damage, and regulatory penalties due to data breaches. The vulnerability affects all versions of the plugin up to 3.8.3, potentially impacting a large number of WordPress installations globally. Given the critical nature of the flaw, attackers can exploit it remotely without authentication or user interaction, increasing the likelihood of widespread attacks. Organizations relying on this plugin for payment processing or shipping cost calculations face significant operational risks, including service disruption and loss of customer trust.

To mitigate CVE-2024-12264, organizations should immediately check if they are using the PayU CommercePro Plugin version 3.8.3 or earlier and plan to upgrade to a patched version as soon as it becomes available. Until a patch is released, administrators should restrict access to the vulnerable REST API endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to /wp-json/payu/v1/generate-user-token and /wp-json/payu/v1/get-shipping-cost. Additionally, disable or restrict the plugin if it is not essential for business operations. Monitoring WordPress logs for unusual user creation activities or unexpected administrative account additions can help detect exploitation attempts. Employing multi-factor authentication (MFA) for all administrative accounts can reduce the impact of unauthorized access. Regularly audit user accounts and permissions to identify and remove suspicious or unauthorized users. Finally, maintain up-to-date backups of website data to enable recovery in case of compromise.