CVE-2024-12266 is a vulnerability identified in the ELEX WooCommerce Dynamic Pricing and Discounts plugin for WordPress, affecting all versions up to and including 2.1.7. The root cause is a missing authorization check (CWE-862) on two critical functions: elex_dp_export_rules() and elex_dp_import_rules(). These functions handle the import and export of product pricing rules, which are essential for managing dynamic discounts and pricing strategies in WooCommerce stores. Due to the lack of capability checks, unauthenticated attackers can remotely invoke these functions without any privilege verification, allowing them to export existing pricing rules and import arbitrary rules. Additionally, attackers can obtain phpinfo() data, which reveals detailed PHP environment and server configuration information that can aid further attacks. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the ease of exploitation and the impact on confidentiality and integrity, but no direct impact on availability. No patches or official fixes have been linked yet, and no known exploits have been reported in the wild as of the publication date. This vulnerability primarily threatens the confidentiality and integrity of e-commerce pricing data and server information, potentially enabling attackers to manipulate pricing rules or gather intelligence for subsequent attacks.

The vulnerability allows unauthorized access to sensitive pricing rules and server configuration data, which can undermine the confidentiality and integrity of e-commerce operations. Attackers could export existing discount rules to analyze pricing strategies or import malicious rules to manipulate product prices, potentially causing financial loss or reputational damage. Access to phpinfo() data exposes detailed server environment information, which can facilitate further targeted attacks such as privilege escalation or exploitation of other vulnerabilities. Although there is no direct availability impact, the manipulation of pricing rules can disrupt business operations and customer trust. Organizations relying on this plugin for dynamic pricing are at risk of data leakage and unauthorized configuration changes. The lack of authentication requirement and remote exploitability increase the threat surface, especially for publicly accessible WordPress sites. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability could be targeted by opportunistic attackers or automated scanning tools.

1. Immediately update the ELEX WooCommerce Dynamic Pricing and Discounts plugin to a patched version once available from the vendor. Monitor vendor communications for official patches. 2. Until a patch is released, restrict access to the affected plugin endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to the import/export functions. 3. Use IP whitelisting or authentication mechanisms at the web server or application level to limit access to administrative plugin functions. 4. Disable or remove the plugin if dynamic pricing features are not critical to reduce attack surface. 5. Regularly audit WooCommerce pricing rules and logs for unauthorized changes or suspicious activity. 6. Harden the WordPress installation by enforcing least privilege principles for users and plugins. 7. Monitor network traffic for unusual requests targeting the plugin’s import/export endpoints. 8. Consider deploying runtime application self-protection (RASP) or endpoint detection to detect exploitation attempts. 9. Educate site administrators about the risk and encourage prompt application of security updates. These steps go beyond generic advice by focusing on access control, monitoring, and temporary compensating controls until vendor patches are available.