
CVE-2024-12272: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in wptravelengine WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor

Severity: High
Tags: vulnerability, cve-2024-12272, cwe-98
Published: Wed Dec 25 2024 (12/25/2024, 03:21:32 UTC)
Source: CVE Database V5
Vendor/Project: wptravelengine
Product: WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor

Description

CVE-2024-12272 is a high-severity Local File Inclusion (LFI) vulnerability in the WP Travel Engine – Elementor Widgets WordPress plugin, affecting all versions up to 1.3.7. Authenticated attackers with Contributor-level access or higher can exploit this flaw to include and execute arbitrary files on the server, potentially running malicious PHP code. This vulnerability arises from improper control of filenames used in include/require statements (CWE-98), allowing attackers to bypass access controls and escalate privileges. Exploitation does not require user interaction but does require authentication with low privileges, making it particularly dangerous in multi-user WordPress environments. The impact includes full compromise of confidentiality, integrity, and availability of affected systems. No known exploits are currently observed in the wild, but the vulnerability’s ease of exploitation and severity score of 8.8 highlight the urgent need for mitigation. Organizations using this plugin should prioritize patching or applying workarounds to prevent potential attacks.

AI-Powered Analysis

Last updated: 02/26/2026, 04:12:01 UTC

Technical Analysis

CVE-2024-12272 is a Local File Inclusion vulnerability classified under CWE-98, affecting the WP Travel Engine – Elementor Widgets plugin for WordPress, which is used to create travel booking websites. The vulnerability exists in all versions up to and including 1.3.7 and allows authenticated users with Contributor-level access or higher to manipulate include or require statements improperly. This improper control of filenames enables attackers to include arbitrary files from the server, including those uploaded as seemingly safe file types such as images, which can contain embedded PHP code. Once included, this code executes with the privileges of the web server, allowing attackers to bypass access controls, read sensitive data, or execute arbitrary commands. The vulnerability does not require user interaction but does require authentication, which lowers the bar for exploitation in environments where multiple users have contributor or higher roles. The CVSS v3.1 base score of 8.8 reflects the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no user interaction. Although no known exploits have been reported in the wild yet, the vulnerability poses a significant risk due to the widespread use of WordPress and the plugin’s focus on travel-related websites, which often handle sensitive customer data. The vulnerability was publicly disclosed on December 25, 2024, and no official patches have been linked yet, emphasizing the need for immediate mitigation strategies.
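The include pattern described above, as an added illustration that is not the plugin's own code: a hypothetical widget template loader written first in the CWE-98 shape (the request value reaches include unchanged) and then hardened so the request value is only ever a key into a fixed allow-list and the resolved path is confirmed to sit inside the template directory. The directory constant, template names and function names are assumptions.

```php
<?php
// Added example (not the plugin's code): a template loader that takes a
// user-controlled name, shown in the CWE-98 shape and then hardened.
// TRAVEL_TEMPLATE_DIR, ALLOWED_TEMPLATES and the function names are hypothetical.

declare(strict_types=1);

const TRAVEL_TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable shape (CWE-98): the request value is concatenated straight into the
// include path, so any readable file on the server, including an uploaded
// "image" that carries PHP code, can be pulled in and executed.
function load_widget_template_unsafe(string $requested): void
{
    include TRAVEL_TEMPLATE_DIR . '/' . $requested . '.php';
}

// Hardened form: the request value selects from a fixed map of known templates;
// it is never used as a path fragment.
const ALLOWED_TEMPLATES = [
    'trip-card'   => 'trip-card.php',
    'trip-grid'   => 'trip-grid.php',
    'trip-search' => 'trip-search.php',
];

// Returns the absolute path of an allowed template, or null if the name is
// unknown or the resolved file does not live inside the template directory.
function resolve_widget_template(string $requested): ?string
{
    if (!isset(ALLOWED_TEMPLATES[$requested])) {
        return null; // unknown name: refuse rather than guess
    }
    $base = realpath(TRAVEL_TEMPLATE_DIR);
    $path = realpath(TRAVEL_TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$requested]);
    if ($base === false || $path === false) {
        return null; // template directory or file is missing
    }
    // realpath() has already collapsed "..", symlinks and encoding tricks, so a
    // plain prefix comparison is enough to confine the include to $base.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

function load_widget_template(string $requested): void
{
    $path = resolve_widget_template($requested);
    if ($path === null) {
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}
```

The allow-list is the control that matters: once the attacker's string can only choose among names the developer wrote, there is no filename left to manipulate, and the realpath check is a second layer in case the allow-list itself is ever populated from data rather than code.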

Potential Impact

The impact of CVE-2024-12272 is severe for organizations using the WP Travel Engine – Elementor Widgets plugin. Successful exploitation can lead to full server compromise, including unauthorized access to sensitive customer data, website defacement, and the ability to execute arbitrary PHP code. This can result in data breaches, loss of customer trust, and potential regulatory penalties, especially for travel-related businesses handling personal and payment information. The vulnerability allows attackers to bypass WordPress role-based access controls by leveraging Contributor-level accounts, which are commonly granted in multi-user environments, increasing the risk of insider threats or compromised accounts being used maliciously. Additionally, the ability to execute arbitrary code can lead to persistent backdoors, lateral movement within hosting environments, and disruption of website availability. The broad impact on confidentiality, integrity, and availability makes this vulnerability a critical concern for affected organizations worldwide.

Mitigation Recommendations

1. Immediately restrict Contributor-level and higher user roles to trusted personnel only, minimizing the risk of exploitation from low-privilege accounts.
2. Monitor and audit file uploads rigorously, implementing strict validation to prevent uploading files that could contain executable PHP code disguised as images or other safe types.
3. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious include or require statement manipulations targeting the plugin.
4. Disable or remove the WP Travel Engine – Elementor Widgets plugin if it is not essential, to reduce the attack surface until an official patch is released.
5. Implement file integrity monitoring to detect unauthorized changes or additions to server files that could indicate exploitation attempts.
6. Harden the PHP configuration where feasible: disable allow_url_include and restrict what include and require can load to trusted directories.
7. Keep WordPress core, themes, and plugins updated, and subscribe to vendor security advisories for timely patching once a fix is available.
8. Conduct regular security assessments focusing on user role assignments and plugin vulnerabilities to proactively identify and remediate risks.
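One way to act on recommendation 2 above, as an added example rather than the plugin's or WordPress's own code: a callback on wp_handle_upload_prefilter (a real WordPress filter that receives the pending upload's name, type, tmp_name, size and error fields, and rejects the upload when error is set to a string) that refuses files carrying a PHP open tag or whose declared image type does not match their content. The helper names are hypothetical. Two caveats worth knowing when reading recommendation 6: include and require are language constructs, so PHP's disable_functions cannot switch them off, and allow_url_include only governs remote URLs, not local files. Keeping executable code out of the upload directory is therefore a layer the site operator can actually control.

```php
<?php
// Added example, not the plugin's or WordPress's own code: an upload pre-filter
// that rejects files carrying PHP open tags, so an "image" that is really a PHP
// payload never lands on disk where a later include could execute it.
// wp_handle_upload_prefilter is a real WordPress filter; the helpers are hypothetical.

declare(strict_types=1);

// True when the bytes contain a PHP open tag anywhere (case-insensitive for
// "<?php", exact for the echo tag "<?="). The whole body is scanned because
// PHP code can sit after a valid image header or inside EXIF/metadata fields.
function contains_php_open_tag(string $bytes): bool
{
    return stripos($bytes, '<?php') !== false || strpos($bytes, '<?=') !== false;
}

// True when the declared MIME type is not an image, or when it is an image and
// getimagesize() reports the same type from the actual bytes.
function declared_image_matches_content(string $path, string $declared_mime): bool
{
    if (strncmp($declared_mime, 'image/', 6) !== 0) {
        return true; // not claiming to be an image; nothing to cross-check here
    }
    $info = @getimagesize($path);
    return $info !== false && isset($info['mime']) && $info['mime'] === $declared_mime;
}

// Decide whether an upload is accepted. $file has the shape WordPress passes to
// wp_handle_upload_prefilter; setting $file['error'] to a string rejects it.
function screen_upload(array $file): array
{
    $tmp = $file['tmp_name'] ?? '';
    if ($tmp === '' || !is_readable($tmp)) {
        $file['error'] = 'Upload could not be read for screening.';
        return $file;
    }
    $bytes = file_get_contents($tmp);
    if ($bytes === false || contains_php_open_tag($bytes)) {
        $file['error'] = 'Rejected: file contains embedded PHP code.';
        return $file;
    }
    if (!declared_image_matches_content($tmp, (string) ($file['type'] ?? ''))) {
        $file['error'] = 'Rejected: declared image type does not match content.';
        return $file;
    }
    return $file; // no 'error' set: WordPress continues with the upload
}

// Wire the callback in only when running inside WordPress.
if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', 'screen_upload');
}
```

Content screening of this kind is a compensating control, not a replacement for fixing the include: it narrows what an attacker can place on disk, while the allow-listed include removes the reason the placed file could ever be executed.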


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2024-12-05T18:06:51.612Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e35b7ef31ef0b597c40

Added to database: 2/25/2026, 9:48:37 PM

Last enriched: 2/26/2026, 4:12:01 AM

Last updated: 2/26/2026, 6:17:33 AM