CVE-2024-12300: CWE-862 Missing Authorization in webandprint AR for WordPress
The AR for WordPress plugin for WordPress is vulnerable to unauthorized double-extension file upload due to a missing capability check on the set_ar_featured_image() function in all versions up to, and including, 7.3. This makes it possible for unauthenticated attackers to upload PHP files by leveraging a double-extension attack. It is important to note that the file is deleted immediately, and double-extension attacks only work on select servers, making this unlikely to be successfully exploited.
AI Analysis
Technical Summary
CVE-2024-12300 is a missing authorization vulnerability (CWE-862) in the AR for WordPress plugin. The set_ar_featured_image() function lacks a capability check, enabling unauthenticated attackers to upload files with double extensions. Although this could allow PHP file uploads, the plugin deletes such files immediately, and successful exploitation depends on specific server configurations. This vulnerability affects all versions up to and including 7.3 and has a CVSS 3.1 score of 3.7 (low severity). No known exploits are reported in the wild, and no patch or official fix has been documented yet.
Potential Impact
The vulnerability could allow unauthorized file uploads with double extensions, potentially leading to limited impact such as low integrity compromise. However, immediate deletion of the uploaded files and the requirement for specific server configurations significantly reduce the risk and likelihood of successful exploitation. There is no confidentiality or availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should monitor vendor communications for updates. Given the low likelihood of exploitation and immediate file deletion, no urgent mitigation is mandated by the vendor at this time.
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-06T13:28:58.342Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e35b7ef31ef0b597cd9
Added to database: 2/25/2026, 9:48:37 PM
Last enriched: 4/9/2026, 12:42:15 PM
Last updated: 4/12/2026, 4:19:25 PM