CVE-2024-12300: CWE-862 Missing Authorization in webandprint AR for WordPress
CVE-2024-12300 is a low-severity vulnerability in the AR for WordPress plugin caused by missing authorization checks in the set_ar_featured_image() function. This flaw allows unauthenticated attackers to upload files with double extensions, potentially enabling PHP file uploads. However, the uploaded files are deleted immediately, and the attack only works on select server configurations, making exploitation unlikely. The vulnerability affects all versions up to 7.3 of the plugin. No known exploits are currently in the wild. The CVSS score is 3.7, reflecting low impact and high attack complexity. Organizations using this plugin should monitor for updates and consider restricting file upload capabilities and server configurations to mitigate risk.
AI Analysis
Technical Summary
CVE-2024-12300 is a vulnerability identified in the AR for WordPress plugin, which is widely used to enhance WordPress functionality related to web and print features. The root cause is a missing authorization check (CWE-862) in the set_ar_featured_image() function, which fails to verify user capabilities before allowing file uploads. This omission enables unauthenticated attackers to perform a double extension file upload attack, where a file is named with two extensions (e.g., file.php.jpg) to bypass file type restrictions and upload executable PHP code. However, the plugin immediately deletes the uploaded file, and the attack only succeeds on certain server configurations that do not properly handle double extensions or file deletion timing. The vulnerability affects all versions up to and including 7.3. Despite the potential for unauthorized file uploads, the immediate deletion and limited server conditions reduce the likelihood of successful exploitation. The CVSS v3.1 score of 3.7 reflects a low-severity rating due to the lack of confidentiality impact, limited integrity impact, no availability impact, and the high attack complexity. No known exploits have been reported in the wild, and no official patches have been linked yet. The vulnerability was publicly disclosed on December 13, 2024.
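The CWE-862 pattern described above, shown as an added illustration rather than the plugin's own code: an AJAX upload handler that is reachable without authentication and never checks capabilities, next to a hardened version that checks authorization and a nonce, rejects multi-extension names before anything touches disk, and delegates type validation to WordPress core. The function names, the `ar_set_featured_image` AJAX action, the `ar_featured_image` nonce action and the `image`/`post_id` request fields are assumptions made for this example.

```php
<?php
/*
 * Added example. This is NOT the AR for WordPress plugin's code; it sketches
 * the class of bug behind CVE-2024-12300 (missing authorization on an upload
 * handler) and one way to close it. All names below are assumptions.
 */

// ---- Vulnerable pattern: registered for unauthenticated callers, no capability
// ---- check, no nonce, and the file name is taken straight from the request.
function ar_set_featured_image_insecure() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    if ( empty( $_FILES['image']['name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $upload_dir = wp_upload_dir();
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $_FILES['image']['name'] );
    // "shell.php.jpg" is written to the uploads tree under that exact name.
    move_uploaded_file( $_FILES['image']['tmp_name'], $dest );
    wp_send_json_success( array( 'post_id' => $post_id, 'path' => $dest ) );
}
// The nopriv hook is what makes this reachable by anyone.
add_action( 'wp_ajax_nopriv_ar_set_featured_image', 'ar_set_featured_image_insecure' );

// ---- Hardened pattern.
function ar_is_single_image_extension( $name ) {
    // Exactly one dot and an allow-listed image extension after it:
    // "photo.jpg" passes, "shell.php.jpg" and "photo.jpg.php" do not.
    if ( substr_count( $name, '.' ) !== 1 ) {
        return false;
    }
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    return in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true );
}

function ar_set_featured_image_secure() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;

    // 1. Authorization (the CWE-862 fix): the caller must be allowed to edit
    //    this specific post and to upload files at all.
    if ( ! is_user_logged_in()
        || ! current_user_can( 'edit_post', $post_id )
        || ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'ar_featured_image', 'nonce' );

    if ( empty( $_FILES['image']['name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Reject multi-extension names before any file is written.
    $name = sanitize_file_name( $_FILES['image']['name'] );
    if ( ! ar_is_single_image_extension( $name ) ) {
        wp_send_json_error( 'invalid file name', 400 );
    }
    $_FILES['image']['name'] = $name;

    // 4. Let core validate the real type (extension plus content sniff) and
    //    store the file; restrict the accepted MIME map to images.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $overrides = array(
        'test_form' => false,
        'mimes'     => array(
            'jpg|jpeg' => 'image/jpeg',
            'png'      => 'image/png',
            'gif'      => 'image/gif',
            'webp'     => 'image/webp',
        ),
    );
    $attachment_id = media_handle_upload( 'image', $post_id, array(), $overrides );
    if ( is_wp_error( $attachment_id ) ) {
        wp_send_json_error( $attachment_id->get_error_message(), 400 );
    }

    set_post_thumbnail( $post_id, $attachment_id );
    wp_send_json_success( array( 'attachment_id' => $attachment_id ) );
}
// Logged-in users only; deliberately no wp_ajax_nopriv_ registration.
add_action( 'wp_ajax_ar_set_featured_image', 'ar_set_featured_image_secure' );
```

The capability check is the actual fix for the weakness class; the single-extension rule and the restricted MIME map are defence in depth, so that even a handler that later deletes the file never has a PHP-named file on disk in the first place.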
Potential Impact
If exploited, this vulnerability could allow an attacker to upload malicious PHP files to a WordPress site running the affected AR for WordPress plugin versions. Although the files are deleted immediately, on certain server configurations, the double extension technique might bypass security controls, potentially enabling remote code execution or unauthorized actions. This could lead to integrity compromise of the website, unauthorized content modification, or further exploitation of the hosting environment. However, the immediate deletion of files and the complexity of the attack significantly limit the practical impact. Organizations running this plugin on vulnerable versions face a low risk of compromise, but the presence of this vulnerability could be leveraged as part of a multi-stage attack chain. The threat is primarily to the integrity of the web application, with no direct impact on confidentiality or availability reported.
Mitigation Recommendations
Organizations should immediately verify whether they are using the AR for WordPress plugin version 7.3 or earlier and plan to update to a patched version once available. In the interim, administrators should restrict file upload permissions and capabilities within WordPress to trusted users only. Implementing web application firewall (WAF) rules to detect and block double extension file uploads can reduce risk. Server administrators should ensure proper handling of file extensions and configure the server to reject or quarantine suspicious files before execution. Regularly monitoring upload directories for unauthorized files and enabling strict PHP execution policies (e.g., disabling PHP execution in upload directories) will further mitigate exploitation chances. Additionally, auditing logs for unusual upload activity and applying the principle of least privilege for plugin usage can help reduce exposure.
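For the "monitor upload directories" recommendation above, here is an added, read-only audit script (not part of the advisory or the plugin) that walks a WordPress uploads tree and flags files whose name carries a PHP-family extension anywhere in a multi-extension chain, files whose final extension is PHP-family, and files that begin with a PHP open tag regardless of name. The path, the extension list and the script name are assumptions for this example.

```php
<?php
/*
 * Added example: audit a wp-content/uploads tree for files that should not be
 * there. Reports only; nothing is modified or deleted.
 * Usage (assumed path):  php audit-uploads.php /var/www/html/wp-content/uploads
 */

// PHP-family extensions that a web server might execute (assumed list; extend
// it to match the handlers actually configured on the host).
const PHP_EXTENSIONS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phar' );

/**
 * Classify one file from its path and the first bytes of its content.
 * Returns a list of reasons; an empty list means nothing suspicious.
 */
function classify_upload( string $path, string $head ): array {
    $findings = array();

    $parts = explode( '.', strtolower( basename( $path ) ) );
    array_shift( $parts );                      // drop the stem, keep the extension chain

    $php_in_chain = array_intersect( $parts, PHP_EXTENSIONS );
    if ( count( $parts ) > 1 && $php_in_chain ) {
        // e.g. shell.php.jpg: exactly the double-extension shape in the advisory
        $findings[] = 'double extension with php segment';
    } elseif ( $parts && in_array( end( $parts ), PHP_EXTENSIONS, true ) ) {
        $findings[] = 'php extension inside uploads';
    }

    // Name-independent check: an image should never start with "<?php" or "<?=".
    if ( preg_match( '/^\s*<\?(php|=)/i', $head ) ) {
        $findings[] = 'php open tag in content';
    }
    return $findings;
}

/** Walk the tree and return path => reasons for every flagged file. */
function audit_uploads( string $root ): array {
    $hits = array();
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $full = $file->getPathname();
        // Read only the first 64 bytes; enough for the open-tag check.
        $head = (string) @file_get_contents( $full, false, null, 0, 64 );
        $reasons = classify_upload( $full, $head );
        if ( $reasons ) {
            $hits[ $full ] = $reasons;
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( audit_uploads( $argv[1] ) as $path => $reasons ) {
        echo $path, "\t", implode( ', ', $reasons ), PHP_EOL;
    }
}
```

Run it from cron and diff the output against the previous run; a new hit in a directory that only the media library should write to is worth an incident ticket even when the file is gone by the time you look, because the advisory's "deleted immediately" behaviour means the window is the interesting signal. The "select server configurations" the advisory refers to classically include Apache's mod_mime when PHP is mapped with AddHandler, which evaluates every extension in a name rather than only the last one; binding PHP with SetHandler inside a FilesMatch on a trailing `\.php$`, and denying PHP execution under the uploads directory altogether, removes that dependency on naming.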
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-06T13:28:58.342Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e35b7ef31ef0b597cd9
Added to database: 2/25/2026, 9:48:37 PM
Last enriched: 2/26/2026, 5:29:44 AM
Last updated: 2/26/2026, 7:12:01 AM