
CVE-2024-12315: CWE-922 Insecure Storage of Sensitive Information in smackcoders Export All Posts, Products, Orders, Refunds & Users

Severity: High
Tags: Vulnerability, CVE-2024-12315, CWE-922
Published: Wed Feb 12 2025 (02/12/2025, 08:25:42 UTC)
Source: CVE Database V5
Vendor/Project: smackcoders
Product: Export All Posts, Products, Orders, Refunds & Users

Description

CVE-2024-12315 is a high-severity vulnerability in the WordPress plugin 'Export All Posts, Products, Orders, Refunds & Users' by smackcoders, affecting all versions up to and including 2.9.3. It allows unauthenticated attackers to access sensitive exported data stored insecurely in the /wp-content/uploads/smack_uci_uploads/exports/ directory. This exposure can lead to leakage of user data and other sensitive information without requiring any authentication or user interaction. The vulnerability stems from improper access controls on the export files and is classified under CWE-922 (Insecure Storage of Sensitive Information). Although no known exploits have been reported in the wild yet, the ease of exploitation and the sensitivity of the data involved make this a significant risk for WordPress sites using this plugin. Organizations using this plugin should urgently review and secure or remove exposed export files and monitor for suspicious access attempts.

AI-Powered Analysis

Last updated: 02/26/2026, 03:56:34 UTC

Technical Analysis

CVE-2024-12315 identifies a vulnerability in the WordPress plugin 'Export All Posts, Products, Orders, Refunds & Users' developed by smackcoders. This plugin facilitates exporting various types of site data, including posts, products, orders, refunds, and user information. The vulnerability arises because the plugin stores exported data files in the /wp-content/uploads/smack_uci_uploads/exports/ directory without proper access controls or protections. As a result, these files are publicly accessible over the web, allowing unauthenticated attackers to download sensitive information. The vulnerability is categorized under CWE-922, which concerns insecure storage of sensitive information. The CVSS v3.1 base score is 7.5, reflecting a high severity due to network attack vector, no required privileges, no user interaction, and high confidentiality impact. The integrity and availability of the system are not impacted, but the confidentiality breach can expose personal user data and potentially sensitive business information. No patches or fixes have been officially released at the time of publication, and no known exploits have been observed in the wild. The vulnerability affects all versions of the plugin up to and including 2.9.3, which is widely used in WordPress environments for data export functionality. The lack of authentication or authorization checks on the export directory is the root cause, making it trivial for attackers to enumerate and download export files if they know or guess the directory path.

Potential Impact

The primary impact of this vulnerability is the unauthorized disclosure of sensitive information, including user data, orders, refunds, and other exported content. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage for affected organizations. Attackers could use the exposed data for identity theft, phishing campaigns, or further targeted attacks against the organization or its users. Since the vulnerability requires no authentication and no user interaction, it can be exploited remotely and at scale, increasing the risk of mass data leakage. Although the integrity and availability of the WordPress site are not directly affected, the confidentiality breach alone is significant, especially for e-commerce sites or those handling personal user information. Organizations relying on this plugin for data export are at risk of having sensitive business and customer data exposed to unauthorized parties.

Mitigation Recommendations

Organizations should immediately audit their WordPress installations for the presence of the vulnerable 'Export All Posts, Products, Orders, Refunds & Users' plugin. If found, they should restrict access to the /wp-content/uploads/smack_uci_uploads/exports/ directory by implementing server-level access controls such as .htaccess rules or web server configuration to deny public access. Removing or archiving existing export files from this directory is critical to prevent ongoing exposure. Until an official patch is released, consider disabling or uninstalling the plugin if export functionality is not essential. If export features are required, use alternative plugins with verified secure storage practices or implement custom export solutions that securely handle sensitive data. Additionally, monitor web server logs for unusual access patterns to the exports directory and alert on any unauthorized download attempts. Regularly update WordPress and plugins to the latest versions once a patch is available. Finally, educate site administrators about secure file storage and access control best practices to prevent similar issues.
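The two server-side steps above (denying direct web access to the export directory and watching the access log for requests that reach it) can be put into a small defender-side helper. The following is an added example written for this page; it is not code from the advisory, from Wordfence, or from the smackcoders plugin. It assumes an Apache host where `.htaccess` overrides are enabled for the uploads tree (both the 2.4 `Require` form and the legacy 2.2 `Deny` form are emitted so one file works on either), and the Combined Log Format for the access log. The log lines embedded in the block are constructed samples using documentation-range IP addresses; the filesystem path passed to `write_deny_htaccess` is an assumption about the site layout. Note that denying all direct web access also blocks legitimate direct-URL downloads by administrators, so confirm how the plugin hands export files to its users before relying on the rule alone.

```python
"""Added example (not from the advisory or from smackcoders): a defender-side
helper for the mitigation above. It (1) generates the Apache .htaccess rules
that deny direct web access to the plugin's export directory and (2) scans
access-log lines for requests to that directory so exposure can be assessed.
Assumes Apache 2.2/2.4 with AllowOverride enabled for the uploads tree and
the Combined Log Format; the log lines below are constructed samples."""
import re
from collections import defaultdict
from pathlib import Path
from urllib.parse import unquote

# Directory named in the advisory, as a URL path prefix.
EXPORT_PREFIX = "/wp-content/uploads/smack_uci_uploads/exports/"

# Apache Combined Log Format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)'
)


def build_htaccess_rules() -> str:
    """Return .htaccess content that denies all direct web access and disables
    directory listings. Both the 2.4 (mod_authz_core) and legacy 2.2 forms are
    included so the same file works on either version."""
    return (
        "# Deny direct web access to plugin export files (CVE-2024-12315 mitigation)\n"
        "Options -Indexes\n"
        "<IfModule mod_authz_core.c>\n"
        "    Require all denied\n"
        "</IfModule>\n"
        "<IfModule !mod_authz_core.c>\n"
        "    Order deny,allow\n"
        "    Deny from all\n"
        "</IfModule>\n"
    )


def write_deny_htaccess(export_dir: Path) -> Path:
    """Write the rules into <export_dir>/.htaccess and return the file path.
    export_dir is the filesystem path of the exports directory (an assumption
    about the site layout; adjust for your document root)."""
    export_dir.mkdir(parents=True, exist_ok=True)
    target = export_dir / ".htaccess"
    target.write_text(build_htaccess_rules(), encoding="utf-8")
    return target


def find_export_access(lines, prefix: str = EXPORT_PREFIX):
    """Parse log lines and return the requests that touched the export directory.
    The path is percent-decoded and stripped of its query string before the
    prefix check so encoded variants are not missed. served=True means the
    server answered 2xx, i.e. the file was actually handed out."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-Combined line: skip rather than crash
        path = unquote(m.group("path").split("?", 1)[0])
        if not path.startswith(prefix):
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": path,
            "status": status,
            "served": 200 <= status < 300,
        })
    return hits


def summarize_by_ip(hits):
    """Count served versus blocked export requests per source IP."""
    summary = defaultdict(lambda: {"served": 0, "blocked": 0})
    for h in hits:
        summary[h["ip"]]["served" if h["served"] else "blocked"] += 1
    return dict(summary)


# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Feb/2025:10:15:32 +0000] "GET /wp-content/uploads/smack_uci_uploads/exports/users.csv HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Feb/2025:10:15:40 +0000] "GET /wp-content/uploads/smack_uci_uploads/exports/orders%2Ecsv?x=1 HTTP/1.1" 200 9120 "-" "curl/8.0"',
    '198.51.100.7 - - [12/Feb/2025:11:02:01 +0000] "GET /wp-content/uploads/smack_uci_uploads/exports/refunds.csv HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Feb/2025:11:02:05 +0000] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "not a log line",
]

if __name__ == "__main__":
    hits = find_export_access(SAMPLE_LOG)
    for h in hits:
        flag = "SERVED " if h["served"] else "blocked"
        print(f"{flag} {h['ip']} {h['path']} {h['status']}")
    print(summarize_by_ip(hits))
```

Run against the real access log with `find_export_access(open("/var/log/apache2/access.log"))`; any entry with `served` set to True before the deny rule was in place is a download that should be treated as a confirmed disclosure, while 403 entries after the rule confirm it is taking effect. The `summarize_by_ip` output is what to alert on: a source that pulled several export files in a short window is the "unusual access pattern" the advisory asks you to watch for.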


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-12-06T16:08:51.628Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6e36b7ef31ef0b597db7

Added to database: 2/25/2026, 9:48:38 PM

Last enriched: 2/26/2026, 3:56:34 AM

Last updated: 2/26/2026, 7:45:24 AM
